CVSS score: 8.2 | CWE-74

CVE-2021-21381: Sandbox escape via special tokens in .desktop file

First published: Thu Mar 11 2021

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Flatpak since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick Flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit "`Disallow @@ and @@U usage in desktop files`". The follow-up commits "`dir: Reserve the whole @@ prefix`" and "`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.
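
A check for the workaround above, added here as an example and not Flatpak's own code: it scans the exported .desktop files for Exec= lines in which a literal argument (anything other than a %f/%F/%u/%U field code) sits between the @@ or @@u token and the closing @@, or in which some other token carries the reserved @@ prefix. The directory paths are the ones named in the advisory; the sample entries are constructed.

```python
import glob
import os
import shlex

# Export directories named in the advisory
EXPORT_DIRS = [
    os.path.expanduser("~/.local/share/flatpak/exports/share/applications"),
    "/var/lib/flatpak/exports/share/applications",
]
# Only desktop-entry field codes (replaced by the launcher with user-chosen
# files) legitimately belong inside a @@/@@u ... @@ forwarding span
FIELD_CODES = {"%f", "%F", "%u", "%U"}

def suspicious_exec_args(exec_value: str) -> list[str]:
    """Literal arguments inside @@/@@u ... @@ spans of an Exec= value, plus any
    token that merely starts with the reserved @@ prefix."""
    findings, inside = [], False
    for tok in shlex.split(exec_value):
        if tok == "@@":              # opens a span, or closes an open one
            inside = not inside
        elif tok == "@@u":           # opens a URI-forwarding span
            inside = True
        elif tok.startswith("@@"):   # any other use of the reserved prefix
            findings.append(tok)
        elif inside and tok not in FIELD_CODES:
            findings.append(tok)     # literal filename inside the span
    return findings

def scan_desktop_file(contents: str) -> list[str]:
    """Check every Exec= key in a .desktop file's text."""
    findings = []
    for line in contents.splitlines():
        if line.startswith("Exec="):
            findings.extend(suspicious_exec_args(line[len("Exec="):]))
    return findings

def scan_export_dirs(dirs=EXPORT_DIRS) -> dict[str, list[str]]:
    """Map each exported .desktop file with findings to its flagged arguments."""
    results = {}
    for d in dirs:
        for path in glob.glob(os.path.join(d, "*.desktop")):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_desktop_file(fh.read())
            if hits:
                results[path] = hits
    return results

# Constructed sample entries (not real exported files)
BENIGN = "[Desktop Entry]\nExec=flatpak run --file-forwarding org.example.Editor @@u %U @@\n"
SUSPECT = "[Desktop Entry]\nExec=flatpak run --file-forwarding org.example.App @@ /home/user/Documents/private.txt @@ %f\n"
```

Calling scan_export_dirs() on a host lists the flagged files; an empty result means every exported Exec line forwards only launcher-supplied field codes.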

Credit: security-advisories@github.com

Affected Software     | Affected Version   | How to fix
----------------------|--------------------|-------------------------------------------------------------------------
Flatpak Flatpak       | >=0.9.4 <1.10.2    |
Debian Debian Linux   | =10.0              |
Fedoraproject Fedora  | =33                |
Fedoraproject Fedora  | =34                |
debian/flatpak        |                    | 1.2.5-0+deb10u4, 1.10.8-0+deb11u1, 1.10.7-0+deb11u1, 1.14.4-1, 1.14.5-1


Frequently Asked Questions

  • What is CVE-2021-21381?

    CVE-2021-21381 is a vulnerability in Flatpak, a system for building, distributing, and running sandboxed desktop applications on Linux.

  • What is the severity of CVE-2021-21381?

    The severity of CVE-2021-21381 is high with a CVSS score of 8.2.

  • How does CVE-2021-21381 affect Flatpak?

    CVE-2021-21381 affects Flatpak versions from 0.9.4 up to, but not including, 1.10.2, allowing an attacker to gain access to files that would not ordinarily be accessible.

  • Which operating systems are affected by CVE-2021-21381?

    CVE-2021-21381 affects Debian Linux 10.0, Fedora 33, and Fedora 34.

  • How do I fix CVE-2021-21381?

    To fix CVE-2021-21381, upgrade Flatpak to version 1.2.5-0+deb10u4 or higher for Debian, version 1.10.8-0+deb11u1 or higher for Debian 11, or version 1.14.4-1 or higher for Fedora.

© 2024 SecAlerts Pty Ltd.