Bug 2012245 (CVE-2021-41133) - CVE-2021-41133 flatpak: Sandbox bypass via recent VFS-manipulating syscalls
Summary: CVE-2021-41133 flatpak: Sandbox bypass via recent VFS-manipulating syscalls
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-41133
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2012246 2012862 2012864 2012865 2012866 2012867 2012868 2012869
Blocks: 2012248
Reported: 2021-10-08 16:19 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-05-17 09:42 UTC
CC List: 4 users

Fixed In Version: flatpak 1.12.1
Clone Of:
Environment:
Last Closed: 2021-11-01 14:07:50 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2021:4042  0        None      None    None     2021-11-01 13:35:46 UTC
Red Hat Product Errata  RHSA-2021:4044  0        None      None    None     2021-11-01 16:32:53 UTC
Red Hat Product Errata  RHSA-2021:4106  0        None      None    None     2021-11-02 18:22:53 UTC
Red Hat Product Errata  RHSA-2021:4107  0        None      None    None     2021-11-02 20:10:05 UTC

Description Guilherme de Almeida Suckevicz 2021-10-08 16:19:32 UTC
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it were an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely.

Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has.

Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses.

Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.

Reference:
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q

Comment 1 Guilherme de Almeida Suckevicz 2021-10-08 16:19:47 UTC
Created flatpak tracking bugs for this issue:

Affects: fedora-all [bug 2012246]

Comment 4 devthomp 2021-10-11 14:24:36 UTC
As per link:
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q

Patches
The short-term solution is to expand the deny-list of syscalls in the seccomp filter:
e26ac75
89ae9fe
26b1248
a10f52a
9766ee0
4c34815
1330662
462fca2
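The short-term fix named above (the advisory's denylist seccomp filter, widened by the commits listed in this comment) can be illustrated with a small seccomp-BPF filter. The block below is an added example, not flatpak's code or code from those commits; it assumes the seven new-mount-API syscalls (open_tree, move_mount, fsopen, fsconfig, fsmount, fspick, mount_setattr) with their unified kernel numbers, which this bug record does not list, and an x86_64 or aarch64 host.

```c
/* Added example, not flatpak's code: a seccomp-BPF denylist for the Linux
 * new-mount-API syscalls (unified numbers, same on all arches since 5.1):
 * open_tree 428, move_mount 429, fsopen 430, fsconfig 431, fsmount 432,
 * fspick 433, mount_setattr 442. Matching calls fail with EPERM. */
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
static const unsigned denied_nr[] = {428, 429, 430, 431, 432, 433, 442};
#define NDENIED (sizeof denied_nr / sizeof denied_nr[0])
#define FILTER_LEN (4 + 2 * NDENIED + 1)

/* Fill prog (at least FILTER_LEN entries); return the instruction count. */
size_t build_mount_api_denylist(struct sock_filter *prog)
{
    size_t n = 0;
    /* Kill on a foreign ABI, where the numbers below mean other syscalls. */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NDENIED; i++) { /* nr matches: fall into EPERM; else skip it */
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, denied_nr[i], 0, 1);
        prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW); /* everything else */
    return n;
}

/* Load the filter into the calling process (inherited by children); 0 on success, -1 on failure. */
int install_mount_api_denylist(void)
{
    struct sock_filter insns[FILTER_LEN];
    struct sock_fprog fprog = {.len = (unsigned short)build_mount_api_denylist(insns), .filter = insns};
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) /* lets an unprivileged process load a filter */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);
}
```

Once loaded, a call such as syscall(428, ...) (open_tree) returns -1 with errno EPERM before it reaches the VFS, and the filter survives fork and execve.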

Comment 8 errata-xmlrpc 2021-11-01 13:35:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4042 https://access.redhat.com/errata/RHSA-2021:4042

Comment 9 Product Security DevOps Team 2021-11-01 14:07:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41133

Comment 10 errata-xmlrpc 2021-11-01 16:32:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:4044 https://access.redhat.com/errata/RHSA-2021:4044

Comment 11 errata-xmlrpc 2021-11-02 18:22:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:4106 https://access.redhat.com/errata/RHSA-2021:4106

Comment 12 errata-xmlrpc 2021-11-02 20:10:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:4107 https://access.redhat.com/errata/RHSA-2021:4107

