*** This bug is a security vulnerability ***

Public security bug reported:

"A malicious or compromised Flatpak app using persistent directories could read and write files in locations it would not normally have access to, which is an attack on integrity and confidentiality."
—https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87

Fixed upstream in 1.14.10 and 1.15.10.

I'm reporting this here as a courtesy to Ubuntu, but the Flatpak team does not have the resources to prepare stable updates and SRUs for all distributions, so someone else will have to take over from here.

Please note that solving this CVE without race conditions requires a new bubblewrap (bwrap) feature. There are four possible approaches:

1. Update bubblewrap to 0.10.0, and give Flatpak a versioned dependency on it. This is what we did in Debian unstable and experimental, and in the Flatpak team's backports PPAs for noble and jammy:
   https://salsa.debian.org/debian/flatpak/-/commit/0b47cdbb10d5183239299dba27053055d8fa1ec0

2. Backport the --bind-fd feature to an older bubblewrap, and give Flatpak a suitable versioned dependency on it. This is what we did for Flatpak 1.14.10 in Debian 12 'bookworm':
   https://salsa.debian.org/debian/bubblewrap/-/commit/258ab8fb3a3faa54a811631d81fe43b9ca2d2936
   https://salsa.debian.org/debian/flatpak/-/commit/37a25fd50181e93f5329c8cfbec7f69dce406a63

3. Instead of using the bwrap package, build Flatpak with its vendored convenience copy (`--without-system-bubblewrap`), and if necessary backport the new feature into that (in the 1.14.10 upstream release, this was already done). This is what we did in the Flatpak team's backports PPAs for focal and bionic:
   https://github.com/flatpak/ppa-flatpak/commit/e22a18b1ba36c39515750bf1fcf99bf2206b7e0d

4. Only apply a partial solution (mitigation) for the CVE. If an instance of a malicious or compromised app runs in parallel with a second instance being started, it can attempt to exploit a race condition to give the second instance access to files outside the sandbox (probably difficult to achieve in practice, but I'm not an exploit developer, and maybe there is a trick that can make the timing easier).

** Affects: flatpak (Ubuntu)
   Importance: Undecided
   Status: New

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/2077087
Title: CVE-2024-42472: Access to files outside sandbox for apps using persistent= (--persist)
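As an added check, not part of the bug report or of Flatpak's own tooling, the following POSIX shell script tests installed bubblewrap and Flatpak versions against the fixed versions named above. The function names, and the assumption that `bwrap --help` lists --bind-fd when a backported or vendored bwrap supports it, are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: checks whether installed bubblewrap
# and Flatpak reach the versions the report names as fixed (bwrap 0.10.0,
# Flatpak 1.14.10 / 1.15.10). Function names are this example's own. A
# backported --bind-fd (approach 2) or vendored bwrap (approach 3) leaves the
# version number unchanged, so the live check also greps `bwrap --help` for
# --bind-fd (assumed to be listed there).

# version_ge A B: succeed if dotted numeric version A >= B.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}; x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# The 1.14.x and 1.15.x branches were fixed separately: 1.14.10 is fixed
# while 1.15.9 is not, even though 1.15.9 sorts after 1.14.10.
flatpak_fixed() {
    if version_ge "$1" 1.15.0; then version_ge "$1" 1.15.10
    else version_ge "$1" 1.14.10; fi
}

# bubblewrap 0.10.0 is the first release with --bind-fd.
bwrap_fixed() { version_ge "$1" 0.10.0; }

# Live check; strips a Debian revision ("0.9.0-2ubuntu1" -> "0.9.0").
check_system() {
    rc=0
    if command -v bwrap >/dev/null 2>&1; then
        v=$(bwrap --version | awk '{print $NF}'); v=${v%%-*}
        if bwrap_fixed "$v" || bwrap --help 2>&1 | grep -q -- '--bind-fd'; then
            echo "bwrap $v: --bind-fd available"
        else echo "bwrap $v: no --bind-fd (see approaches 1-3)"; rc=1; fi
    fi
    if command -v flatpak >/dev/null 2>&1; then
        v=$(flatpak --version | awk '{print $NF}'); v=${v%%-*}
        if flatpak_fixed "$v"; then echo "flatpak $v: fixed upstream"
        else echo "flatpak $v: predates the fix"; rc=1; fi
    fi
    return $rc
}

case ${1:-} in --check) check_system ;; esac
```

Run with `--check` to inspect the local system; the script exits non-zero if either component predates the fix.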
