CVE-2024-42472: Access to files outside sandbox for apps using persistent= (--persist)

Bug #2077087 reported by Simon McVittie
Affects: flatpak (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Leonidas S. Barbosa | Milestone: none

Bug Description

"A malicious or compromised Flatpak app using persistent directories could read and write files in locations it would not normally have access to, which is an attack on integrity and confidentiality." —https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87

Fixed upstream in 1.14.10 and 1.15.10. I'm reporting this here as a courtesy to Ubuntu, but the Flatpak team does not have the resources to prepare stable updates and SRUs for all distributions, so someone else will have to take over from here.

Please note that solving this CVE without race conditions requires a new bubblewrap (bwrap) feature. There are four possible approaches:

1. Update bubblewrap to 0.10.0, and give Flatpak a versioned dependency on it. This is what we did in Debian unstable and experimental, and in the Flatpak team's backports PPAs for noble and jammy:

https://salsa.debian.org/debian/flatpak/-/commit/0b47cdbb10d5183239299dba27053055d8fa1ec0

2. Backport the --bind-fd feature to an older bubblewrap, and give Flatpak a suitable versioned dependency on it. This is what we did for Flatpak 1.14.10 in Debian 12 'bookworm':

https://salsa.debian.org/debian/bubblewrap/-/commit/258ab8fb3a3faa54a811631d81fe43b9ca2d2936
https://salsa.debian.org/debian/flatpak/-/commit/37a25fd50181e93f5329c8cfbec7f69dce406a63

3. Instead of using the bwrap package, build Flatpak with its vendored convenience copy (`--without-system-bubblewrap`), and if necessary backport the new feature into that (in the 1.14.10 upstream release, this was already done). This is what we did in the Flatpak team's backports PPAs for focal and bionic:

https://github.com/flatpak/ppa-flatpak/commit/e22a18b1ba36c39515750bf1fcf99bf2206b7e0d

4. Only apply a partial solution (mitigation) for the CVE. If an instance of a malicious or compromised app runs in parallel with a second instance being started, it can attempt to exploit a race condition to give the second instance access to files outside the sandbox (probably difficult to achieve in practice, but I'm not an exploit developer, and maybe there is a trick that can make the timing easier).
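The symlink-refusing, fd-pinning pattern the description alludes to (don't follow symlinks when mounting a persisted directory, then bind by fd so a later swap cannot redirect the mount), as an added example in C. This is not Flatpak or bubblewrap code; `open_persist_dir`, `run_persist_checks` and the temp-dir fixture are this example's own.

```c
/* Added example, not code from Flatpak or bubblewrap: the fd-based pattern the fix
 * depends on. Open the persisted directory with O_NOFOLLOW and hand the fd (not the
 * path) to whatever performs the bind mount. Names and fixture are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open base/name as a directory, refusing to follow a symlink at that name: a symlink
 * makes the open fail (ENOTDIR, or ELOOP without O_DIRECTORY) rather than be followed. */
int open_persist_dir(int base_fd, const char *name)
{
    return openat(base_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
}
/* Constructed fixture: a temp dir holding a real subdir "data" and a symlink "escape"
 * to "/". Returns 0 if every check passes, 1..3 for the failing check, -1 on setup error. */
int run_persist_checks(void)
{
    char tmpl[] = "/tmp/persist-demo-XXXXXX";
    struct stat st;
    int base = -1, fd = -1, bad = -1, rc = -1;
    if (!mkdtemp(tmpl)) return -1;
    base = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (base < 0 || mkdirat(base, "data", 0700) < 0 || symlinkat("/", base, "escape") < 0)
        goto out;
    /* 1: a genuine directory opens */
    if ((fd = open_persist_dir(base, "data")) < 0) { rc = 1; goto out; }
    /* 2: a symlink planted where the directory should be is refused, not followed */
    bad = open_persist_dir(base, "escape");
    if (bad >= 0 || (errno != ENOTDIR && errno != ELOOP)) { rc = 2; goto out; }
    /* 3: simulate the race: after our check, the app swaps "data" for a symlink to "/" */
    if (unlinkat(base, "data", AT_REMOVEDIR) < 0 || symlinkat("/", base, "data") < 0)
        goto out;
    /* The fd still pins the original directory, so a mount by fd is unaffected; re-resolving
     * the path now would follow the planted symlink, which is the window a path-based mount has. */
    rc = (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode)) ? 0 : 3;
out:
    if (fd >= 0) close(fd);
    if (bad >= 0) close(bad);
    if (base >= 0) {
        unlinkat(base, "escape", 0);
        unlinkat(base, "data", 0); unlinkat(base, "data", AT_REMOVEDIR); /* symlink or dir */
        close(base);
    }
    rmdir(tmpl);
    return rc;
}
```

The check uses only the directory fd after the open; a mount helper given that fd (the role of bubblewrap's --bind-fd) never re-resolves the name the app controls.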


Simon McVittie (smcv) wrote :

> 3. Instead of using the bwrap package, build Flatpak with its vendored convenience copy

If someone takes this approach in newer Ubuntu branches where bwrap needs a special AppArmor profile to be allowed to do its job, please note that the vendored convenience copy gets installed as /usr/libexec/flatpak-bwrap rather than /usr/bin/bwrap, so AppArmor profiles might need adjusting.

In the Flatpak team's PPA, so far we've only needed to do this for focal and older, which don't need a special AppArmor profile for bwrap, so this problem didn't arise.

information type: Private Security → Public Security
Changed in flatpak (Ubuntu):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package flatpak - 1.14.6-1ubuntu0.1

---------------
flatpak (1.14.6-1ubuntu0.1) noble-security; urgency=medium

  * SECURITY UPDATE: Access outside sandbox
    - debian/patches/CVE-2024-42472-1.patch: don't follow symlinks when
      mounting persisted directories in common/flatpak-context.c.
    - debian/patches/CVE-2024-42472-2.patch: add test coverage for --persist
      in test/test-run.sh.
    - debian/patches/CVE-2024-42472-3.patch: add --bind-fd and --ro-bind-fd to
      subprojects/bubblewrap.c.
    - debian/control: makes flatpak depend on bubblewrap with --bind-fd feature
      backported to avoid race condition (LP: #2077087)
    - CVE-2024-42472

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 23 Sep 2024 15:35:49 -0300

Changed in flatpak (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package flatpak - 1.12.7-1ubuntu0.1

---------------
flatpak (1.12.7-1ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Access outside sandbox
    - debian/patches/CVE-2024-42472-1.patch: don't follow symlinks when
      mounting persisted directories in common/flatpak-context.c.
    - debian/patches/CVE-2024-42472-2.patch: add test coverage for --persist
      in test/test-run.sh.
    - debian/patches/CVE-2024-42472-3.patch: add --bind-fd and --ro-bind-fd to
      subprojects/bubblewrap.c.
    - debian/control: makes flatpak depend on bubblewrap with --bind-fd feature
      backported to avoid race condition (LP: #2077087)
    - CVE-2024-42472

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 23 Sep 2024 13:11:22 -0300

Changed in flatpak (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package flatpak - 1.6.5-0ubuntu0.5

---------------
flatpak (1.6.5-0ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: Access outside sandbox
    - debian/patches/CVE-2024-42472-1.patch: don't follow symlinks when
      mounting persisted directories in common/flatpak-context.c.
    - debian/patches/CVE-2024-42472-2.patch: add test coverage for --persist
      in test/test-run.sh.
    - debian/patches/CVE-2024-42472-3.patch: add --bind-fd and --ro-bind-fd to
      bubblewrap.c.
    - debian/control: makes flatpak depend on bubblewrap with --bind-fd feature
      backported to avoid race condition (LP: #2077087)
    - CVE-2024-42472

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 24 Sep 2024 20:03:34 -0300

Changed in flatpak (Ubuntu):
status: New → Fix Released