oss-sec mailing list archives
CVE-2017-9780: Flatpak: privilege escalation via setuid/world-writable file permissions
From: Simon McVittie <smcv () debian org>
Date: Thu, 22 Jun 2017 22:01:10 +0100
Impact: privilege escalation Attack range: local Vulnerable: all versions < 0.8.7, 0.9.x < 0.9.6 Fixed in: 0.8.x >= 0.8.7, all versions >= 0.9.6 Reference: https://github.com/flatpak/flatpak/issues/845 Flatpak is a desktop application distribution framework for Linux. Colin Walters discovered a security vulnerability in versions of Flatpak prior to 0.8.7. A third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. Older Flatpak versions would deploy the files with those permissions, which would let a local attacker run the setuid executable (escalating their privileges) or write to the world-writable location. In the case of the system helper used when an app is installed system-wide, files deployed as part of the app are owned by root, so in the worst case the app repository could arrange for a setuid root executable to be present. There are several mitigations: * The sandboxed apps installed by Flatpak are run with PR_SET_NO_NEW_PRIVS, so the Flatpak app itself cannot escalate privileges via setuid. * The attacker making use of these inappropriate permissions to escalate privileges must be local. * If you are using Flatpak to install apps from a third-party vendor, then there is already a trust relationship: the app is sandboxed, but the third-party vendor chooses what parameters are used for the sandbox. * The default polkit policies will not allow apps to be installed system-wide unless a privileged (root-equivalent) user has added the third-party app repository, which indicates that the privileged user trusts the operator of that repository. This vulnerability is tracked as <https://github.com/flatpak/flatpak/issues/845>, and as CVE-2017-9780. In the 0.8.x stable branch this vulnerability was fixed in version 0.8.7. In the 0.9.x development branch this vulnerability was fixed in version 0.9.6. Regards, S -- Simon McVittie Collabora Ltd. / Debian
Current thread:
- CVE-2017-9780: Flatpak: privilege escalation via setuid/world-writable file permissions Simon McVittie (Jun 22)
- Re: CVE-2017-9780: Flatpak: privilege escalation via setuid/world-writable file permissions Florian Weimer (Jun 22)
- Re: CVE-2017-9780: Flatpak: privilege escalation via setuid/world-writable file permissions Simon McVittie (Jun 23)
- Re: CVE-2017-9780: Flatpak: privilege escalation via setuid/world-writable file permissions Florian Weimer (Jun 22)