Bug 1936985 (CVE-2021-21381)

Summary: CVE-2021-21381 flatpak: "file forwarding" feature can be used to gain unprivileged access to files
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Target Milestone: ---
Target Release: ---
Fixed In Version: flatpak 1.10.2
Reporter: Marian Rehak <mrehak>
Assignee: Red Hat Product Security <security-response-team>
CC: amigadave, dking, klember
Doc Type: If docs needed, set a value
Doc Text:
A sandbox escape flaw was found in the way flatpak handled special tokens in ".desktop" files. This flaw allows an attacker to gain access to files that are not ordinarily allowed by the app's permissions. The highest threat from this vulnerability is to confidentiality and integrity.
Last Closed: 2021-03-29 11:35:21 UTC
Bug Depends On: 1936986, 1938057, 1938059, 1938060, 1938061, 1938062, 1938063, 1938064
Bug Blocks: 1936988

Description Marian Rehak 2021-03-09 15:51:14 UTC
flatpak since 0.9.4 has a bug in the "file forwarding" feature, which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.

References:

https://github.com/flatpak/flatpak/issues/4146

Comment 1 Marian Rehak 2021-03-09 15:51:51 UTC
Created flatpak tracking bugs for this issue:

Affects: fedora-all [bug 1936986]

Comment 2 Huzaifa S. Sidhpurwala 2021-03-11 04:54:37 UTC
External References:

https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp

Comment 3 Huzaifa S. Sidhpurwala 2021-03-11 04:55:51 UTC
Mitigation:

Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.
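The manual check described in Comment 3, written out as an added example (this is not code from the bug report or from the flatpak project). An exported .desktop file delegates file forwarding to flatpak with an Exec= line of the form "flatpak run ... --file-forwarding APP @@u %U @@": anything between the opening @@ (or @@u) and the closing @@ is handed to the app as a file argument. The scanner below reads every Exec= line, walks the tokens between those markers, and flags any token that is not a %f/%F/%u/%U desktop-entry field code, which is exactly the "literal filename after @@ or @@u" case the mitigation warns about. The accepted field codes, the org.example.* app IDs and the id_rsa path in the constructed sample files are assumptions made for this example; the scanner splits on whitespace and does not handle quoted Exec arguments. On a fixed system (flatpak 1.10.2 or later) the scan is a belt-and-braces check, not a substitute for the update.

```shell
#!/bin/sh
# Added example: scan exported Flatpak .desktop files for a literal
# argument between the @@ / @@u file-forwarding markers.

# Field codes flatpak writes between the markers when it exports a
# .desktop file. Assumption for this example: only these are legitimate.
ALLOWED_TOKENS='%f %F %u %U'

# scan_desktop_file FILE
# Prints each offending Exec= line. Returns 0 when every forwarded token is
# an allowed field code, 1 when a literal argument (e.g. a path) is forwarded.
scan_desktop_file() {
    awk -v allowed="$ALLOWED_TOKENS" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            bad = 0
        }
        /^Exec=/ {
            line = $0
            sub(/^Exec=/, "", line)
            nw = split(line, w, /[ \t]+/)
            fwd = 0                       # 1 while inside @@ ... @@
            for (i = 1; i <= nw; i++) {
                t = w[i]
                if (t == "") continue
                if (!fwd) {
                    if (t == "@@" || t == "@@u") fwd = 1
                    continue
                }
                if (t == "@@") { fwd = 0; continue }
                if (!(t in ok)) {
                    printf("%s: literal file-forwarding argument \"%s\" in: %s\n",
                           FILENAME, t, $0)
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# scan_exports_dir DIR: scan every *.desktop in DIR; 1 if any file is flagged.
scan_exports_dir() {
    status=0
    for f in "$1"/*.desktop; do
        [ -e "$f" ] || continue
        scan_desktop_file "$f" || status=1
    done
    return $status
}

# scan_default_exports: the two export directories named in the mitigation.
scan_default_exports() {
    scan_exports_dir "$HOME/.local/share/flatpak/exports/share/applications"
    u=$?
    scan_exports_dir /var/lib/flatpak/exports/share/applications
    s=$?
    [ "$u" -eq 0 ] && [ "$s" -eq 0 ]
}

# make_sample_exports: constructed sample files (not real apps) in a temp dir;
# prints the directory. The first is the benign exported form, the second
# forwards a literal path before the %f placeholder.
make_sample_exports() {
    d=$(mktemp -d)
    cat > "$d/org.example.Viewer.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=Viewer
Exec=/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=viewer --file-forwarding org.example.Viewer @@u %U @@
EOF
    cat > "$d/org.example.Evil.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=Evil
Exec=/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=evil --file-forwarding org.example.Evil @@ /home/user/.ssh/id_rsa @@ %f @@
EOF
    echo "$d"
}

# Stand-alone run: scan the constructed samples, then clean up.
SAMPLE_DIR=$(make_sample_exports)
scan_exports_dir "$SAMPLE_DIR" || echo "sample scan: at least one .desktop file forwards a literal path"
rm -rf "$SAMPLE_DIR"
```

To check a real system, source the script and call scan_default_exports; a non-zero return with one or more printed Exec= lines means an exported launcher forwards something other than a field code and deserves a look before the app is launched from a file manager or handler.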

Comment 6 Huzaifa S. Sidhpurwala 2021-03-12 04:16:50 UTC
Statement:

This is essentially a sandbox escape flaw and needs a malicious app publisher to execute the exploit.

Comment 7 errata-xmlrpc 2021-03-29 08:14:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:1002 https://access.redhat.com/errata/RHSA-2021:1002

Comment 8 Product Security DevOps Team 2021-03-29 11:35:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-21381

Comment 9 errata-xmlrpc 2021-04-06 08:21:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1068 https://access.redhat.com/errata/RHSA-2021:1068

Comment 10 errata-xmlrpc 2021-04-06 09:36:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:1074 https://access.redhat.com/errata/RHSA-2021:1074

Comment 11 errata-xmlrpc 2021-04-06 10:17:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:1073 https://access.redhat.com/errata/RHSA-2021:1073