CVE-2024-32462 Information

Description

Flatpak is a system for building distributing and running sandboxed desktop applications on Linux. in versions before 1.10.9 1.12.9 1.14.6 and 1.15.8 a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally the --command argument of flatpak run expects to be given a command to run in the specified Flatpak app optionally along with some arguments. However it is possible to instead pass bwrap arguments to --command= such as --bind. It’s possible to pass an arbitrary commandline to the portal interface org.freedesktop.portal.Background.RequestBackground from within a Flatpak app. When this is converted into a --command and arguments it achieves the same effect of passing arguments directly to bwrap and thus can be used for a sandbox escape. The solution is to pass the -- argument to bwrap which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with –. The vulnerability is patched in 1.15.8 1.10.9 1.12.9 and 1.14.6.

Reference

https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97 https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931