CVSS: 8.6EPSS: 0%CPEs: 7EXPL: 0CVE-2021-43860 – Permissions granted to applications can be hidden from the user at install time
https://notcve.org/view.php?id=CVE-2021-43860
Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "xa.metadata" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. • https://github.com/flatpak/flatpak/commit/54ec1a482dfc668127eaae57f135e6a8e0bc52da https://github.com/flatpak/flatpak/commit/65cbfac982cb1c83993a9e19aa424daee8e9f042 https://github.com/flatpak/flatpak/commit/93357d357119093804df05acc32ff335839c6451 https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee https://github.com/flatpak/flatpak/releases/tag/1.10.6 https://github.com/flatpak/flatpak/releases/tag/1.12.3 https://github.com/flatpak/ • CWE-269: Improper Privilege Management CWE-276: Incorrect Default Permissions •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-41133 – Sandbox bypass via recent VFS-manipulating syscalls
https://notcve.org/view.php?id=CVE-2021-41133
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. • http://www.openwall.com/lists/oss-security/2021/10/26/9 https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999 https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36 https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48 https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f https://github.c • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2019-10063 – flatpak: Sandbox bypass via IOCSTI (incomplete fix for CVE-2017-5226)
https://notcve.org/view.php?id=CVE-2019-10063
Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI. Flatpak, en versiones anteriores a la 1.0.8, 1.1.x y 1.2.x anteriores a la 1.2.4, y en las versiones 1.3.x anteriores a la 1.3.1, permite omitir el sandbox. Las versiones de Flatpak desde la 0.8.1 abordan CVE-2017-5226 mediante un filtro seccomp para evitar que las aplicaciones del sandbox empleen el ioctl TIOCSTI, que podría emplearse para inyectar comandos en la terminal de control para que se ejecuten fuera del sandbox una vez la aplicación en el sandbox se cierra. • https://access.redhat.com/errata/RHSA-2019:1024 https://access.redhat.com/errata/RHSA-2019:1143 https://github.com/flatpak/flatpak/issues/2782 https://access.redhat.com/security/cve/CVE-2019-10063 https://bugzilla.redhat.com/show_bug.cgi?id=1695973 • CWE-20: Improper Input Validation CWE-266: Incorrect Privilege Assignment •
CVSS: 8.2EPSS: 0%CPEs: 11EXPL: 0CVE-2019-8308 – flatpak: potential /proc based sandbox escape
https://notcve.org/view.php?id=CVE-2019-8308
Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file. Flatpak, en versiones anteriores a la 1.0.7 y en versiones 1.1.x y 1.2.x anteriores a la 1.2.3, expone /proc en el sandbox de script apply_extra, lo que permite que los atacantes modifiquen un archivo ejecutable del lado del host. A flaw was found in flatpak. In certain special cases, installing flatpak applications and runtimes system-wide may allow an attacker to escape the flatpak sandbox. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00088.html https://access.redhat.com/errata/RHSA-2019:0375 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922059 https://github.com/flatpak/flatpak/releases/tag/1.0.7 https://github.com/flatpak/flatpak/releases/tag/1.2.3 https://access.redhat.com/security/cve/CVE-2019-8308 https://bugzilla.redhat.com/show_bug.cgi?id=1675070 • CWE-668: Exposure of Resource to Wrong Sphere CWE-672: Operation on a Resource after Expiration or Release •
CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 0CVE-2018-6560 – flatpak: sandbox escape in D-Bus filtering by a crafted authentication handshake
https://notcve.org/view.php?id=CVE-2018-6560
In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon. En dbus-proxy/flatpak-proxy.c en Flatpak en versiones anteriores a la 0.8.9, 0.9.x y 0.10.x anteriores a la 0.10.3, se pueden utilizar mensajes D-Bus manipulados para salir del sandbox, ya que la gestión de los espacios en blanco en el proxy no es idéntica a cómo gestiona el demonio los espacios en blanco. It was found that flatpak's D-Bus proxy did not properly filter the access to D-Bus during the authentication protocol. A specially crafted flatpak application could use this flaw to bypass all restrictions imposed by flatpak and have full access to the D-BUS interface. • https://access.redhat.com/errata/RHSA-2018:2766 https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6 https://github.com/flatpak/flatpak/releases/tag/0.10.3 https://github.com/flatpak/flatpak/releases/tag/0.8.9 https://access.redhat.com/security/cve/CVE-2018-6560 https://bugzilla.redhat.com/show_bug.cgi?id=1542207 • CWE-270: Privilege Context Switching Error CWE-436: Interpretation Conflict •