Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2275981 (CVE-2024-32462) - CVE-2024-32462 flatpak: sandbox escape via RequestBackground portal
Summary: CVE-2024-32462 flatpak: sandbox escape via RequestBackground portal
Keywords:
Status: NEW
Alias: CVE-2024-32462
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2275983
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-04-18 19:53 UTC by Robb Gatica
Modified: 2024-04-19 16:04 UTC (History)
3 users (show)

Fixed In Version: flatpak 1.15.8, flatpak 1.10.9, flatpak 1.12.9, flatpak 1.14.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Flatpak, a system for building, distributing, and running sandboxed desktop applications on Linux. Normally, the "--command" argument of "flatpak run" expects being given a command to run in the specified Flatpak app, along with optional arguments. However, it is possible to pass bwrap arguments to "--command=" instead, such as "--bind". It is possible to pass an arbitrary "commandline" to the portal interface "org.freedesktop.portal.Background.RequestBackground" within the Flatpak app. This is normally safe because it can only specify a command that exists inside the sandbox. When a crafted "commandline" is converted into a "--command" and arguments, the app could achieve the same effect of passing arguments directly to bwrap to achieve sandbox escape.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Robb Gatica 2024-04-18 19:53:23 UTC
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.

https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d
https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97
https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e
https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931
https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj

Comment 1 Robb Gatica 2024-04-18 19:56:09 UTC
Created flatpak tracking bugs for this issue:

Affects: fedora-all [bug 2275983]


Note You need to log in before you can comment on or make changes to this bug.