CVE-2024-42472: Access to files outside sandbox for apps using persistent= (--persist)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
flatpak (Ubuntu) | Fix Released | Undecided | Leonidas S. Barbosa |
Bug Description
"A malicious or compromised Flatpak app using persistent directories could read and write files in locations it would not normally have access to, which is an attack on integrity and confidentiality." —https:/
Fixed upstream in 1.14.10 and 1.15.10. I'm reporting this here as a courtesy to Ubuntu, but the Flatpak team does not have the resources to prepare stable updates and SRUs for all distributions, so someone else will have to take over from here.
Please note that solving this CVE without race conditions requires a new bubblewrap (bwrap) feature. There are four possible approaches:
1. Update bubblewrap to 0.10.0, and give Flatpak a versioned dependency on it. This is what we did in Debian unstable and experimental, and in the Flatpak team's backports PPAs for noble and jammy:
https:/
2. Backport the --bind-fd feature to an older bubblewrap, and give Flatpak a suitable versioned dependency on it. This is what we did for Flatpak 1.14.10 in Debian 12 'bookworm':
https:/
https:/
3. Instead of using the bwrap package, build Flatpak with its vendored convenience copy (`--without-
https:/
4. Only apply a partial solution (mitigation) for the CVE. If an instance of a malicious or compromised app runs in parallel with a second instance being started, it can attempt to exploit a race condition to give the second instance access to files outside the sandbox (probably difficult to achieve in practice, but I'm not an exploit developer, and maybe there is a trick that can make the timing easier).
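A check a packager can run after choosing one of these approaches, added here as an example that is not part of the bug report: it compares the installed Flatpak against the fixed releases named above (1.14.10 on the 1.14 branch, 1.15.10 otherwise) and tests whether the bubblewrap Flatpak will actually run is 0.10.0 or already advertises `--bind-fd`, so a patched Flatpak paired with an old bwrap is reported as the partial mitigation of approach 4. It assumes `flatpak --version` and `bwrap --version` print a name followed by a dotted version, and that a vendored helper, when built in, lives at /usr/libexec/flatpak-bwrap.

```shell
#!/bin/sh
# Added example, not from the bug report or the Flatpak project.

# version_ge A B: true when dotted version A >= B, compared numerically component by component.
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i"); y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# flatpak_fixed V: true for releases carrying the upstream fix (1.14.10+ on the
# 1.14 branch, 1.15.10+ on anything else, so older branches count as unfixed).
flatpak_fixed() {
    case "$1" in
        1.14.*) version_ge "$1" 1.14.10 ;;
        *)      version_ge "$1" 1.15.10 ;;
    esac
}

# bwrap_has_bind_fd VERSION HELPTEXT: true when bubblewrap is 0.10.0+ or its --help
# output already lists --bind-fd (covers a backport of the feature, approach 2 above).
bwrap_has_bind_fd() {
    version_ge "$1" 0.10.0 && return 0
    printf '%s\n' "$2" | grep -q -- '--bind-fd'
}

# Use the bubblewrap Flatpak will run: the vendored helper if present, else the system one.
bwrap_bin=/usr/bin/bwrap
[ -x /usr/libexec/flatpak-bwrap ] && bwrap_bin=/usr/libexec/flatpak-bwrap

if command -v flatpak >/dev/null 2>&1 && [ -x "$bwrap_bin" ]; then
    fv=$(flatpak --version | awk '{print $2}')
    bv=$("$bwrap_bin" --version | awk '{print $2}')
    bh=$("$bwrap_bin" --help 2>&1 || true)
    if flatpak_fixed "$fv" && bwrap_has_bind_fd "$bv" "$bh"; then
        echo "Flatpak $fv with $bwrap_bin $bv: CVE-2024-42472 fixed"
    elif flatpak_fixed "$fv"; then
        echo "Flatpak $fv patched, but $bwrap_bin $bv lacks --bind-fd: race window remains (approach 4)"
    else
        echo "Flatpak $fv: unfixed"
    fi
fi
```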
Changed in flatpak (Ubuntu): assignee: nobody → Leonidas S. Barbosa (leosilvab)
> 3. Instead of using the bwrap package, build Flatpak with its vendored convenience copy
If someone takes this approach in newer Ubuntu branches where bwrap needs a special AppArmor profile to be allowed to do its job, please note that the vendored convenience copy gets installed as /usr/libexec/flatpak-bwrap rather than /usr/bin/bwrap, so AppArmor profiles might need adjusting.
In the Flatpak team's PPA, so far we've only needed to do this for focal and older, which don't need a special AppArmor profile for bwrap, so this problem didn't arise.