Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 930202 (CVE-2024-32462) - <sys-apps/flatpak-{1.14.6,1.12.9}: Sandbox escape via RequestBackground portal
Summary: <sys-apps/flatpak-{1.14.6,1.12.9}: Sandbox escape via RequestBackground portal
Status: CONFIRMED
Alias: CVE-2024-32462
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Security
URL: https://github.com/flatpak/flatpak/se...
Whiteboard: A1 [glsa cleanup]
Keywords: PullRequest
Depends on: 930844
Blocks:
  Show dependency tree
 
Reported: 2024-04-18 17:01 UTC by Christopher Fore
Modified: 2024-06-09 10:04 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Fore 2024-04-18 17:01:48 UTC
CVE-2024-32462:

A malicious or compromised Flatpak app could execute arbitrary code outside its sandbox in conjunction with xdg-desktop-portal.



The above is fixed in 1.14.6 and 1.12.9.
Comment 1 Christopher Fore 2024-04-18 17:06:31 UTC
xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with -. This is not packaged yet, however.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-04-19 10:48:23 UTC
(In reply to Christopher Fore from comment #1)
> xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only
> allowing Flatpak apps to create .desktop files for commands that do not
> start with -. This is not packaged yet, however.

Worth filing a bug for it or at least CCing its maintainers then ;)
Comment 3 Larry the Git Cow gentoo-dev 2024-04-21 07:48:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e5a89cfc048384ddf35268840fea1ebc3e6ee91

commit 3e5a89cfc048384ddf35268840fea1ebc3e6ee91
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-04-20 18:52:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-04-21 07:46:20 +0000

    sys-apps/flatpak: add 1.12.9, 1.14.6, security bump
    
    - Tests skipped (restricted)
    - Fixed trivial QA warnings
      - Changed order of HOMEPAGE, SRC_URI, and DESCRIPTION
    
    Bug: https://bugs.gentoo.org/930202
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/36334
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest              |   2 +
 sys-apps/flatpak/flatpak-1.12.9.ebuild | 108 +++++++++++++++++++++++++++++
 sys-apps/flatpak/flatpak-1.14.6.ebuild | 120 +++++++++++++++++++++++++++++++++
 3 files changed, 230 insertions(+)