Flatpak Vulnerability Enables Bypassing of Sandbox Isolation

A vulnerability (CVE-2024-32462) has been identified in Flatpak, the toolkit for building self-contained application packages that are not tied to a specific Linux distribution and run isolated from the rest of the system. The vulnerability allows a malicious or compromised application shipped in a flatpak package to bypass the sandbox isolation and gain access to files on the host system. The problem only affects packages that use Freedesktop portals (xdg-desktop-portal), the mechanism through which isolated applications are given access to resources of the user environment. The vulnerability is fixed in the corrective releases flatpak 1.15.8, 1.14.6, 1.12.9 and 1.10.9. A security workaround is also provided in xdg-desktop-portal releases 1.16.1 and 1.18.4.

Because of the vulnerability, an application running in the sandbox can use the xdg-desktop-portal interface to create a “.desktop” file containing a command that launches the application through flatpak in a way that grants access to files on the host system. The escape from the isolated environment is achieved by manipulating the “--command” parameter, which is used to pass the name of the program inside the flatpak package that is to be launched in the sandbox. To set up the sandboxed environment, flatpak invokes the bwrap utility and passes it the specified program name. For example, to run the ls utility in the isolated environment of a package, one can use the construction “flatpak run --command=ls org.gnome.gedit”, which results in the launch of “bwrap ‹isolation_parameters› ls”.


The essence of the vulnerability is that if the program name begins with the characters “--”, the bwrap utility interprets it as one of its own options. For example, running “flatpak run --command=--bind org.gnome.gedit / /host ls -l /host” executes “bwrap ‹isolation_options› --bind / /host ls -l /host”, i.e. the name “--bind” is treated not as the name of the application to be launched but as a bwrap option.

The vulnerability is aggravated by the fact that the D-Bus interface “org.freedesktop.portal.Background.RequestBackground” allows an application from a Flatpak package to specify any command to be executed via “flatpak run --command”, including commands starting with the characters “--”. It was assumed that accepting arbitrary commands was not dangerous, since they would be executed inside the package's isolated environment. What was not taken into account is that commands starting with “--” are processed as options for the bwrap utility. As a result, the xdg-desktop-portal interface can be used to create a “.desktop” file whose command exploits the vulnerability.
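The two defensive measures that follow from this description are (a) never letting an attacker-controlled program name reach a getopt-style command line in option position, and (b) having a way to audit generated “.desktop” files for the pattern. The following Python script is an added example and is not code from Flatpak, bubblewrap or xdg-desktop-portal. It models the argv construction described above (“bwrap ‹isolation_parameters› ‹command›”) with a small builder, shows the vulnerable form beside a hardened form that rejects names beginning with “-” and terminates the option list, and includes a simple audit over Exec= lines. The isolation parameters, the sample .desktop content and the assumption that the launcher honours a POSIX “--” end-of-options marker are all constructed for the example and are not claims about a specific bwrap version or about how the upstream fix was implemented.

```python
"""Defensive illustration of the option-injection pattern behind CVE-2024-32462.

Added example, not Flatpak's, bubblewrap's or xdg-desktop-portal's own code.
It models "bwrap <isolation_parameters> <command>" with a Python list builder,
shows why a command name beginning with "-" lands in option position, and
demonstrates two mitigations: rejecting such names before they reach the
launcher, and (assumption: the launcher honours the POSIX "--" end-of-options
marker) terminating the option list explicitly. It also audits .desktop Exec=
lines, since the article says the malicious command is delivered that way.
"""
import os
import re
import shlex
from typing import List

# Constructed stand-in for the isolation parameters flatpak passes to bwrap.
ISOLATION_PARAMETERS = ["--unshare-all", "--ro-bind", "/usr", "/usr"]


def build_bwrap_argv_unsafe(command: str, args: List[str]) -> List[str]:
    """Vulnerable pattern described in the article: the command is appended
    directly after the options, so a name like "--bind" is indistinguishable
    from a bwrap option."""
    return ["bwrap", *ISOLATION_PARAMETERS, command, *args]


def validate_command(command: str) -> str:
    """Reject command names that a getopt-style parser would take as options.
    Raises ValueError instead of silently rewriting the name."""
    if not command:
        raise ValueError("empty command name")
    if command.startswith("-"):
        raise ValueError(f"command name {command!r} looks like an option")
    return command


def build_bwrap_argv_hardened(command: str, args: List[str]) -> List[str]:
    """Hardened builder: validate the name, then insert "--" so everything
    after it is positional. The "--" separator is an assumption about the
    launcher's parser, not a statement about a specific bwrap version."""
    return ["bwrap", *ISOLATION_PARAMETERS, "--", validate_command(command), *args]


# Audit: Exec= lines that run "flatpak run" with a --command value starting
# with "-". Handles both "--command=VALUE" and "--command VALUE" spellings.
_EXEC_RE = re.compile(r"^Exec=(.*)$", re.MULTILINE)


def suspicious_command_values(desktop_file_text: str) -> List[str]:
    """Return --command values in a .desktop file's Exec lines that begin
    with "-". Hits merit review; an empty list means nothing matched."""
    hits: List[str] = []
    for m in _EXEC_RE.finditer(desktop_file_text):
        try:
            argv = shlex.split(m.group(1))
        except ValueError:
            continue  # unbalanced quoting: skip rather than guess
        if len(argv) < 2 or os.path.basename(argv[0]) != "flatpak" or argv[1] != "run":
            continue
        i = 2
        while i < len(argv):
            tok = argv[i]
            value = None
            if tok.startswith("--command="):
                value = tok[len("--command="):]
            elif tok == "--command" and i + 1 < len(argv):
                value = argv[i + 1]
                i += 1
            if value is not None and value.startswith("-"):
                hits.append(value)
            i += 1
    return hits


# Constructed sample: one benign Exec line and one carrying the pattern the
# article describes (flatpak run --command=--bind ...).
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Editor
Exec=flatpak run --command=gedit org.gnome.gedit %U

[Desktop Action autostart]
Exec=flatpak run --command=--bind org.gnome.gedit / /host ls -l /host
"""

if __name__ == "__main__":
    print(build_bwrap_argv_unsafe("--bind", ["/", "/host", "ls", "-l", "/host"]))
    print(build_bwrap_argv_hardened("ls", ["-l"]))
    print(suspicious_command_values(SAMPLE_DESKTOP))
```

Running the script prints the unsafe argv with “--bind” sitting where bwrap expects an option, the hardened argv with “--” separating options from the program name, and the single suspicious value found in the constructed sample. The audit function is deliberately narrow: it reports only the specific shape this article describes, so it produces no hits on ordinary “flatpak run --command=‹program›” entries.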
