Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However, it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It is also possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect as passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0, and all supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with `--`. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.
References:
https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d
https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97
https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e
https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931
https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj
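The following Python is an added illustration of the fix described above; it is not Flatpak's, bubblewrap's or xdg-desktop-portal's own code. It models how a launcher's argv looks with and without the `--` separator, feeds both through a small getopt-style parser (a simplification of how `bwrap` consumes its option list), and models the xdg-desktop-portal check that refuses commands beginning with `--`. The option list `SANDBOX_OPTIONS`, the operand counts in the parser and the placeholder command are all constructed for the example.

```python
"""Model of the argv-separator fix for app-controlled --command values.

Added example, not project code. Everything here is a simplified stand-in:
the parser handles only a handful of option names and is not bubblewrap.
"""
from typing import Dict, List, Tuple

# Constructed stand-in for the fixed options a launcher prepends to every run.
SANDBOX_OPTIONS: List[str] = ["--ro-bind", "/usr", "/usr", "--unshare-all"]

# Constructed operand counts for the few options the toy parser understands.
OPERAND_COUNT: Dict[str, int] = {"--ro-bind": 2, "--bind": 2, "--unshare-all": 0}


def build_argv_unfixed(command: List[str]) -> List[str]:
    """Pre-fix shape: the app-controlled command follows the launcher's own options
    with nothing separating the two, so a command that looks like an option is one."""
    return ["bwrap", *SANDBOX_OPTIONS, *command]


def build_argv_fixed(command: List[str]) -> List[str]:
    """Post-fix shape: "--" terminates option processing, so every token after it
    is part of the command no matter what it starts with."""
    return ["bwrap", *SANDBOX_OPTIONS, "--", *command]


def split_options(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Getopt-style split: consume leading "--x" tokens (plus their operands) as
    options, stop at "--" or at the first non-option token, return (options, command)."""
    options: List[str] = []
    i = 1  # skip argv[0]
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            i += 1  # separator is consumed, not passed on
            break
        if not tok.startswith("--"):
            break  # first positional token: the command starts here
        options.append(tok)
        i += 1
        n = OPERAND_COUNT.get(tok, 0)
        options.extend(argv[i:i + n])
        i += n
    return options, argv[i:]


def portal_accepts_commandline(commandline: List[str]) -> bool:
    """Model of the xdg-desktop-portal 1.18.4 mitigation: an autostart entry is only
    created for a commandline whose first element does not start with "--"."""
    return bool(commandline) and not commandline[0].startswith("--")


if __name__ == "__main__":
    # Constructed command that looks like an option; operands are placeholders.
    suspicious = ["--bind", "placeholder-src", "placeholder-dst", "true"]
    print("unfixed:", split_options(build_argv_unfixed(suspicious)))
    print("fixed:  ", split_options(build_argv_fixed(suspicious)))
    print("portal: ", portal_accepts_commandline(suspicious))
```

Running it shows the difference the separator makes: without `--` the parser absorbs the app-supplied `--bind` and its operands into the option list, which is exactly the confusion the advisory describes; with `--` the same tokens arrive as the command and never reach the option parser. The portal-side check is a defence in depth for the autostart path, not a replacement for the launcher fix.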
Created flatpak tracking bugs for this issue: Affects: fedora-all [bug 2275983]
This vulnerability poses an important security risk due to its potential for sandbox escape within Flatpak environments. Exploiting this vulnerability allows a malicious Flatpak application to execute arbitrary code outside of its designated sandbox, effectively bypassing the security measures intended to restrict its system access. By manipulating the --command argument and the org.freedesktop.portal.Background.RequestBackground portal interface, an attacker can craft commands that are misinterpreted as bwrap options, leading to unauthorized execution of commands with elevated privileges. This could result in unauthorized data access, system compromise, and potentially enable further exploitation of the host system.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:3960 https://access.redhat.com/errata/RHSA-2024:3960
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:3959 https://access.redhat.com/errata/RHSA-2024:3959
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Telecommunications Update Service Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Via RHSA-2024:3963 https://access.redhat.com/errata/RHSA-2024:3963
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3961 https://access.redhat.com/errata/RHSA-2024:3961
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:3962 https://access.redhat.com/errata/RHSA-2024:3962
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2024:3969 https://access.redhat.com/errata/RHSA-2024:3969
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2024:3970 https://access.redhat.com/errata/RHSA-2024:3970
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2024:3979 https://access.redhat.com/errata/RHSA-2024:3979
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2024:3980 https://access.redhat.com/errata/RHSA-2024:3980