oss-sec mailing list archives
CVE-2021-21261: Flatpak sandbox escape via spawn portal (aka GHSA-4ppf-fxf6-vxg2)
From: Simon McVittie <smcv () debian org>
Date: Thu, 21 Jan 2021 19:13:13 +0000
Affected versions: flatpak >= 0.11.4 Fixed versions: flatpak >= 1.10.0, and 1.8.x >= 1.8.5 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. I discovered a bug in the flatpak-portal service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This is fixed in 1.10.0 and 1.8.5. The initial fixed versions introduced a regression for users of 'flatpak build' on systems where a setuid version of bubblewrap (bwrap) is required. Version 1.10.1 additionally resolves the regression. The regression fix has been backported to the flatpak-1.8.x branch but is not currently in any 1.8.x release. More details: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
Current thread:
- CVE-2021-21261: Flatpak sandbox escape via spawn portal (aka GHSA-4ppf-fxf6-vxg2) Simon McVittie (Jan 21)