
CVE-2021-21261: Flatpak sandbox escape via spawn portal

High
alexlarsson published GHSA-4ppf-fxf6-vxg2 Jan 14, 2021

Package

Flatpak (freedesktop.org)

Affected versions

>= 0.11.4 and < 1.10.0, except for 1.8.x >= 1.8.5

Patched versions

All >= 1.10.0, 1.8.x >= 1.8.5

Description

Simon McVittie discovered a bug in the flatpak-portal service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape).

The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself.

In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the flatpak run command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the flatpak run command, and use them to execute arbitrary code that is not in a sandbox.
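As an added illustration (not Flatpak's own code), a Python model of the spawn path the advisory describes: the vulnerable shape merges the caller's environment into the host flatpak run process, while the hardened shape keeps that process's environment fixed and carries the caller's variables to the sandbox over a separate channel. The --env-fd argument, the host allowlist and the sample caller variables are assumptions for illustration, not taken from the advisory.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: variables a sandboxed app might pass in a portal Spawn call.
CALLER_ENV = {"APP_MODE": "renderer", "CALLER_SUPPLIED": "untrusted"}

# Assumption: the only portal-side variables the host launcher actually needs.
HOST_ALLOWLIST = ("PATH", "HOME", "XDG_RUNTIME_DIR", "DBUS_SESSION_BUS_ADDRESS")

_ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_valid_env_name(name: str) -> bool:
    """Reject names that could not be set as environment variables."""
    return bool(_ENV_NAME.match(name))


def serialize_env(env: Dict[str, str]) -> bytes:
    """NUL-separated KEY=VALUE block for delivery to the sandbox only."""
    out = bytearray()
    for key, value in env.items():
        if not is_valid_env_name(key) or "\0" in value:
            raise ValueError(f"refusing caller variable {key!r}")
        out += f"{key}={value}".encode() + b"\0"
    return bytes(out)


def vulnerable_launch(app_id: str, argv: List[str], caller_env: Dict[str, str],
                      host_env: Dict[str, str]) -> Tuple[List[str], Dict[str, str]]:
    """Vulnerable shape: caller variables end up in the host 'flatpak run' process."""
    env = dict(host_env)
    env.update(caller_env)  # the sandboxed caller now controls a host process environment
    return ["flatpak", "run", app_id, *argv], env


def hardened_launch(app_id: str, argv: List[str], caller_env: Dict[str, str],
                    host_env: Dict[str, str]) -> Tuple[List[str], Dict[str, str], bytes]:
    """Hardened shape: fixed host environment; caller variables travel on a separate fd."""
    env = {k: host_env[k] for k in HOST_ALLOWLIST if k in host_env}
    payload = serialize_env(caller_env)  # assumed to be written to fd 3 by the real launcher
    return ["flatpak", "run", "--env-fd=3", app_id, *argv], env, payload


def leaks_to_host(host_process_env: Dict[str, str], caller_env: Dict[str, str]) -> bool:
    """True if any caller-supplied variable reached the host process environment."""
    return any(k in host_process_env for k in caller_env)
```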

Workaround

This vulnerability can be mitigated by preventing the flatpak-portal service from starting, but that mitigation will prevent many Flatpak apps from working correctly.

Fixes

This is fixed in Flatpak 1.10.0 and 1.8.5 (commits 6d1773d, 6e5ae7a, aeb6a7a, cc14010, with automated test coverage added in 8212498, 39a5621, d19f6c3).

The initial fixes introduced a regression (#4080) for users of a setuid version of bubblewrap (bwrap). This is fixed in 1.10.1 (commits 9a61d2c and fb473ca, also backported to the flatpak-1.8.x branch).

Out of scope

The flatpak-session-helper service (org.freedesktop.Flatpak, as accessed by flatpak-spawn --host) is intended to give specially-flagged apps the ability to run arbitrary code on the host system, so it is not a vulnerability that it also trusts the environment variables it is given. Granting access to the org.freedesktop.Flatpak service indicates that an app is trusted and can legitimately execute arbitrary code outside the sandbox. For example, the GNOME Builder integrated development environment is flagged as trusted in this way.

Severity

High

CVE ID

CVE-2021-21261

Weaknesses

No CWEs

Credits