Bug 930202 (CVE-2024-32462) - <sys-apps/flatpak-{1.14.6,1.12.9}: Sandbox escape via RequestBackground portal
Summary: <sys-apps/flatpak-{1.14.6,1.12.9}: Sandbox escape via RequestBackground portal
Status: RESOLVED FIXED
Alias: CVE-2024-32462
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: https://github.com/flatpak/flatpak/se...
Whiteboard: A1 [glsa+]
Keywords: PullRequest
Depends on: 930844
Blocks:
Reported: 2024-04-18 17:01 UTC by Christopher Fore
Modified: 2024-10-27 07:18 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Christopher Fore 2024-04-18 17:01:48 UTC
CVE-2024-32462:

A malicious or compromised Flatpak app could execute arbitrary code outside its sandbox in conjunction with xdg-desktop-portal.
The above is fixed in 1.14.6 and 1.12.9.
Comment 1 Christopher Fore 2024-04-18 17:06:31 UTC
xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with -. This is not packaged yet, however.
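The rule described in comment 1 (refuse to create an autostart .desktop entry whose command starts with "-") can be checked before an entry is written. The following is an added example that models that check; it is not code from flatpak, xdg-desktop-portal or the Gentoo ebuilds. The function names, the use of shlex to split the Exec value, the sample entries and the rejection of an empty command are this example's own assumptions.

```python
"""Validate an autostart .desktop entry requested by a sandboxed app.

Added example modelled on the mitigation described in comment 1 of the bug:
the command in the entry's Exec key must not start with '-'. Function names,
the Exec splitting rules and the sample entries are assumptions made for this
example, not the upstream implementation.
"""
import shlex
from typing import Optional


def parse_desktop_entry(text: str) -> dict:
    """Return the key/value pairs of the [Desktop Entry] group as a dict."""
    keys = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # Only the main group matters for this check; other groups
            # (e.g. Desktop Actions) are ignored.
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip()] = value.strip()
    return keys


def exec_argv(exec_value: str) -> list:
    """Split an Exec value into argv.

    The Desktop Entry spec splits on unquoted whitespace with double-quote and
    backslash escaping; POSIX-mode shlex is used here as a close approximation
    (assumption of this example).
    """
    return shlex.split(exec_value, posix=True)


def check_background_command(argv: list) -> Optional[str]:
    """Return None if the command is acceptable, otherwise a reason string.

    Mirrors the rule from comment 1: argv[0] must not start with '-'.
    An empty command is also rejected (assumption of this example).
    """
    if not argv:
        return "empty command"
    if argv[0].startswith("-"):
        return "command %r starts with '-'" % argv[0]
    return None


def validate_autostart_request(desktop_text: str) -> tuple:
    """Decide whether a requested autostart entry may be created.

    Returns (accepted, reason); reason is 'ok' when accepted.
    """
    entry = parse_desktop_entry(desktop_text)
    exec_value = entry.get("Exec")
    if exec_value is None:
        return False, "missing Exec key"
    try:
        argv = exec_argv(exec_value)
    except ValueError as err:  # unbalanced quotes etc.
        return False, "unparseable Exec: %s" % err
    reason = check_background_command(argv)
    if reason is not None:
        return False, reason
    return True, "ok"


# Constructed sample entries for this example (not taken from the bug).
SAMPLE_OK = """[Desktop Entry]
Type=Application
Name=Example App
Exec=example-app --background
"""

SAMPLE_REJECTED = """[Desktop Entry]
Type=Application
Name=Example App
Exec=--not-a-command example-app
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("rejected", SAMPLE_REJECTED)):
        print(label, validate_autostart_request(sample))
```

The check is deliberately applied to the first token after quoting has been resolved, so an Exec value such as `"--x" app` is still refused; a check on the raw string alone would pass it if the quote came first.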
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-04-19 10:48:23 UTC
(In reply to Christopher Fore from comment #1)
> xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only
> allowing Flatpak apps to create .desktop files for commands that do not
> start with -. This is not packaged yet, however.

Worth filing a bug for it or at least CCing its maintainers then ;)
Comment 3 Larry the Git Cow gentoo-dev 2024-04-21 07:48:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e5a89cfc048384ddf35268840fea1ebc3e6ee91

commit 3e5a89cfc048384ddf35268840fea1ebc3e6ee91
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-04-20 18:52:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-04-21 07:46:20 +0000

    sys-apps/flatpak: add 1.12.9, 1.14.6, security bump
    
    - Tests skipped (restricted)
    - Fixed trivial QA warnings
      - Changed order of HOMEPAGE, SRC_URI, and DESCRIPTION
    
    Bug: https://bugs.gentoo.org/930202
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/36334
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest              |   2 +
 sys-apps/flatpak/flatpak-1.12.9.ebuild | 108 +++++++++++++++++++++++++++++
 sys-apps/flatpak/flatpak-1.14.6.ebuild | 120 +++++++++++++++++++++++++++++++++
 3 files changed, 230 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2024-06-22 07:05:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b6eb17f02063da39c53f7a1a067d6a58ed7fb9b9

commit b6eb17f02063da39c53f7a1a067d6a58ed7fb9b9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-06-22 07:02:59 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-06-22 07:04:32 +0000

    [ GLSA 202406-02 ] Flatpak: Sandbox Escape
    
    Bug: https://bugs.gentoo.org/930202
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202406-02.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 5 Hans de Graaff gentoo-dev Security 2024-10-27 07:18:38 UTC
commit f69bf4c9ae6c5e915d78e312e5b40c5012203877
Author: Zac Medico <zmedico@gentoo.org>
Date:   Thu Oct 24 13:04:37 2024 -0700

    sys-apps/flatpak: drop 1.12.8, 1.14.4-r3, 1.14.6, 1.14.8
    
    Bug: https://bugs.gentoo.org/937936
    Signed-off-by: Zac Medico <zmedico@gentoo.org>