930202 – (CVE-2024-32462) <sys-apps/flatpak-{1.14.6,1.12.9}: Sandbox escape via RequestBackground portal

Bug 930202 (CVE-2024-32462) - <sys-apps/flatpak-{1.14.6,1.12.9}: Sandbox escape via RequestBackground portal

Summary: <sys-apps/flatpak-{1.14.6,1.12.9}: Sandbox escape via RequestBackground portal

Status:	RESOLVED FIXED

Alias:	CVE-2024-32462

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal critical
Assignee:	Gentoo Security

URL:	https://github.com/flatpak/flatpak/se...
Whiteboard:	A1 [glsa+]
Keywords:	PullRequest

Depends on:	930844
Blocks:
	Show dependency tree

Reported:	2024-04-18 17:01 UTC by Christopher Fore
Modified:	2024-10-27 07:18 UTC (History)
CC List:	1 user (show)

See Also:	930261 https://github.com/gentoo/gentoo/pull/36334
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Fore 2024-04-18 17:01:48 UTC

CVE-2024-32462:

A malicious or compromised Flatpak app could execute arbitrary code outside its sandbox in conjunction with xdg-desktop-portal.



The above is fixed in 1.14.6 and 1.12.9.

Comment 1 Christopher Fore 2024-04-18 17:06:31 UTC

xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with -. This is not packaged yet, however.

Comment 2 Sam James archtester

2024-04-19 10:48:23 UTC

(In reply to Christopher Fore from comment #1)
> xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only
> allowing Flatpak apps to create .desktop files for commands that do not
> start with -. This is not packaged yet, however.

Worth filing a bug for it or at least CCing its maintainers then ;)

Comment 3 Larry the Git Cow gentoo-dev

2024-04-21 07:48:39 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e5a89cfc048384ddf35268840fea1ebc3e6ee91

commit 3e5a89cfc048384ddf35268840fea1ebc3e6ee91
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-04-20 18:52:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-04-21 07:46:20 +0000

    sys-apps/flatpak: add 1.12.9, 1.14.6, security bump
    
    - Tests skipped (restricted)
    - Fixed trivial QA warnings
      - Changed order of HOMEPAGE, SRC_URI, and DESCRIPTION
    
    Bug: https://bugs.gentoo.org/930202
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/36334
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest              |   2 +
 sys-apps/flatpak/flatpak-1.12.9.ebuild | 108 +++++++++++++++++++++++++++++
 sys-apps/flatpak/flatpak-1.14.6.ebuild | 120 +++++++++++++++++++++++++++++++++
 3 files changed, 230 insertions(+)

Comment 4 Larry the Git Cow gentoo-dev

2024-06-22 07:05:08 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b6eb17f02063da39c53f7a1a067d6a58ed7fb9b9

commit b6eb17f02063da39c53f7a1a067d6a58ed7fb9b9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-06-22 07:02:59 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-06-22 07:04:32 +0000

    [ GLSA 202406-02 ] Flatpak: Sandbox Escape
    
    Bug: https://bugs.gentoo.org/930202
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202406-02.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

Comment 5 Hans de Graaff gentoo-dev

2024-10-27 07:18:38 UTC

commit f69bf4c9ae6c5e915d78e312e5b40c5012203877
Author: Zac Medico <zmedico@gentoo.org>
Date:   Thu Oct 24 13:04:37 2024 -0700

    sys-apps/flatpak: drop 1.12.8, 1.14.4-r3, 1.14.6, 1.14.8
    
    Bug: https://bugs.gentoo.org/937936
    Signed-off-by: Zac Medico <zmedico@gentoo.org>