Gergo Koteles discovered a sandbox escape when using Flatpak in conjunction with xdg-desktop-portal.
Impact
A malicious or compromised Flatpak app could execute arbitrary code outside its sandbox.
Description
Normally, the --command argument of flatpak run expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. For example:
flatpak run --command=ls org.gnome.gedit
The original implementation of this was subject to CWE-88 (argument injection): in Flatpak versions that have this vulnerability, it is possible to pass a long option name to --command=, such as --bind, and it will be misinterpreted as a bwrap option. For example, one may run
flatpak run --command=--bind org.gnome.gedit / /host ls -l /host
which will run:
bwrap ...lots of stuff... --bind / /host ls -l /host
It is possible to pass an arbitrary commandline to the portal interface org.freedesktop.portal.Background.RequestBackground from within a Flatpak app. Normally this is safe, because it can only specify a command that exists inside the sandbox; but when a crafted commandline is converted into a --command and arguments, the app could achieve the same effect as passing arguments directly to bwrap, and therefore achieve sandbox escape.
The solution is for Flatpak to pass the -- argument to bwrap, which makes it stop processing options, before appending the attacker-specified command. The -- argument has been supported since bubblewrap 0.3.0, and all supported versions of Flatpak already require at least that version of bubblewrap.
A mitigation is that xdg-desktop-portal versions 1.18.4 and 1.16.1 no longer allow Flatpak apps to create new .desktop files for commands whose name starts with -.
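The following is an added illustration, not code from Flatpak, bubblewrap or xdg-desktop-portal. It models a getopt-style option parser walking the bwrap command line, so that the difference between appending the user-supplied command directly (the CWE-88 defect) and preceding it with -- (the fix) can be seen on the crafted --bind example from the advisory. The option table BWRAP_OPTIONS, the SANDBOX_SETUP list, and all function names are constructed for this example; the real bwrap option set and the real flatpak run command line are much larger. The portal_accepts_command function models the xdg-desktop-portal 1.18.4 / 1.16.1 mitigation of refusing commands that start with -.

```python
"""Model of Flatpak's bwrap argument construction before and after the fix.

Added example; it does not execute anything, it only builds and parses argv.
"""
from typing import List, Tuple

# Constructed subset of bwrap long options mapped to their operand count.
BWRAP_OPTIONS = {
    "--bind": 2,            # --bind SRC DEST
    "--ro-bind": 2,         # --ro-bind SRC DEST
    "--unshare-all": 0,
    "--die-with-parent": 0,
}

# Constructed stand-in for the "...lots of stuff..." flatpak run normally
# passes to bwrap before the command.
SANDBOX_SETUP = ["--unshare-all", "--die-with-parent", "--ro-bind", "/usr", "/usr"]


def build_bwrap_argv(command: str, args: List[str], terminate_options: bool) -> List[str]:
    """Assemble the bwrap argv the way flatpak run does.

    terminate_options=False models the vulnerable behaviour: the command from
    --command= is appended straight after bwrap's own options.
    terminate_options=True models the fix: "--" is emitted first, so bwrap
    stops option processing and treats everything after it as the command.
    """
    argv = ["bwrap", *SANDBOX_SETUP]
    if terminate_options:
        argv.append("--")
    argv.append(command)
    argv.extend(args)
    return argv


def parse_like_bwrap(argv: List[str]) -> Tuple[List[List[str]], List[str]]:
    """Walk argv like a getopt-style parser would.

    Returns (options_consumed, command): each consumed option is recorded
    together with its operands. Parsing stops at "--" (which is dropped) or at
    the first token that is not a recognised option; the remainder is the
    command that bwrap would exec inside the sandbox.
    """
    options: List[List[str]] = []
    i = 1  # skip argv[0]
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            i += 1
            break
        if tok in BWRAP_OPTIONS:
            n = BWRAP_OPTIONS[tok]
            options.append(argv[i:i + 1 + n])
            i += 1 + n
            continue
        if tok.startswith("-"):
            raise ValueError(f"unknown option {tok!r}")
        break
    return options, argv[i:]


def portal_accepts_command(commandline: List[str]) -> bool:
    """Model of the xdg-desktop-portal mitigation: refuse to create a .desktop
    file (and so a flatpak run --command=... launch) when the command itself
    starts with '-'."""
    return bool(commandline) and not commandline[0].startswith("-")


if __name__ == "__main__":
    crafted_command, crafted_args = "--bind", ["/", "/host", "ls", "-l", "/host"]
    for fixed in (False, True):
        argv = build_bwrap_argv(crafted_command, crafted_args, terminate_options=fixed)
        opts, cmd = parse_like_bwrap(argv)
        print("fixed   " if fixed else "vulnerable", "options:", opts, "command:", cmd)
    print("portal accepts crafted command:",
          portal_accepts_command([crafted_command, *crafted_args]))
```

Without the terminator, --bind / /host is consumed as a bwrap option and ls -l /host becomes the sandboxed command; with --, the whole crafted string is treated as the command (which then simply fails to exec, since no program named --bind exists), and bwrap's mount table is untouched.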
Patches
For the supported stable branches, this is fixed in 1.10.x ≥ 1.10.9, 1.12.x ≥ 1.12.9, 1.14.x ≥ 1.14.6.
For the development branch, this is fixed in version 1.15.8. As a reminder, all branches of the form 1.odd.x are development versions which do not have ongoing support.
If long-term support distributions want to backport the fix to older versions, the changes that were made in 1.10.x are likely to be the closest match. In very old versions, it might be necessary to either upgrade bubblewrap, or use env instead of --.
Workarounds
xdg-desktop-portal versions 1.18.4 and 1.16.1 mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with -.