This bug was fixed in the package flatpak - 1.8.2-1ubuntu0.2
---------------
flatpak (1.8.2-1ubuntu0.2) groovy-security; urgency=medium
* SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file
(LP: #1918482)
- debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage in
desktop files.
- debian/patches/CVE-2021-21381-2.patch: dir: Reserve the whole @@
prefix.
- debian/patches/CVE-2021-21381-3.patch: dir: Refuse to export
.desktop files with suspicious uses.
- CVE-2021-21381
-- Andrew Hayzen <[email protected]> Wed, 10 Mar 2021 20:54:38 +0000
** Changed in: flatpak (Ubuntu Groovy)
Status: In Progress => Fix Released
** Changed in: flatpak (Ubuntu Focal)
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1918482
Title:
Update for CVE-2021-21381
Status in flatpak package in Ubuntu:
Fix Released
Status in flatpak source package in Bionic:
Fix Released
Status in flatpak source package in Focal:
Fix Released
Status in flatpak source package in Groovy:
Fix Released
Status in flatpak package in Debian:
Fix Released
Bug description:
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859
https://security-tracker.debian.org/tracker/CVE-2021-21381
[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2
Affected versions:
>= 0.9.4
Patched versions:
>= 1.10.2
[Test Case]
No test case has been mentioned yet, but in the patches there are
changes/additions to the unit tests.
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant
architectures and passes.
There is also a manual test plan:
https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak
Flatpak has autopkgtests enabled:
http://autopkgtest.ubuntu.com/packages/f/flatpak
Regression potential is low, and upstream is very responsive to any
issues raised.
[Other information]
Sandbox escape via special tokens in .desktop file (flatpak#4146)
Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature
which can be used by an attacker to gain access to files that would not
ordinarily be allowed by the app's permissions.
Impact
By putting the special tokens @@ and/or @@u in the Exec field of a
Flatpak app's .desktop file, a malicious app publisher can trick
flatpak into behaving as though the user had chosen to open a target
file with their Flatpak app, which automatically makes that file
available to the Flatpak app.
A minimal solution is the first commit "Disallow @@ and @@U usage in desktop
files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir:
Refuse to export .desktop files with suspicious uses of @@ tokens" are
recommended, but not strictly required.
Workarounds
Avoid installing Flatpak apps from untrusted sources, or check the contents
of the exported .desktop files in exports/share/applications/*.desktop
(typically ~/.local/share/flatpak/exports/share/applications/*.desktop and
/var/lib/flatpak/exports/share/applications/*.desktop) to make sure that
literal filenames do not follow @@ or @@u.
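A small checker that automates the inspection described in the workaround, added here as an example (it is not code from the advisory, from Flatpak, or from the Ubuntu package). It reads the Exec= value of each exported .desktop file and reports any argument inside an @@/@@u ... @@ span that is not a Desktop Entry field code. The premise that a flatpak-generated Exec line only carries field codes such as %f or %U between the tokens is my assumption, as are the constructed sample lines.

```python
import glob
import os
import shlex

# File-forwarding tokens named in the advisory: "@@" (files) or "@@u" (URIs)
# opens a forwarding span that the next "@@" closes.
OPEN_TOKENS = {"@@", "@@u"}
CLOSE_TOKEN = "@@"
# Assumption: a flatpak-generated Exec line puts only these Desktop Entry
# field codes (the files/URIs the user picked) inside a forwarding span.
FIELD_CODES = {"%f", "%F", "%u", "%U"}
EXPORT_DIRS = [
    os.path.expanduser("~/.local/share/flatpak/exports/share/applications"),
    "/var/lib/flatpak/exports/share/applications",
]
# Constructed samples: a benign export and one forwarding a literal path.
BENIGN_EXEC = "flatpak run --command=ed --file-forwarding org.example.Ed @@u %U @@"
SUSPICIOUS_EXEC = ("flatpak run --command=ed --file-forwarding org.example.Ed "
                   "@@ /home/user/private/notes.txt @@ %f")


def suspicious_forwarding(exec_value):
    """Literal arguments found inside an @@/@@u ... @@ span (empty = benign)."""
    findings, inside = [], False
    for arg in shlex.split(exec_value):
        if not inside:
            inside = arg in OPEN_TOKENS
        elif arg == CLOSE_TOKEN:
            inside = False
        elif arg not in FIELD_CODES:
            findings.append(arg)  # a literal file/URI the app would be handed
    return findings


def check_desktop_text(desktop_text):
    """Collect suspicious forwarded arguments from every Exec= key in a file."""
    return [hit for line in desktop_text.splitlines() if line.startswith("Exec=")
            for hit in suspicious_forwarding(line.split("=", 1)[1])]


def scan_export_dirs(dirs=EXPORT_DIRS):
    """Map each exported .desktop path to the literal arguments it forwards."""
    report = {}
    for path in (p for d in dirs for p in glob.glob(os.path.join(d, "*.desktop"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = check_desktop_text(fh.read())
        if hits:
            report[path] = hits
    return report
```

Run `scan_export_dirs()` on a host; any non-empty entry names an exported launcher whose forwarding span would hand the app a file the user never chose.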
References
Acknowledgements
Thanks to @AntonLydike for reporting this issue, and @refi64 for
providing the initial solution.