Update for CVE-2021-41133
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
flatpak (Ubuntu) |
Fix Released
|
Medium
|
Andrew Hayzen | ||
Bionic |
Fix Released
|
Medium
|
Andrew Hayzen | ||
Focal |
Fix Released
|
Medium
|
Andrew Hayzen | ||
Hirsute |
Fix Released
|
Medium
|
Andrew Hayzen | ||
Impish |
Fix Released
|
Medium
|
Andrew Hayzen |
Bug Description
[Links]
https:/
https:/
https:/
[Impact]
Versions in Ubuntu right now:
Impish: 1.10.2-3
Hirsute: 1.10.2-1ubuntu1
Focal: 1.6.5-0ubuntu0.3
Bionic: 1.0.9-0ubuntu0.3
Affected versions:
1.11.x, 1.10.x <= 1.10.3, all <= 1.8.2
Patched versions:
1.10.5, 1.12.1, also expected in 1.8.2
[Test Case]
Unknown
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes.
There is also a manual test plan https:/
Flatpak has autopkgtests enabled http://
Regression potential is low, and upstream is very responsive to any issues raised.
[Patches]
There were 8 initial patches, then some regressions have been found, one has been patched, but a second has a pending pull request (see the github advisory for links). As noted in the debian bug as well there might be further changes to bubblewrap, so guess it makes sense to wait until this has settled.
[Other Information]
An anonymous reporter discovered that Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process, by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted /.flatpak-info or make that file disappear entirely.
Impact
Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has.
Mitigation: Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process xdg-dbus-proxy, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses.
CVE References
description: | updated |
information type: | Public → Public Security |
Changed in flatpak (Ubuntu): | |
assignee: | nobody → Andrew Hayzen (ahayzen) |
Changed in flatpak (Ubuntu Impish): | |
status: | New → In Progress |
Changed in flatpak (Ubuntu Hirsute): | |
status: | New → In Progress |
assignee: | nobody → Andrew Hayzen (ahayzen) |
Changed in flatpak (Ubuntu Bionic): | |
importance: | Undecided → Medium |
Changed in flatpak (Ubuntu Focal): | |
importance: | Undecided → Medium |
Changed in flatpak (Ubuntu Hirsute): | |
importance: | Undecided → Medium |
Changed in flatpak (Ubuntu Impish): | |
importance: | Undecided → Medium |
If someone has the permissions could they add bionic, focal, hirsute, and impish as affected series ?