Bug 2041592 (CVE-2022-21682) - CVE-2022-21682 flatpak: flatpak-builder --mirror-screenshots-url can access files outside the build directory
Summary: CVE-2022-21682 flatpak: flatpak-builder --mirror-screenshots-url can access f...
Keywords:
Status: NEW
Alias: CVE-2022-21682
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2042007 1999742 2041593 2042008
Blocks: 2041595
TreeView+ depends on / blocked
 
Reported: 2022-01-17 19:00 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-05-17 09:42 UTC (History)
5 users (show)

Fixed In Version: flatpak 1.12.3, flatpak 1.10.6
Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability was found in Flatpak. This happens when flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2022-01-17 19:00:31 UTC
Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.

Reference:
https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx

Comment 1 Guilherme de Almeida Suckevicz 2022-01-17 19:00:46 UTC
Created flatpak tracking bugs for this issue:

Affects: fedora-all [bug 2041593]


Note You need to log in before you can comment on or make changes to this bug.