Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 up to, but not including, the fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and to give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "187884336905612395231330406807632357540", "119966363514582499525315861909166376099", "46012603303833455347858473125643287427", "151763468982046354621867926977057407996", "147841209049247011411836960548228474009", "210586123448264467490491665920891689504" ] }, "target": { "file": "common/flatpak-bwrap.c" }, "deprecated": false, "source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486", "signature_version": "v1", "id": "CVE-2021-21261-0548202b", "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "168417353790797368165839907690445508493", "327012681670393743305787150072641325411", "23688458601150324176395771316217294730", "49729934599472863566897555018543408450", "9450908212238931453333786533088716078", "184028996534785543118806081166217184330", "141419741360300883951586041005272492896", "206249337290032327518896842942263903489", "90318883290108511492839356082770308365", "12932935097118578644062154051992084777", "144774528113192030728296602362033592877", "79201547501775564610540632545667244027", "268846712764991704531477048056715863846", "278171116430610011995476595605264549622", "198046183515048329716552688201140766062", "186874874185981287271469462079034122186", "256515148011437925207635412414066159130", "3346186902999804577361326057752316291", "254409286826292135473128319948286163718", "141533511151258764870094348930568640143", "259454807294067507133633282981503554384", "191389743288879362348653886153241129053", "194637151052508142939035967020326419871", "205972780634195676094809405714121723252", "23392054317266148780655332786943982622", "34547951232220976726414035075532117100" ] }, "target": { "file": "common/flatpak-run.c" }, "deprecated": false, "source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486", "signature_version": "v1", "id": "CVE-2021-21261-2cb9cfb5", "signature_type": "Line" }, { 
"digest": { "length": 1224.0, "function_hash": "116696172303620550801466906987719068366" }, "target": { "file": "portal/flatpak-portal.c", "function": "child_setup_func" }, "deprecated": false, "source": "https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4", "signature_version": "v1", "id": "CVE-2021-21261-33525b89", "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "181467856496703161714286787676753514560", "262003444876501901294604323868568402193", "150489235987664807730600990675707141516", "308914679741222343840220446431887347020", "22914194553643468080754179086792170796", "294736744238137854585260502181037366798", "257931896619599938072240305823517035948" ] }, "target": { "file": "common/flatpak-context.c" }, "deprecated": false, "source": "https://github.com/flatpak/flatpak/commit/6e5ae7a109cdfa9735ea7ccbd8cb79f9e8d3ae8b", "signature_version": "v1", "id": "CVE-2021-21261-4a832f75", "signature_type": "Line" }, { "digest": { "length": 4242.0, "function_hash": "33047310530798657115268533786732258227" }, "target": { "file": "common/flatpak-run.c", "function": "flatpak_run_add_environment_args" }, "deprecated": false, "source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486", "signature_version": "v1", "id": "CVE-2021-21261-89757ad9", "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "271845509910812711137384046118951455179", "102416855131910788437706480729441538709", "51213083205691676287204730805029338261", "88873101976548655118981504411646758366", "276629679408525911711405358044738720536", "295864476410362513706402887219810128860", "187672123155510881918023627336945040586" ] }, "target": { "file": "portal/flatpak-portal.c" }, "deprecated": false, "source": "https://github.com/flatpak/flatpak/commit/cc1401043c075268ecc652eac557ef8076b5eaba", "signature_version": "v1", "id": "CVE-2021-21261-90336293", "signature_type": "Line" }, { 
"digest": { "length": 15275.0, "function_hash": "13648073397090505178352368602612080075" }, "target": { "file": "portal/flatpak-portal.c", "function": "handle_spawn" }, "deprecated": false, "source": "https://github.com/flatpak/flatpak/commit/cc1401043c075268ecc652eac557ef8076b5eaba", "signature_version": "v1", "id": "CVE-2021-21261-c441fdeb", "signature_type": "Function" }, { "digest": { "length": 10642.0, "function_hash": "121856444566269508847150148348225191560" }, "target": { "file": "common/flatpak-run.c", "function": "flatpak_run_app" }, "deprecated": false, "source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486", "signature_version": "v1", "id": "CVE-2021-21261-cc0442da", "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "186753914006100194516954110745550884424", "12753299659279139043630104728458776064", "269889525867134572535695503617087983501", "208208283627142296061927458336690996509", "180501221704741290327491119284995032025", "176111972974236863265595961229486818247", "96681180801602239017311502751839799173", "198705453584377096480089798889685337457" ] }, "target": { "file": "common/flatpak-bwrap-private.h" }, "deprecated": false, "source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486", "signature_version": "v1", "id": "CVE-2021-21261-e4aba771", "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "250583380488175601669317137946174719794", "311312556761816106744451561827799888308", "296511374797103482356447941591751752716", "163819300700743363828332066461507542872", "256646176672544301483717845513293989867", "283066343764066525662795773450547192544", "307830766081670044218645905522083376346", "314613757453546637160749133659371754136", "33477874074197511545467797114432888206", "217867266162192291486524756726822760936", "40016216926295346927460055704050908419", "202058260553356883764319272044505786272", 
"232829783943157726400537389676411531144", "142269808049044781331577504304469511031", "228461531246778135043747909129711248394", "158813393187993092148429072759724546882" ] }, "target": { "file": "portal/flatpak-portal.c" }, "deprecated": false, "source": "https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4", "signature_version": "v1", "id": "CVE-2021-21261-f081ded5", "signature_type": "Line" }, { "digest": { "length": 14396.0, "function_hash": "138027983890393511308692566048484423621" }, "target": { "file": "portal/flatpak-portal.c", "function": "handle_spawn" }, "deprecated": false, "source": "https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4", "signature_version": "v1", "id": "CVE-2021-21261-f0f82716", "signature_type": "Function" } ] }