ioctl(..., TIOCSTI, ...) seccomp filter bypass

The default snapd seccomp filter for strict mode snaps blocks the ioctl() system call when TIOCSTI is passed as its second argument. Jann Horn discovered that this restriction could be circumvented on 64-bit architectures on systems with snapd before 2.37.4. A malicious snap could exploit this to bypass intended access restrictions and insert characters into the terminal's input queue.

All Ubuntu systems with snaps installed automatically refresh the core snap and relaunch snapd from the updated core snap. The 2.37.4 snaps were released to the stable channel on 2019-03-12, so all Ubuntu systems with snaps installed will typically have upgraded to the fixed snapd 2.37.4 by the time this issue became public.

Timeline

SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI (last edited 2019-03-21 20:59:04 by jdstrand)