CVE-2021-43860

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-43860
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43860.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-43860
Published
2022-01-12T22:15:07Z
Modified
2025-10-14T18:55:36.545105Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H — local attack vector, low complexity, no privileges required, user interaction required (the user must install or update the malicious Flatpak); scope is "changed" because the app obtains runtime permissions beyond the sandbox boundary the user consented to, with high confidentiality, integrity and availability impact.
Summary
[none]
Details

Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak does not properly validate that the permissions displayed to the user at install time match the permissions actually granted to the app at runtime when the app's metadata file contains a null byte. As a result, apps can grant themselves permissions without the user's consent. At install time, Flatpak shows permissions to the user by reading them from the "xa.metadata" key in the commit metadata. Because that key is a string inside a GVariant that Flatpak treats as untrusted input, it cannot contain an embedded null byte. Flatpak then compares those displayed permissions against the app's actual "metadata" file to ensure it was not lied to. However, the contents of the metadata file are loaded in several places as plain NUL-terminated C strings, so if the file contains a null byte, only the portion before it is compared against xa.metadata, while the full file is still used at runtime. Any permissions that appear after the null byte are therefore applied at runtime but never shown to the user, and a maliciously crafted app can give itself hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk if a Flatpak carries a maliciously crafted metadata file, either in its initial install or in a later update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually audit the permissions of installed apps by inspecting the deployed metadata file in full (including any content after a null byte) and comparing it with the xa.metadata key in the commit metadata. Note that xa.metadata is exactly the value that was displayed at install time, so checking it alone does not reveal permissions hidden after a null byte; any mismatch between the two, or an embedded null byte in the metadata file, should be treated as a sign of tampering.

References

Affected packages

Git / github.com/flatpak/flatpak

Affected versions

0.*

0.1
0.10.0
0.10.1
0.10.2
0.11.1
0.11.2
0.11.3
0.11.4
0.11.5
0.11.6
0.11.7
0.11.8
0.11.8.1
0.11.8.2
0.11.8.3
0.2
0.2.1
0.3
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.4.0
0.4.1
0.4.10
0.4.11
0.4.12
0.4.13
0.4.2
0.4.2.1
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.5.0
0.5.1
0.5.2
0.6.0
0.6.1
0.6.10
0.6.11
0.6.12
0.6.13
0.6.14
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.8.0
0.8.1
0.9.1
0.9.10
0.9.11
0.9.12
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.98
0.9.98.1
0.9.98.2
0.9.99
0.99.1
0.99.2
0.99.3

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.1.0
1.1.1
1.1.2
1.1.3
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.10.5
1.11.1
1.11.2
1.11.3
1.12.0
1.12.1
1.12.2
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.7.1
1.7.2
1.7.3
1.8.0
1.9.1
1.9.2
1.9.3

Database specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 1013.0,
                "function_hash": "72166912600114214266076760149189219172"
            },
            "target": {
                "function": "resolve_op_from_commit",
                "file": "common/flatpak-transaction.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-36468008"
        },
        {
            "digest": {
                "length": 2046.0,
                "function_hash": "339737247405246731989476675945704742036"
            },
            "target": {
                "function": "upgrade_deploy_data",
                "file": "common/flatpak-dir.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-3eb1334a"
        },
        {
            "digest": {
                "length": 3261.0,
                "function_hash": "108157274676217845558974616427300781636"
            },
            "target": {
                "function": "flatpak_dir_pull",
                "file": "common/flatpak-dir.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-5594e418"
        },
        {
            "digest": {
                "length": 1185.0,
                "function_hash": "142872958903960001710705119440647793968"
            },
            "target": {
                "function": "mark_op_resolved",
                "file": "common/flatpak-transaction.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-5b7ace36"
        },
        {
            "digest": {
                "length": 588.0,
                "function_hash": "201869370587402139055417088224536499509"
            },
            "target": {
                "function": "validate_commit_metadata",
                "file": "common/flatpak-dir.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-5ca9d5b1"
        },
        {
            "digest": {
                "line_hashes": [
                    "113906060814615388250958943980426724459",
                    "176940875076191891269846162397044897961",
                    "2850567047899330314015378116175590207",
                    "101180647974771639536099394259175212427",
                    "289709447313296564554677975858121294327",
                    "231731912727897892085635547454843088114",
                    "291834660848745439830088635366627079967",
                    "218792257955215717086817293712330694505",
                    "60279110464370607946918913336977017899",
                    "317668202017520570742558513134732992724",
                    "150870807653931058537814641782374260902",
                    "265402850110289985844196242841832435522",
                    "217126854792704372889979877386226921706",
                    "334484318941778813222511243406795808752",
                    "141080186632941684667378085511060069913",
                    "187771840317557026038908382312344157842",
                    "313900450927211279900662706492698418908",
                    "268023618968753751289512861849931802853",
                    "101827564124797451647439813651155862909",
                    "50756745178298175683455892556951269265",
                    "16573105038800407010960711323116759938",
                    "321009502898708228700944344729869858615",
                    "112722907110318564105701046942059025842",
                    "150248590608283089730688085096838475848",
                    "213178837288014714223647895324175427962",
                    "227107901386578860573420462951371465789",
                    "328965565139110626740864294014787063214",
                    "273851668236455340667705458997159668507",
                    "23137554467035870665872908200354444307",
                    "272609309585095650454685528630767879074",
                    "142994434065710059772785345327213480302",
                    "232616095289602701867115145264683808488",
                    "117356317841148710037848821460628760498",
                    "131955345433866921287030309753766818115",
                    "179598129764717015350400042085013782316",
                    "339414202889473142307643944975954104012",
                    "52242946207213376658111699111451374055",
                    "256868658528190592680678777579149544645",
                    "87580117319930201975028396264494435387",
                    "269195271688570305048597750441994356452",
                    "86535097828903668676602669554643088636",
                    "192921292416269012823533753150471277556",
                    "4069462766814140087117412744185563641",
                    "85925118605704720585472579221782045763",
                    "335967016865171630593054352403198006774",
                    "25112074829882955399624709390192926083",
                    "203687230538998254504502339858857912271",
                    "212747165822216459556939592738193073382",
                    "108859695548172462225321819005856048581",
                    "234821476795901049204871870418586295291",
                    "304084885100800463084071990348038840487",
                    "66078822036470659144230149710285604275",
                    "121850760267769933114757163291369770783",
                    "135488234881649149468753675604121177069",
                    "259522684114347344518950359396904737198",
                    "320705484119821672307187881127568028546",
                    "35039739573046115916370192168006445900",
                    "329366806494639514928452277975991752849",
                    "85903228099650784518719945404171694252",
                    "296667237429480005016887321786683012499",
                    "61636712300706474001439058240294416112",
                    "77425943753379300985456224730390594033",
                    "135929676009272874451971485705602739130",
                    "49535617750990182053086350885676251462",
                    "33093153364960835950107932712302248566",
                    "225828864127289279921631622465974272262",
                    "79552568967556752798876914827463897153",
                    "333410181382288534824612319161829565673",
                    "176541068430625443980465508504582927512",
                    "168763759043810477002339022667318381678",
                    "331446700013639118708788535359201420254",
                    "155821766547486912171878411543998170111",
                    "58805356026095635832561191414997722458",
                    "99478570042327571537016778884384472730",
                    "333198278653344325639517405329165219299",
                    "125657544851565095256207088577436661723",
                    "239388980532439167434774870513742444418",
                    "270417850196932116785063177384387752083",
                    "5801530637509105560467689807237342717",
                    "20088633092441532646650728584560939559",
                    "42227335557464549010010414722436480917",
                    "83677434866771941295931151765314791457",
                    "177876332645596899893387754574563645196",
                    "227578307401345944109284943623988652836",
                    "1634520939855509107196698310393509536",
                    "76920695806038359049937337612482095975",
                    "230443769047555086793817637875159852835",
                    "286941051521258308774577060726131505363",
                    "326494712029138037058902409418515720528",
                    "46913028736989141746481103152322865734",
                    "273228920086417022959403044733870944246",
                    "5485597252794390319117476009855436311"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "common/flatpak-transaction.c"
            },
            "signature_type": "Line",
            "source": "https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-6d0d7a3c"
        },
        {
            "digest": {
                "line_hashes": [
                    "124588171243196159017325245423169724344",
                    "297426710713466060605088962606546847769",
                    "165934389046901228074990493218186080362",
                    "114060730018427728106657663031172015011",
                    "23142527110121917314341611571392501718",
                    "62518153213670252093757051117906746599",
                    "49410270569780855872032560277951466771",
                    "298771084599194939213039736243316336751",
                    "68015049258757301742784802346844661454",
                    "69272348257012032869529327589425445737",
                    "142365861560506242528150096585612340899",
                    "126370255795860806015291009246548187126",
                    "251641431207220062934404017557492285965",
                    "42223758317497889650179176523099628456"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "common/flatpak-utils.c"
            },
            "signature_type": "Line",
            "source": "https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-7367118b"
        },
        {
            "digest": {
                "length": 1323.0,
                "function_hash": "233027807320338073607589774600227767042"
            },
            "target": {
                "function": "try_resolve_op_from_metadata",
                "file": "common/flatpak-transaction.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-77ff53a6"
        },
        {
            "digest": {
                "length": 2410.0,
                "function_hash": "130268887356355324802151301214002533830"
            },
            "target": {
                "function": "flatpak_pull_from_bundle",
                "file": "common/flatpak-utils.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-a16dbd17"
        },
        {
            "digest": {
                "length": 1017.0,
                "function_hash": "35507444413538165187572202229198735844"
            },
            "target": {
                "function": "resolve_op_from_commit",
                "file": "common/flatpak-transaction.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-b3e431be"
        },
        {
            "digest": {
                "line_hashes": [
                    "100737419827060205170198414800389184387",
                    "147773516081525001554295588253374388184",
                    "226225098825430752395285439407341201299",
                    "303147884397468597738662709471431570791",
                    "241641131146341495441644568526422954398",
                    "88043545392854206544277765936902990586",
                    "59500614890680722908205740340948755221",
                    "168256884569841067884185050026736665062",
                    "259357256558738351504726465500188503747",
                    "181138335075233938374465241475198759983",
                    "127017229258498961023957720820318952800",
                    "28042782009037569120671434122320668804",
                    "231012024652166073477797178561391339267",
                    "6489037587716790811367711182929614153",
                    "313828336662594673455220358967849379802",
                    "145946474572252029719996614458748132423",
                    "105378569069162234850768369549942688277",
                    "183321967984024006210163039148144222295",
                    "316107473565103082443988270586501569191",
                    "98223543383625866905502946294220025283",
                    "78003675036132145024940266323136981023",
                    "159828783754817344216548204969522165493",
                    "83960354187234932446953270250865777970",
                    "105443273874021836890860840303759115755",
                    "181224744156650566400872879786794734155",
                    "81887701916145403750761171648458072429",
                    "70032870353621431751052726394536128812",
                    "28494434730770681077016801247642358209",
                    "243157794437306587665422466713735513865",
                    "252828546703910787814860840973790694651",
                    "314445975014033486486876501564521805295",
                    "214481218969469092082669095116137988979",
                    "338412271555581422031928028987357398958",
                    "226218761533293436320315337539252089534",
                    "187733715585570057798640888719938202345",
                    "82629542228865644247658191515657695735",
                    "59509183817093369878375538042218526829",
                    "257878910756238708787772132690214606659",
                    "252140756641509854650757499695224544643",
                    "100899753757084331058382048621250040764",
                    "25506175481870640167739428453839082526",
                    "284763049928881514111373346329127519135",
                    "179660368344375117315951300530965121794",
                    "56925722711802919112719619249771525804",
                    "80891711527026972231675690018738210259"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "common/flatpak-dir.c"
            },
            "signature_type": "Line",
            "source": "https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-bc88dfd3"
        },
        {
            "digest": {
                "length": 969.0,
                "function_hash": "5925686855147228042481882271521756390"
            },
            "target": {
                "function": "load_deployed_metadata",
                "file": "common/flatpak-transaction.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-ccdc3492"
        },
        {
            "digest": {
                "length": 3928.0,
                "function_hash": "286898616012752349634334808800709437464"
            },
            "target": {
                "function": "resolve_ops",
                "file": "common/flatpak-transaction.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-d1c4aa3f"
        },
        {
            "digest": {
                "length": 2672.0,
                "function_hash": "2696867275489056180011282615357340171"
            },
            "target": {
                "function": "flatpak_transaction_add_ref",
                "file": "common/flatpak-transaction.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-e4782c3e"
        },
        {
            "digest": {
                "line_hashes": [
                    "210648484732517088296769330734129106940",
                    "46629451896094101670571230274217458358",
                    "162445486178380282586568069834911329075",
                    "111740388813201847549500563602858560156",
                    "150481912879845550593135711365509310769",
                    "256193446523528562998242946403058041632",
                    "235817528180193076402361451869924316677",
                    "208198275019053322225600353267922397967",
                    "248933591574767209822627382570382408461",
                    "290473216411275696532154990853373061300",
                    "13497216911047613904274732569591815499",
                    "182487748692728740097300994311861168371",
                    "311053415847645923945277703357330979141",
                    "298409011616285831933306185866212696719",
                    "124492121589322149192915062175388484543",
                    "50843910737737449487675448893836490152"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "common/flatpak-transaction.c"
            },
            "signature_type": "Line",
            "source": "https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-ef0a0517"
        },
        {
            "digest": {
                "length": 1319.0,
                "function_hash": "311279097478529110885827916821625603360"
            },
            "target": {
                "function": "try_resolve_op_from_metadata",
                "file": "common/flatpak-transaction.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-ef69eb0b"
        },
        {
            "digest": {
                "length": 9504.0,
                "function_hash": "344809701562139156707791863798175169"
            },
            "target": {
                "function": "flatpak_dir_deploy",
                "file": "common/flatpak-dir.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-f076299d"
        },
        {
            "digest": {
                "length": 327.0,
                "function_hash": "292667963680028786439017636975465809109"
            },
            "target": {
                "function": "resolve_op_end",
                "file": "common/flatpak-transaction.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2021-43860-fd52db7a"
        }
    ]
}