13 results (0.005 seconds)

CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0

CVE-2024-42472 – Flatpak may allow access to files outside sandbox for certain apps

https://notcve.org/view.php?id=CVE-2024-42472

Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality. When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have access to the real user home directory will see an empty home directory with a writeable subdirectory `subdir`. Behind the scenes, this directory is actually a bind mount and the data is stored in the per-application directory as `~/.var/app/$APPID/subdir`. This allows existing apps that are not aware of the per-application directory to still work as intended without general home directory access. However, the application does have write access to the application directory `~/.var/app/$APPID` where this directory is stored. If the source directory for the `persistent`/`--persist` option is replaced by a symlink, then the next time the application is started, the bind mount will follow the symlink and mount whatever it points to into the sandbox. Partial protection against this vulnerability can be provided by patching Flatpak using the patches in commits ceec2ffc and 98f79773. • https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87 https://github.com/containers/bubblewrap/commit/68e75c3091c87583c28a439b45c45627a94d622c https://github.com/containers/bubblewrap/commit/a253257cd298892da43e15201d83f9a02c9b58b5 https://github.com/flatpak/flatpak/commit/2cdd1e1e5ae90d7c3a4b60ce2e36e4d609e44e72 https://github.com/flatpak/flatpak/commit/3caeb16c31a3ed62d744e2aaf01d684f7991051a https://github.com/flatpak/flatpak/commit/6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75 https://github.com/flatpak/flatpak/commit/7c63e53bb2af0aae9097fd2edfd6a9ba9d453e97 http • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 8.4EPSS: 0%CPEs: 4EXPL: 0

CVE-2024-32462 – Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing

https://notcve.org/view.php?id=CVE-2024-32462

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. • http://www.openwall.com/lists/oss-security/2024/04/18/5 https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97 https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931 https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/messa • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •

CVSS: 6.2EPSS: 0%CPEs: 4EXPL: 0

CVE-2023-28101 – Flatpak metadata with ANSI control codes can cause misleading terminal output

https://notcve.org/view.php?id=CVE-2023-28101

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust. A flaw was found in Flatpak, a system for building, distributing, and running sandboxed desktop applications on Linux. • https://github.com/flatpak/flatpak/commit/409e34187de2b2b2c4ef34c79f417be698830f6c https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869 https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8 https://security.gentoo.org/glsa/202312-12 https://access.redhat.com/security/cve/CVE-2023-28101 https://bugzilla.redhat.com/show_bug.cgi?id=2179219 • CWE-116: Improper Encoding or Escaping of Output •

CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0

CVE-2023-28100 – TIOCLINUX can send commands outside sandbox if running on a virtual console

https://notcve.org/view.php?id=CVE-2023-28100

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. • https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9 https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp https://marc.info/?l=oss-security&m=167879021709955&w=2 https://security.gentoo.org/glsa/202312-12 https://access.redhat.com/security/cve/CVE-2023-28100 https://bugzilla.redhat.com/show_bug.cgi?id=2179220 • CWE-20: Improper Input Validation •

CVSS: 7.7EPSS: 0%CPEs: 8EXPL: 0

CVE-2022-21682 – flatpak-builder can access files outside the build directory.

https://notcve.org/view.php?id=CVE-2022-21682

Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. • https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP https://security.gentoo.org/glsa/202312-12 https://www.debian • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •