A flaw was discovered that may allow an attacker to escape from the flatpak sandbox via /proc/self/exe.
Created flatpak tracking bugs for this issue:
Affects: fedora-all [bug 1675432]
My current understanding is that the only portion of flatpak that should run as root is the system-helper. The system-helper functionality may call into apply_extra_data(), which eventually calls flatpak_run_setup_base_argv. The patch adds a new flag, FLATPAK_RUN_FLAG_NO_PROC, to ensure that proc isn't reachable during this operation.
From the devs (paraphrasing) -- this (running as root) should only happen during installation to a system-wide repository. Thus, users running an app or installing into a user repository should not be impacted by this flaw as those specific operations should not occur as root.
Looks like the potential call flow for the vulnerability is handle-deploy signal (unsure who actually raises this signal) inside of flatpak_system_helper.c -> flatpak_dir_deploy_install -> flatpak_dir_deploy -> apply_extra_data -> flatpak_run_setup_base_argv. The patch adds the FLATPAK_RUN_FLAG_NO_PROC flag to this call.
flatpak_run_setup_base_argv also seems to be called in flatpak_run_app without the flag explicitly set. It looks like this instance could be executed via flatpak_installation_launch_full, but system-helper doesn't appear to call into that.
The question is if system-helper can ever trigger flatpak_run_app as root without that flag set, and, after a quick look, I don't think it can.
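Added example (not flatpak's own code, and not from the commenters above): a small model of the mitigation described in the call-flow comments. setup_base_argv, apply_extra_data_argv, argv_mounts_proc and RUN_FLAG_NO_PROC are hypothetical stand-ins for flatpak_run_setup_base_argv, apply_extra_data and FLATPAK_RUN_FLAG_NO_PROC; the point is that the root-only system-helper path always passes the NO_PROC flag, so /proc never appears in the bubblewrap argv it builds.

```c
/* Model of the FLATPAK_RUN_FLAG_NO_PROC fix (hypothetical names, not flatpak code). */
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 32

enum {
    RUN_FLAG_NO_PROC = 1 << 0, /* stand-in for FLATPAK_RUN_FLAG_NO_PROC */
};

struct argv_buf {
    const char *args[MAX_ARGS];
    int n;
};

static void push(struct argv_buf *b, const char *a) {
    if (b->n < MAX_ARGS) b->args[b->n++] = a;
}

/* Stand-in for flatpak_run_setup_base_argv: bind /proc into the sandbox
 * unless the caller asked for NO_PROC. */
void setup_base_argv(struct argv_buf *b, unsigned flags) {
    b->n = 0;
    push(b, "bwrap");
    push(b, "--unshare-pid");
    if (!(flags & RUN_FLAG_NO_PROC)) {
        push(b, "--proc");
        push(b, "/proc");
    }
    push(b, "--dev");
    push(b, "/dev");
}

/* Stand-in for the root-only apply_extra_data path in the system-helper:
 * after the patch it always sets NO_PROC. */
void apply_extra_data_argv(struct argv_buf *b) {
    setup_base_argv(b, RUN_FLAG_NO_PROC);
}

/* Defender check on a built command line: 1 if /proc would be mounted, else 0. */
int argv_mounts_proc(const struct argv_buf *b) {
    for (int i = 0; i < b->n; i++)
        if (strcmp(b->args[i], "--proc") == 0)
            return 1;
    return 0;
}

int main(void) {
    struct argv_buf b;
    apply_extra_data_argv(&b);
    printf("system-helper (root) path mounts /proc: %d\n", argv_mounts_proc(&b));
    setup_base_argv(&b, 0); /* ordinary app launch, flag not set */
    printf("app launch path mounts /proc: %d\n", argv_mounts_proc(&b));
    return 0;
}
```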
Looks like Debian got CVE-2019-8308 assigned: https://github.com/flatpak/flatpak/issues/2699
This flaw appears to impact systems in special cases involving installing flatpak applications and runtimes system-wide. Installation of flatpak applications and runtimes locally should not be impacted.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:0375 https://access.redhat.com/errata/RHSA-2019:0375