Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing
Description
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the --command argument of flatpak run expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However, it is possible to instead pass bwrap arguments to --command=, such as --bind. It is also possible to pass an arbitrary command line to the portal interface org.freedesktop.portal.Background.RequestBackground from within a Flatpak app. When this is converted into a --command and arguments, it has the same effect as passing arguments directly to bwrap, and can therefore be used for a sandbox escape. The solution is to pass the -- argument to bwrap, which makes it stop processing options. This has been supported since bubblewrap 0.3.0, and all supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in Flatpak 1.15.8, 1.10.9, 1.12.9, and 1.14.6.
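The fix described above, modelled as an added illustration that is not Flatpak's or xdg-desktop-portal's own code: how the bwrap command line is assembled from a --command value with and without the `--` option terminator, a toy bwrap option parser showing where the app-chosen string ends up in each case, and the kind of check xdg-desktop-portal 1.18.4 applies to RequestBackground commands. Function names, the sample sandbox options and the option table are assumptions.

```python
"""Added illustration of the fix for this CVE (not Flatpak's or
xdg-desktop-portal's own code): bwrap must be given a literal "--" before
the app-chosen command so it stops option parsing, and the portal refuses
RequestBackground commands that begin with "--". Function names, the
sample sandbox options and the toy option table are assumptions."""

# Constructed sample of options Flatpak itself adds to the bwrap command line.
SANDBOX_OPTIONS = ["--unshare-all", "--ro-bind", "/usr", "/usr"]

# Toy model of bwrap's option table: option -> number of values it consumes.
OPTION_ARITY = {"--unshare-all": 0, "--ro-bind": 2, "--bind": 2, "--dev": 1}


def build_bwrap_argv(command, args=(), terminate_options=True):
    """Assemble bwrap's argv for `flatpak run --command=<command>`.
    terminate_options=True is the patched behaviour (bubblewrap >= 0.3.0
    honours "--"); False models the pre-fix command line."""
    argv = ["bwrap", *SANDBOX_OPTIONS]
    if terminate_options:
        argv.append("--")
    return argv + [command, *args]


def parse_bwrap_argv(argv):
    """Split argv the way bwrap does: return (options, program).
    Option parsing stops at "--" or at the first non-option word."""
    options, i = [], 1
    while i < len(argv):
        word = argv[i]
        if word == "--":
            return options, argv[i + 1:]
        if word in OPTION_ARITY:
            n = OPTION_ARITY[word]
            options.append(argv[i:i + 1 + n])
            i += 1 + n
            continue
        return options, argv[i:]
    return options, []


def portal_accepts_command(command):
    """The xdg-desktop-portal 1.18.4 mitigation: create a .desktop file for a
    RequestBackground command only if its first word does not start with "--".
    """
    return bool(command) and not command[0].startswith("--")
```

With the pre-fix argv, a command of `--bind` is swallowed by the option parser and nothing is left as the program; with the `--` terminator the same string is handed to bwrap as the program to run, exactly as an ordinary command would be.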
Affected products
- pkg:rpm/almalinux/flatpak: < 1.12.9-1.el9_4
- pkg:rpm/almalinux/flatpak-devel: < 1.12.9-1.el9_4
- pkg:rpm/almalinux/flatpak-libs: < 1.12.9-1.el9_4
- pkg:rpm/almalinux/flatpak-selinux: < 1.12.9-1.el9_4
- pkg:rpm/almalinux/flatpak-session-helper: < 1.12.9-1.el9_4
- pkg:rpm/opensuse/bubblewrap (openSUSE Leap 15.6): < 0.11.0-150500.3.9.1
- pkg:rpm/opensuse/flatpak (openSUSE Leap 15.5): < 1.14.5-150500.3.9.1
- pkg:rpm/opensuse/flatpak (openSUSE Leap 15.6): < 1.16.0-150600.3.6.1
- pkg:rpm/opensuse/flatpak (openSUSE Tumbleweed): < 1.15.8-1.1
- pkg:rpm/opensuse/xdg-desktop-portal (openSUSE Leap 15.5): < 1.16.0-150500.3.6.1
- pkg:rpm/opensuse/xdg-desktop-portal (openSUSE Leap 15.6): < 1.18.2-150600.4.3.1
- pkg:rpm/suse/bubblewrap (SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS): < 0.11.0-150500.3.9.1
- pkg:rpm/suse/bubblewrap (SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS): < 0.11.0-150500.3.9.1
- pkg:rpm/suse/bubblewrap (SUSE Linux Enterprise Module for Basesystem 15 SP6): < 0.11.0-150500.3.9.1
- pkg:rpm/suse/bubblewrap (SUSE Linux Enterprise Server 15 SP5-LTSS): < 0.11.0-150500.3.9.1
- pkg:rpm/suse/bubblewrap (SUSE Linux Enterprise Server for SAP Applications 15 SP5): < 0.11.0-150500.3.9.1
- pkg:rpm/suse/flatpak (SUSE Enterprise Storage 7.1): < 1.10.8-150200.4.18.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS): < 1.10.8-150200.4.18.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS): < 1.10.8-150200.4.18.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS): < 1.12.8-150400.3.6.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS): < 1.12.8-150400.3.6.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS): < 1.16.0-150500.3.15.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS): < 1.16.0-150500.3.15.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise Module for Desktop Applications 15 SP5): < 1.14.5-150500.3.9.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise Module for Desktop Applications 15 SP6): < 1.16.0-150600.3.6.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise Server 12 SP5): < 1.4.2-3.6.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise Server 15 SP2-LTSS): < 1.10.8-150200.4.18.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise Server 15 SP3-LTSS): < 1.10.8-150200.4.18.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise Server 15 SP4-LTSS): < 1.12.8-150400.3.6.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise Server 15 SP5-LTSS): < 1.16.0-150500.3.15.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise Server for SAP Applications 12 SP5): < 1.4.2-3.6.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise Server for SAP Applications 15 SP2): < 1.10.8-150200.4.18.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise Server for SAP Applications 15 SP3): < 1.10.8-150200.4.18.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise Server for SAP Applications 15 SP4): < 1.12.8-150400.3.6.1
- pkg:rpm/suse/flatpak (SUSE Linux Enterprise Server for SAP Applications 15 SP5): < 1.16.0-150500.3.15.1
- pkg:rpm/suse/wayland-protocols (SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS): < 1.36-150500.3.3.1
- pkg:rpm/suse/wayland-protocols (SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS): < 1.36-150500.3.3.1
- pkg:rpm/suse/wayland-protocols (SUSE Linux Enterprise Server 15 SP5-LTSS): < 1.36-150500.3.3.1
- pkg:rpm/suse/wayland-protocols (SUSE Linux Enterprise Server for SAP Applications 15 SP5): < 1.36-150500.3.3.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Enterprise Storage 7.1): < 1.8.0-150200.5.6.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS): < 1.8.0-150200.5.6.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS): < 1.8.0-150200.5.6.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS): < 1.10.1-150400.3.6.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS): < 1.10.1-150400.3.6.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Linux Enterprise Module for Desktop Applications 15 SP5): < 1.16.0-150500.3.6.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Linux Enterprise Module for Desktop Applications 15 SP6): < 1.18.2-150600.4.3.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Linux Enterprise Server 12 SP5): < 1.4.2-3.3.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Linux Enterprise Server 15 SP2-LTSS): < 1.8.0-150200.5.6.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Linux Enterprise Server 15 SP3-LTSS): < 1.8.0-150200.5.6.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Linux Enterprise Server 15 SP4-LTSS): < 1.10.1-150400.3.6.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Linux Enterprise Server for SAP Applications 12 SP5): < 1.4.2-3.3.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Linux Enterprise Server for SAP Applications 15 SP2): < 1.8.0-150200.5.6.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Linux Enterprise Server for SAP Applications 15 SP3): < 1.8.0-150200.5.6.1
- pkg:rpm/suse/xdg-desktop-portal (SUSE Linux Enterprise Server for SAP Applications 15 SP4): < 1.10.1-150400.3.6.1
References
- github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d
- github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97
- github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e
- github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931
- github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj
- www.openwall.com/lists/oss-security/2024/04/18/5
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/