Bug 2275981 (CVE-2024-32462)
Summary: | CVE-2024-32462 flatpak: sandbox escape via RequestBackground portal | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Robb Gatica <rgatica>
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot>
Status: | NEW --- | QA Contact: |
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | unspecified | CC: | klember, saroy, tpopela
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | flatpak 1.15.8, flatpak 1.10.9, flatpak 1.12.9, flatpak 1.14.6 | Doc Type: | If docs needed, set a value
Doc Text: | A flaw was found in Flatpak, a system for building, distributing, and running sandboxed desktop applications on Linux. Normally, the "--command" argument of "flatpak run" expects to be given a command to run in the specified Flatpak app, along with optional arguments. However, it is possible to pass bwrap arguments to "--command=" instead, such as "--bind". It is also possible to pass an arbitrary "commandline" to the portal interface "org.freedesktop.portal.Background.RequestBackground" from within the Flatpak app. This is normally safe because it can only specify a command that exists inside the sandbox. When a crafted "commandline" is converted into a "--command" and arguments, however, the app achieves the same effect as passing arguments directly to bwrap, allowing a sandbox escape. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 2275983 | |
Bug Blocks: | 2275980 | |
Description
Robb Gatica
2024-04-18 19:53:23 UTC
Created flatpak tracking bugs for this issue:

Affects: fedora-all [bug 2275983]

This vulnerability poses an important security risk due to its potential for sandbox escape within Flatpak environments. Exploiting this vulnerability allows a malicious Flatpak application to execute arbitrary code outside of its designated sandbox, effectively bypassing the security measures intended to restrict its system access. By manipulating the --command argument and the org.freedesktop.portal.Background.RequestBackground portal interface, an attacker can craft commands that are misinterpreted as bwrap options, leading to unauthorized execution of commands with elevated privileges. This could result in unauthorized data access, system compromise, and potentially enable further exploitation of the host system.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.2 Extended Update Support
Via RHSA-2024:3960 https://access.redhat.com/errata/RHSA-2024:3960

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2024:3959 https://access.redhat.com/errata/RHSA-2024:3959

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Via RHSA-2024:3963 https://access.redhat.com/errata/RHSA-2024:3963

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2024:3961 https://access.redhat.com/errata/RHSA-2024:3961

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.8 Extended Update Support
Via RHSA-2024:3962 https://access.redhat.com/errata/RHSA-2024:3962

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
Via RHSA-2024:3969 https://access.redhat.com/errata/RHSA-2024:3969

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
Via RHSA-2024:3970 https://access.redhat.com/errata/RHSA-2024:3970

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Advanced Update Support
Via RHSA-2024:3979 https://access.redhat.com/errata/RHSA-2024:3979

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2024:3980 https://access.redhat.com/errata/RHSA-2024:3980
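The argument-confusion pattern the Doc Text describes, as an added illustration that is not Flatpak's or bwrap's code: a toy option parser stands in for a sandbox launcher reading its argv, a naive launcher appends the app-supplied command where options are still accepted, and a hardened launcher rejects option-looking commands and terminates options with a literal `--`. The option table, both launcher functions and all inputs are constructed for this example and do not reproduce Flatpak's actual fix.

```python
# Added illustration of the CVE-2024-32462 bug class; not Flatpak or bwrap code.
# A toy option parser stands in for how a sandbox launcher reads its argv, and
# two launchers show the unsafe and hardened ways of appending an app-controlled
# command. The option table and all inputs are constructed.

# Constructed: option name -> number of values it consumes.
OPTIONS_WITH_VALUES = {"--unshare-all": 0, "--bind": 2, "--ro-bind": 2}


def parse_launcher_argv(argv):
    """Split argv into (options, command) like a getopt-style launcher:
    leading tokens that are known options are consumed as options; the first
    unknown token, or anything after a literal "--", starts the command."""
    options, i = [], 0
    while i < len(argv):
        tok = argv[i]
        if tok == "--":                      # end-of-options marker
            return options, argv[i + 1:]
        if tok in OPTIONS_WITH_VALUES:
            n = OPTIONS_WITH_VALUES[tok]
            options.append(tuple(argv[i:i + 1 + n]))
            i += 1 + n
            continue
        return options, argv[i:]             # first non-option starts the command
    return options, []


def build_argv_unsafe(sandbox_opts, command):
    """Vulnerable pattern: the app-supplied command words land where the
    launcher still accepts options, so a command whose first word looks like
    an option is parsed as an option instead of as the program to run."""
    return list(sandbox_opts) + list(command)


def build_argv_safe(sandbox_opts, command):
    """Hardened pattern: the command must name a program, not an option, and
    a literal "--" stops option parsing before the command regardless."""
    if not command or command[0].startswith("-"):
        raise ValueError("command must start with a program name, not an option")
    return list(sandbox_opts) + ["--"] + list(command)


if __name__ == "__main__":
    # Constructed inputs: the app's "command" begins with an option word.
    injected = ["--bind", "/host/dir", "/sandbox/dir", "app"]
    print(parse_launcher_argv(build_argv_unsafe(["--unshare-all"], injected)))
    print(parse_launcher_argv(build_argv_safe(["--unshare-all"], ["app", "--verbose"])))
```

Running the block shows the unsafe launcher treating the app's first word as a mount option while the hardened launcher either refuses it or, with the separator in place, passes every command word through untouched.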