CVE-2022-21682 Information
Description
Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies finish-args last in the build. At this point the build directory will have the full access that is specified in the manifest so running flatpak build against it will gain those permissions. Normally this will not be done so this is not problem. However if --mirror-screenshots-url is specified then flatpak-builder will launch flatpak build --nofilesystem=host appstream-utils mirror-screenshots after finalization which can lead to issues even with the --nofilesystem=host protection. In normal use the only issue is that these empty directories can be created wherever the user has write permissions. However a malicious application could replace the appstream-util binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of --nofilesystem=home and --nofilesystem=host.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Reference
https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx
https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa
https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/
https://www.debian.org/security/2022/dsa-5049
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/
Flatpak
is
a
Linux
application
sandboxing
and
distribution
framework.
A
path
traversal
vulnerability
affects
versions
of
Flatpak
prior
to
1.12.3
and
1.10.6.
flatpak-builder
applies
finish-args
last
in
the
build.
At
this
point
the
build
directory
will
have
the
full
access
that
is
specified
in
the
manifest
so
running
flatpak build
against
it
will
gain
those
permissions.
Normally
this
will
not
be
done
so
this
is
not
problem.
However
if
--mirror-screenshots-url
is
specified
then
flatpak-builder
will
launch
flatpak build --nofilesystem=host appstream-utils mirror-screenshots
after
finalization
which
can
lead
to
issues
even
with
the
--nofilesystem=host
protection.
In
normal
use
the
only
issue
is
that
these
empty
directories
can
be
created
wherever
the
user
has
write
permissions.
However
a
malicious
application
could
replace
the
appstream-util
binary
and
potentially
do
something
more
hostile.
This
has
been
resolved
in
Flatpak
1.12.3
and
1.10.6
by
changing
the
behaviour
of
--nofilesystem=home
and
--nofilesystem=host.
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
LOW
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
NONE
Availability Impact
HIGH
Base Score
NONE
Base Severity
6.5
Share on: