Bug 765457 (CVE-2021-21261) - <sys-apps/flatpak-{1.8.5,1.10.0}: Sandbox escape (CVE-2021-21261)
Summary: <sys-apps/flatpak-{1.8.5,1.10.0}: Sandbox escape (CVE-2021-21261)
Status: RESOLVED FIXED
Alias: CVE-2021-21261
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://github.com/flatpak/flatpak/se...
Whiteboard: B1 [glsa+ cve]
Reported: 2021-01-14 18:19 UTC by Jannik Glückert
Modified: 2021-01-25 00:08 UTC
Description Jannik Glückert 2021-01-14 18:19:19 UTC
Upstream link: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2

The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings.

In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the flatpak run command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the flatpak run command, and use them to execute arbitrary code that is not in a sandbox.

This is fixed in the new releases 1.8.5 and 1.10.0.
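
Added illustration, not part of the bug report and not Flatpak's code: the sketch below contrasts a service that merges caller-supplied variables into the environment of its unsandboxed launcher with one that keeps the launcher's environment its own and forwards the variables only as data for the new sandbox. `sandbox-launcher`, `--sandbox-env` and `HELPER_PLUGIN_DIR` are hypothetical names, and the hardened variant shows the general design, not the upstream patch.

```python
import re

# Constructed stand-in for the portal service's own, trusted environment.
BROKER_ENV = {"PATH": "/usr/bin:/bin", "HOME": "/home/user", "LANG": "C.UTF-8"}
VALID_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def plan_vulnerable(caller_env, command):
    """Pre-fix pattern: caller variables are merged into the environment
    of the unsandboxed launcher process itself."""
    launcher_env = {**BROKER_ENV, **caller_env}
    return {"env": launcher_env, "argv": ["sandbox-launcher", "--", *command]}


def plan_hardened(caller_env, command):
    """The launcher keeps the service's environment; caller variables travel
    as data and are applied only inside the new sandbox."""
    args = []
    for name, value in sorted(caller_env.items()):
        if not VALID_NAME.fullmatch(name) or "\0" in value:
            raise ValueError(f"rejected variable name or value: {name!r}")
        # Hypothetical flag; one argv element per variable, so a value
        # cannot be parsed as a separate launcher option.
        args.append(f"--sandbox-env={name}={value}")
    return {"env": dict(BROKER_ENV),
            "argv": ["sandbox-launcher", *args, "--", *command]}


def caller_controlled(plan):
    """Names in the launcher's environment that differ from the service's."""
    return sorted(k for k, v in plan["env"].items() if BROKER_ENV.get(k) != v)


if __name__ == "__main__":
    # Constructed request from a sandboxed app; HELPER_PLUGIN_DIR is made up.
    request = {"HELPER_PLUGIN_DIR": "/app/plugins", "LANG": "xx_XX"}
    for plan in (plan_vulnerable, plan_hardened):
        print(plan.__name__, caller_controlled(plan(request, ["app-cmd"])))
```

An empty result from `caller_controlled` is the property to check for in review: nothing the sandboxed caller sent reaches the environment of a host-side process.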
Comment 1 Larry the Git Cow gentoo-dev 2021-01-16 04:44:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=814b0fb1496a759d92fbea88c37480ebb93abfd2

commit 814b0fb1496a759d92fbea88c37480ebb93abfd2
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-01-16 04:37:26 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-01-16 04:44:37 +0000

    sys-apps/flatpak: Bump to version 1.10.0
    
    Bug: https://bugs.gentoo.org/765457
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest              |   1 +
 sys-apps/flatpak/flatpak-1.10.0.ebuild | 101 +++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=055cbd9675ce449e7621a1d82a50fff097450c2c

commit 055cbd9675ce449e7621a1d82a50fff097450c2c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-01-16 04:34:36 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-01-16 04:44:36 +0000

    sys-apps/flatpak: Bump to version 1.8.5
    
    Bug: https://bugs.gentoo.org/765457
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest             |   1 +
 sys-apps/flatpak/flatpak-1.8.5.ebuild | 101 ++++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)
Comment 2 John Helmert III gentoo-dev Security 2021-01-16 07:02:35 UTC
Please clean up.
Comment 3 Larry the Git Cow gentoo-dev 2021-01-16 20:53:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=730592e83540a61141f46c34e76a313ad6f2ee34

commit 730592e83540a61141f46c34e76a313ad6f2ee34
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-01-16 20:48:46 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-01-16 20:53:15 +0000

    sys-apps/flatpak: Remove vulnerable version 1.8.2
    
    Note that flatpak-1.9.2 remains even though it is vulnerable,
    because it has stable keywords. We'll have to stabilize either
    flatpak-1.10.0 or flatpak-1.8.5.
    
    Bug: https://bugs.gentoo.org/765457
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest             |   1 -
 sys-apps/flatpak/flatpak-1.8.2.ebuild | 101 ----------------------------------
 2 files changed, 102 deletions(-)
Comment 4 Sam James archtester gentoo-dev Security 2021-01-16 21:12:19 UTC
arm64 done
Comment 5 John Helmert III gentoo-dev Security 2021-01-17 00:01:46 UTC
Whoops, missed that there were stable arches, sorry!
Comment 6 Sam James archtester gentoo-dev Security 2021-01-18 00:47:48 UTC
x86 done

all arches done
Comment 7 Larry the Git Cow gentoo-dev 2021-01-18 01:14:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d665f32741098e4fc8d7f7a6c04f473e24b9cf9e

commit d665f32741098e4fc8d7f7a6c04f473e24b9cf9e
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-01-18 01:13:09 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-01-18 01:13:21 +0000

    sys-apps/flatpak: Remove vulnerable version 1.9.2
    
    Bug: https://bugs.gentoo.org/765457
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest             |   1 -
 sys-apps/flatpak/flatpak-1.9.2.ebuild | 101 ----------------------------------
 2 files changed, 102 deletions(-)
Comment 8 Zac Medico gentoo-dev 2021-01-18 01:15:47 UTC
The tree is clean now. The only remaining versions are 1.8.5 and 1.10.0.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2021-01-25 00:08:39 UTC
This issue was resolved and addressed in
 GLSA 202101-21 at https://security.gentoo.org/glsa/202101-21
by GLSA coordinator Aaron Bauman (b-man).