CVSS score: 8.8
CWE: CWE-74

CVE-2021-21261: Flatpak sandbox escape via spawn portal

First published: Thu Jan 14 2021

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0.

The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself.

In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox.

As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0.
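The following is an added illustration of the bug class described above, written for this page and not taken from Flatpak's source: a broker that merges a sandboxed caller's environment into the environment of the host-side launcher process (the vulnerable pattern), beside a hardened variant that keeps the host process's environment fixed and hands the caller's variables over only as data for the new sandbox. The constructed environments, the `LD_PRELOAD` stand-in for "a variable the host process trusts", and the use of `flatpak run --env=VAR=VALUE` as the transport are assumptions of the example; the advisory does not name the variables its proof of concept relied on, and the example makes no claim about how Flatpak 1.8.5 itself restructured the launch.

```python
"""Added example (not Flatpak's own code): vulnerable versus hardened
forwarding of a sandboxed caller's environment variables by a host-side
spawn broker, the bug class behind CVE-2021-21261."""
from typing import Dict, List, Tuple

# Constructed baseline environment of the broker process on the host.
HOST_BASE_ENV = {"PATH": "/usr/bin:/bin", "HOME": "/home/user"}

# Constructed attacker-controlled environment sent over the spawn portal.
# LD_PRELOAD is an illustrative stand-in for any variable that the host
# launcher (or its dynamic loader) honours; it is an assumption of this
# example, not the variable used in the advisory's proof of concept.
CALLER_ENV = {"LD_PRELOAD": "/app/lib/evil.so", "FOO": "bar"}


def vulnerable_host_env(host_env: Dict[str, str],
                        caller_env: Dict[str, str]) -> Dict[str, str]:
    """Vulnerable pattern (simplified): the caller's variables are merged
    into the environment of the host process that launches the new sandbox,
    so that host process itself runs under attacker-chosen settings."""
    merged = dict(host_env)
    merged.update(caller_env)
    return merged


def is_valid_entry(name: str, value: str) -> bool:
    """A name containing '=' or NUL, or a value containing NUL, cannot be
    represented as a single NAME=VALUE argument or C environment entry;
    refuse such entries rather than silently mangling them."""
    return bool(name) and "=" not in name and "\0" not in name and "\0" not in value


def hardened_launch(host_env: Dict[str, str],
                    caller_env: Dict[str, str],
                    app_argv: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Hardened pattern: the host process keeps a fixed environment of its
    own, and the caller's variables travel only as data that the launcher
    applies inside the new sandbox (here as flatpak run's --env=VAR=VALUE
    arguments, a stand-in chosen for this example).

    Returns (argv, env), the two values one would pass to
    subprocess.run(argv, env=env) to launch the sandbox; nothing is
    executed here so the example runs offline."""
    for name, value in caller_env.items():
        if not is_valid_entry(name, value):
            raise ValueError(f"invalid environment entry: {name!r}")
    argv = ["flatpak", "run"]
    # Sorted for a deterministic command line; the variables only ever
    # reach the sandboxed child, never the host launcher's own environment.
    argv += [f"--env={n}={v}" for n, v in sorted(caller_env.items())]
    argv += list(app_argv)
    return argv, dict(host_env)


if __name__ == "__main__":
    leaked = vulnerable_host_env(HOST_BASE_ENV, CALLER_ENV)
    print("vulnerable: host launcher sees", sorted(leaked))
    argv, env = hardened_launch(HOST_BASE_ENV, CALLER_ENV, ["org.example.App"])
    print("hardened:   host launcher sees", sorted(env))
    print("hardened:   sandbox gets", argv)
```

The point of the split is that the caller already controls its own sandbox, so variables applied only inside the new (same-or-more-restrictive) sandbox give it nothing it did not have; the escape exists only while those variables are also applied to the unsandboxed launcher.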

Credit: security-advisories@github.com

Affected Software    Affected Version    How to fix
Flatpak              >=0.11.4, <1.8.5    upgrade to 1.8.5 or later
Flatpak              >=1.9.1, <1.10.0    upgrade to 1.10.0 or later
Debian Linux         =10.0               install a fixed debian/flatpak package (below)
debian/flatpak                           fixed packages: 1.2.5-0+deb10u4, 1.10.8-0+deb11u1, 1.10.7-0+deb11u1, 1.14.4-1, 1.14.4-2
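An added helper, written for this page rather than taken from the advisory, that applies the affected ranges in the table above to a version string such as the output of `flatpak --version`. It decides on the upstream version number only: a distribution package that backports the fix without changing the upstream version (Debian's 1.2.5-0+deb10u4, for instance, carries upstream 1.2.5) must instead be compared against the fixed package version listed for that distribution, for example with `dpkg --compare-versions`.

```python
"""Added helper (not from the advisory): does a Flatpak upstream version
fall inside the ranges affected by CVE-2021-21261?"""
import re
from typing import Tuple

# Affected ranges as [lower, upper) pairs, copied from the table above.
AFFECTED_RANGES = (
    ((0, 11, 4), (1, 8, 5)),
    ((1, 9, 1), (1, 10, 0)),
)
FIXED_VERSIONS = ("1.8.5", "1.10.0")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the leading dotted numeric version from strings such as
    'Flatpak 1.8.4' (output of `flatpak --version`) or '1.10.7-0+deb11u1'
    (a Debian package version). Everything after the numeric part, such as
    a Debian revision, is ignored: this is an upstream-version check only."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected(text: str) -> bool:
    """True when the upstream version is in a vulnerable range. Tuple
    comparison handles versions with fewer components, e.g. (1, 8) sorts
    before (1, 8, 5)."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def advice(text: str) -> str:
    """One-line verdict for a version string."""
    if is_affected(text):
        return f"{text.strip()} is affected; upgrade to one of {', '.join(FIXED_VERSIONS)} or later"
    return f"{text.strip()} is not in an affected range"


if __name__ == "__main__":
    # Constructed sample inputs; on a real system pipe in `flatpak --version`.
    for sample in ("Flatpak 1.8.4", "Flatpak 1.8.5", "1.9.3", "1.10.7-0+deb11u1"):
        print(advice(sample))
```

Versions below 0.11.4 are reported as not affected only because the table starts there; the advisory says nothing about older releases, so treat such installations as unsupported rather than safe.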


Frequently Asked Questions

  • What is CVE-2021-21261?

    CVE-2021-21261 is a vulnerability in the flatpak-portal service that allows sandboxed applications to execute arbitrary code on the host system.

  • How does CVE-2021-21261 affect Linux systems?

    CVE-2021-21261 affects Linux systems running a vulnerable version of the flatpak-portal service. A malicious or compromised Flatpak app can use the portal's spawn interface to set environment variables that the host-side `flatpak run` command trusts, and so execute arbitrary code outside any sandbox. The only workaround short of upgrading is to prevent `flatpak-portal` from starting, which breaks many Flatpak apps.

  • What is the severity of CVE-2021-21261?

    CVE-2021-21261 has a severity rating of 8.8 (high).

  • Which versions of Flatpak are affected by CVE-2021-21261?

    Flatpak versions from 0.11.4 up to but not including 1.8.5, and versions from 1.9.1 up to but not including 1.10.0, are affected by CVE-2021-21261. Versions 1.8.5 and 1.10.0 contain the fix.

  • How can I fix CVE-2021-21261?

    To fix CVE-2021-21261, upgrade Flatpak to 1.8.5 or later on the 1.8 branch, or to 1.10.0 or later. On Debian, install the fixed flatpak package for your release: 1.2.5-0+deb10u4 (Debian 10), 1.10.8-0+deb11u1 or 1.10.7-0+deb11u1 (Debian 11), or 1.14.4-1 / 1.14.4-2.
