
Bug 930202 (CVE-2024-32462)

Summary: <sys-apps/flatpak-{1.14.6,1.12.9}: Sandbox escape via RequestBackground portal
Product: Gentoo Security
Reporter: Christopher Fore <csfore>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: critical
CC: zmedico
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj
See Also: https://bugs.gentoo.org/show_bug.cgi?id=930261
          https://github.com/gentoo/gentoo/pull/36334
Whiteboard: A1 [stable?]
Package list:
Runtime testing required: ---
Bug Depends on: 930844
Bug Blocks:

Description Christopher Fore 2024-04-18 17:01:48 UTC
CVE-2024-32462:

A malicious or compromised Flatpak app could execute arbitrary code outside its sandbox in conjunction with xdg-desktop-portal.
The above is fixed in 1.14.6 and 1.12.9.
Comment 1 Christopher Fore 2024-04-18 17:06:31 UTC
xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with -. This is not packaged yet, however.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-04-19 10:48:23 UTC
(In reply to Christopher Fore from comment #1)
> xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only
> allowing Flatpak apps to create .desktop files for commands that do not
> start with -. This is not packaged yet, however.

Worth filing a bug for it or at least CCing its maintainers then ;)
Comment 3 Larry the Git Cow gentoo-dev 2024-04-21 07:48:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e5a89cfc048384ddf35268840fea1ebc3e6ee91

commit 3e5a89cfc048384ddf35268840fea1ebc3e6ee91
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-04-20 18:52:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-04-21 07:46:20 +0000

    sys-apps/flatpak: add 1.12.9, 1.14.6, security bump
    
    - Tests skipped (restricted)
    - Fixed trivial QA warnings
      - Changed order of HOMEPAGE, SRC_URI, and DESCRIPTION
    
    Bug: https://bugs.gentoo.org/930202
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/36334
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest              |   2 +
 sys-apps/flatpak/flatpak-1.12.9.ebuild | 108 +++++++++++++++++++++++++++++
 sys-apps/flatpak/flatpak-1.14.6.ebuild | 120 +++++++++++++++++++++++++++++++++
 3 files changed, 230 insertions(+)