Bug 1917430 (CVE-2021-21261)

Summary: CVE-2021-21261 flatpak: sandbox escape via spawn portal
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: amigadave, dking, klember
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: flatpak 1.8.5, flatpak 1.10.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Flatpak. The Flatpak portal D-Bus service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is outside the sandbox. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-02-01 14:41:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1917431, 1917432, 1918771, 1918772, 1918773, 1918774, 1918776
Bug Blocks: 1918334

Description Michael Kaplan 2021-01-18 13:34:55 UTC
The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings.

In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the flatpak run command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the flatpak run command, and use them to execute arbitrary code that is not in a sandbox.

Comment 2 Michael Kaplan 2021-01-18 13:35:18 UTC
Created flatpak tracking bugs for this issue:

Affects: fedora-all [bug 1917431]

Comment 3 Michael Kaplan 2021-01-18 13:35:20 UTC
External References:

https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2

Comment 7 Mauro Matteo Cascella 2021-01-22 10:22:07 UTC
Mitigation:

This vulnerability can be mitigated by preventing the flatpak-portal service from starting. Please note that this mitigation may prevent other Flatpak apps from working correctly.

Comment 8 Mauro Matteo Cascella 2021-01-27 13:37:21 UTC
Note from upstream advisory (comment 3): The initial fixes introduced a regression (#4080) for users of a setuid version of bubblewrap (bwrap). This is fixed in 1.10.1 (commits 9a61d2c [1] and fb473ca [2], also backported to the flatpak-1.8.x branch).

[1] https://github.com/flatpak/flatpak/commit/9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0
[2] https://github.com/flatpak/flatpak/commit/fb473cad801c6b61706353256cab32330557374a
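
The fixed versions in this report (1.8.5 and 1.10.0), the mitigation in comment 7 and the setuid-bwrap regression in comment 8 can be turned into host checks. The script below is an added example written for this page; it is not code from this bug, from Red Hat or from the flatpak project. It gives a pure-shell test of an upstream version number against the fixed releases, an RPM changelog check for the Red Hat builds (where the fix is backported, so the upstream version number on the package says nothing about patch state), a flag for the two releases that shipped the initial fix and so carry regression #4080 when bwrap is setuid, and the mask command for the mitigation. Three things are assumptions rather than statements from the page: that flatpak --version prints "Flatpak X.Y.Z", that the portal's user unit is named flatpak-portal.service, and that Red Hat's RPM changelog entries name the CVE.

```shell
#!/bin/sh
# Added example for CVE-2021-21261; not code from this bug report or from
# the flatpak project. Pure-shell checks against the fix state named in the
# report, plus the environment-dependent checks one would run on a host.

# Return 0 when an upstream flatpak version is at or past the releases this
# report names as fixed: 1.8.5 on the 1.8.x branch, 1.10.0 otherwise.
# The 1.9.x development series is not named as fixed here, so it is treated
# as not fixed; non-numeric parts (e.g. "rc1") are treated the same way.
flatpak_upstream_fixed() {
    v=$1
    case $v in *.*.*) ;; *) return 1 ;; esac      # need major.minor.patch
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; pat=${rest#*.}
    for p in "$maj" "$min" "$pat"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
    done
    if [ "$maj" -gt 1 ]; then return 0; fi
    if [ "$maj" -lt 1 ]; then return 1; fi
    if [ "$min" -ge 10 ]; then return 0; fi
    if [ "$min" -eq 8 ] && [ "$pat" -ge 5 ]; then return 0; fi
    return 1
}

# Return 0 for the releases that carried the initial fix and therefore
# upstream regression #4080 (setuid bubblewrap): 1.8.5 and 1.10.0.
# Comment 8 pins the regression fix to 1.10.1 and to a 1.8.x backport whose
# release number the report does not give, so only these two are matched.
flatpak_regression_4080_window() {
    case $1 in 1.8.5|1.10.0) return 0 ;; *) return 1 ;; esac
}

# Report on the running host. On RHEL and Fedora the fix is backported, so
# the upstream version is not meaningful there; the RPM changelog is where
# the CVE shows up (assumed convention: Red Hat changelog entries name it).
report_local() {
    if command -v rpm >/dev/null 2>&1 && rpm -q flatpak >/dev/null 2>&1; then
        if rpm -q --changelog flatpak | grep -q 'CVE-2021-21261'; then
            echo "flatpak RPM changelog references CVE-2021-21261: fix present"
        else
            echo "flatpak RPM changelog does not mention CVE-2021-21261: apply the RHSA for your release"
        fi
    elif command -v flatpak >/dev/null 2>&1; then
        v=$(flatpak --version); v=${v#Flatpak }   # assumed format "Flatpak X.Y.Z"
        if flatpak_upstream_fixed "$v"; then
            echo "flatpak $v: fixed upstream"
            # Regression #4080 only matters with a setuid bwrap binary.
            if flatpak_regression_4080_window "$v" && [ -u "$(command -v bwrap)" ]; then
                echo "warning: setuid bwrap with flatpak $v; regression #4080 applies, move to 1.10.1 or the 1.8.x backport"
            fi
        else
            echo "flatpak $v: vulnerable; update to 1.8.5 / 1.10.0 or later"
        fi
    else
        echo "flatpak is not installed"
    fi
}

# Mitigation from comment 7, for hosts that cannot update yet: keep the
# portal from starting. The user unit name flatpak-portal.service is an
# assumption (it is the unit upstream installs for the portal). As the
# comment warns, this also breaks apps that rely on the portal.
mitigate_mask_portal() {
    systemctl --user mask flatpak-portal.service
}

# Run with --report to inspect the local host; sourced or run bare, the
# file only defines the functions.
if [ "${1-}" = "--report" ]; then report_local; fi
```

The version test is deliberately strict: anything it cannot parse, and the unreleased 1.9.x series the report does not mention, comes back as "not fixed", because a false "fixed" is the costlier mistake for a sandbox escape. On the Red Hat products listed in the errata below, rely on the changelog branch rather than the version branch.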

Comment 9 Mauro Matteo Cascella 2021-01-28 21:01:08 UTC
Acknowledgments:

Name: Simon McVittie (Collabora Ltd.)

Comment 11 errata-xmlrpc 2021-02-01 09:13:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0304 https://access.redhat.com/errata/RHSA-2021:0304

Comment 12 errata-xmlrpc 2021-02-01 10:16:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0306 https://access.redhat.com/errata/RHSA-2021:0306

Comment 13 errata-xmlrpc 2021-02-01 10:35:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0307 https://access.redhat.com/errata/RHSA-2021:0307

Comment 14 Product Security DevOps Team 2021-02-01 14:41:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-21261

Comment 15 errata-xmlrpc 2021-02-04 11:09:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0411 https://access.redhat.com/errata/RHSA-2021:0411