Bug 1936985 (CVE-2021-21381) - CVE-2021-21381 flatpak: "file forwarding" feature can be used to gain unprivileged access to files
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-21381
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1936986 1938057 1938059 1938060 1938061 1938062 1938063 1938064
Blocks: 1936988
Reported: 2021-03-09 15:51 UTC by Marian Rehak
Modified: 2022-04-17 21:11 UTC (History)

Fixed In Version: flatpak 1.10.2
Doc Type: If docs needed, set a value
Doc Text:
A sandbox escape flaw was found in the way flatpak handled special tokens in ".desktop" files. This flaw allows an attacker to gain access to files that are not ordinarily allowed by the app's permissions. The highest threat from this vulnerability is to confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2021-03-29 11:35:21 UTC
Embargoed:
Description Marian Rehak 2021-03-09 15:51:14 UTC
flatpak since 0.9.4 has a bug in the "file forwarding" feature, which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.

References:

https://github.com/flatpak/flatpak/issues/4146

Comment 1 Marian Rehak 2021-03-09 15:51:51 UTC
Created flatpak tracking bugs for this issue:

Affects: fedora-all [bug 1936986]

Comment 2 Huzaifa S. Sidhpurwala 2021-03-11 04:54:37 UTC
External References:

https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp

Comment 3 Huzaifa S. Sidhpurwala 2021-03-11 04:55:51 UTC
Mitigation:

Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.
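
As an added defender's check (not part of this bug report or of the flatpak project), the Python below implements the inspection described above: it parses the Exec= keys of exported .desktop files and reports any literal argument sitting between a pair of @@ or @@u delimiters, where only launcher field codes should appear. The sample .desktop texts, the org.example.App ID and the /home/user/private.txt path are constructed, and treating %f/%F/%u/%U as the only legitimate forwarded tokens is an assumption about what a benign export contains.

```python
import configparser
import glob
import os
import shlex

# Field codes the launcher expands to the user's chosen files/URIs. Any other
# token between a pair of @@ (or @@u) delimiters is a literal argument that
# flatpak would forward into the sandbox without the user having picked it.
FIELD_CODES = {"%f", "%F", "%u", "%U"}  # assumed set of legitimate tokens

def literal_forwarded_args(exec_line):
    """Return literal arguments found inside @@ ... @@ or @@u ... @@u spans."""
    literals, opener = [], None  # opener: delimiter of the span we are in
    for tok in shlex.split(exec_line):
        if tok in ("@@", "@@u"):
            opener = None if opener == tok else tok
        elif opener and tok not in FIELD_CODES:
            literals.append(tok)
    return literals

def scan_desktop_text(text):
    """Check every Exec= key (main entry and any [Desktop Action] sections)."""
    cp = configparser.RawConfigParser(strict=False)  # raw: no % interpolation
    cp.optionxform = str  # keep key case: "Exec", not "exec"
    cp.read_string(text)
    return [(sec, lit) for sec in cp.sections() if cp.has_option(sec, "Exec")
            for lit in literal_forwarded_args(cp.get(sec, "Exec"))]

def scan_exports(dirs=("~/.local/share/flatpak/exports/share/applications",
                       "/var/lib/flatpak/exports/share/applications")):
    """Scan the export directories named in the mitigation; {path: findings}."""
    results = {}
    for d in dirs:
        for path in glob.glob(os.path.join(os.path.expanduser(d), "*.desktop")):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_desktop_text(fh.read())
            if hits:
                results[path] = hits
    return results

# Constructed samples (not real exports): a benign entry and one that
# smuggles a literal path next to the %F field code.
BENIGN = "[Desktop Entry]\nExec=flatpak run --file-forwarding org.example.App @@ %F @@\n"
SUSPICIOUS = ("[Desktop Entry]\nExec=flatpak run --file-forwarding org.example.App "
              "@@ /home/user/private.txt %F @@\n"
              "[Desktop Action open-url]\nExec=flatpak run org.example.App @@u %U @@u\n")

if __name__ == "__main__":
    print(scan_desktop_text(SUSPICIOUS))  # [('Desktop Entry', '/home/user/private.txt')]
    for path, hits in scan_exports().items():
        print(path, hits)
```

Run it as a script to report every export on the host that still carries a literal forwarded argument; an empty result is the expected state on a system updated to flatpak 1.10.2.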

Comment 6 Huzaifa S. Sidhpurwala 2021-03-12 04:16:50 UTC
Statement:

This is essentially a sandbox escape flaw and needs a malicious app publisher to execute the exploit.

Comment 7 errata-xmlrpc 2021-03-29 08:14:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:1002 https://access.redhat.com/errata/RHSA-2021:1002

Comment 8 Product Security DevOps Team 2021-03-29 11:35:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-21381

Comment 9 errata-xmlrpc 2021-04-06 08:21:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1068 https://access.redhat.com/errata/RHSA-2021:1068

Comment 10 errata-xmlrpc 2021-04-06 09:36:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:1074 https://access.redhat.com/errata/RHSA-2021:1074

Comment 11 errata-xmlrpc 2021-04-06 10:17:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:1073 https://access.redhat.com/errata/RHSA-2021:1073
