CVE-2021-21261

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-21261
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21261.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-21261
Published
2021-01-14T20:15:12Z
Modified
2025-10-14T17:59:32.573603Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
[none]
Details

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the flatpak-portal service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0.

The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself.

In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the flatpak run command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the flatpak run command, and use them to execute arbitrary code that is not in a sandbox.

As a workaround, this vulnerability can be mitigated by preventing the flatpak-portal service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0.

References

Affected packages

Git / github.com/flatpak/flatpak

Affected ranges

Type
GIT
Repo
https://github.com/flatpak/flatpak
Events

Affected versions

0.*

0.1
0.10.0
0.10.1
0.10.2
0.11.1
0.11.2
0.11.3
0.11.4
0.11.5
0.11.6
0.11.7
0.11.8
0.11.8.1
0.11.8.2
0.11.8.3
0.2
0.2.1
0.3
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.4.0
0.4.1
0.4.10
0.4.11
0.4.12
0.4.13
0.4.2
0.4.2.1
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.5.0
0.5.1
0.5.2
0.6.0
0.6.1
0.6.10
0.6.11
0.6.12
0.6.13
0.6.14
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.8.0
0.8.1
0.9.1
0.9.10
0.9.11
0.9.12
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.98
0.9.98.1
0.9.98.2
0.9.99
0.99.1
0.99.2
0.99.3

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.7.1
1.7.2
1.7.3
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.9.1
1.9.2
1.9.3

Database specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9
            },
            "target": {
                "file": "common/flatpak-bwrap.c"
            },
            "deprecated": false,
            "source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486",
            "signature_version": "v1",
            "id": "CVE-2021-21261-0548202b",
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9
            },
            "target": {
                "file": "common/flatpak-run.c"
            },
            "deprecated": false,
            "source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486",
            "signature_version": "v1",
            "id": "CVE-2021-21261-2cb9cfb5",
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1224.0,
                "function_hash": "116696172303620550801466906987719068366"
            },
            "target": {
                "file": "portal/flatpak-portal.c",
                "function": "child_setup_func"
            },
            "deprecated": false,
            "source": "https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4",
            "signature_version": "v1",
            "id": "CVE-2021-21261-33525b89",
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9
            },
            "target": {
                "file": "common/flatpak-context.c"
            },
            "deprecated": false,
            "source": "https://github.com/flatpak/flatpak/commit/6e5ae7a109cdfa9735ea7ccbd8cb79f9e8d3ae8b",
            "signature_version": "v1",
            "id": "CVE-2021-21261-4a832f75",
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 4242.0,
                "function_hash": "33047310530798657115268533786732258227"
            },
            "target": {
                "file": "common/flatpak-run.c",
                "function": "flatpak_run_add_environment_args"
            },
            "deprecated": false,
            "source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486",
            "signature_version": "v1",
            "id": "CVE-2021-21261-89757ad9",
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9
            },
            "target": {
                "file": "portal/flatpak-portal.c"
            },
            "deprecated": false,
            "source": "https://github.com/flatpak/flatpak/commit/cc1401043c075268ecc652eac557ef8076b5eaba",
            "signature_version": "v1",
            "id": "CVE-2021-21261-90336293",
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 15275.0,
                "function_hash": "13648073397090505178352368602612080075"
            },
            "target": {
                "file": "portal/flatpak-portal.c",
                "function": "handle_spawn"
            },
            "deprecated": false,
            "source": "https://github.com/flatpak/flatpak/commit/cc1401043c075268ecc652eac557ef8076b5eaba",
            "signature_version": "v1",
            "id": "CVE-2021-21261-c441fdeb",
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 10642.0,
                "function_hash": "121856444566269508847150148348225191560"
            },
            "target": {
                "file": "common/flatpak-run.c",
                "function": "flatpak_run_app"
            },
            "deprecated": false,
            "source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486",
            "signature_version": "v1",
            "id": "CVE-2021-21261-cc0442da",
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9
            },
            "target": {
                "file": "common/flatpak-bwrap-private.h"
            },
            "deprecated": false,
            "source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486",
            "signature_version": "v1",
            "id": "CVE-2021-21261-e4aba771",
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9
            },
            "target": {
                "file": "portal/flatpak-portal.c"
            },
            "deprecated": false,
            "source": "https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4",
            "signature_version": "v1",
            "id": "CVE-2021-21261-f081ded5",
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 14396.0,
                "function_hash": "138027983890393511308692566048484423621"
            },
            "target": {
                "file": "portal/flatpak-portal.c",
                "function": "handle_spawn"
            },
            "deprecated": false,
            "source": "https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4",
            "signature_version": "v1",
            "id": "CVE-2021-21261-f0f82716",
            "signature_type": "Function"
        }
    ]
}