CVE-2024-32462

Source
https://cve.org/CVERecord?id=CVE-2024-32462
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32462.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-32462
Aliases
  • GHSA-phv6-cpc2-2fgj
Downstream
Related
Published
2024-04-18T18:11:27.680Z
Modified
2026-03-03T02:54:18.361089Z
Severity
  • 8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Summary
Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing
Details

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox.

Normally, the --command argument of flatpak run expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However, it was possible to instead pass bwrap (bubblewrap) options to --command=, such as --bind: Flatpak appended the app command directly after its own bwrap options with no separator, so bwrap kept parsing the app-supplied tokens as options rather than as the command to execute.

From within a Flatpak app it is possible to pass an arbitrary command line to the portal interface org.freedesktop.portal.Background.RequestBackground. When the portal converts this into a --command and arguments for flatpak run, it has the same effect as passing arguments directly to bwrap, and can therefore be used for a sandbox escape (CWE-88, argument injection).

The fix is to pass the -- argument to bwrap before the app command, which makes bwrap stop processing options. This has been supported since bubblewrap 0.3.0, and all supported versions of Flatpak already require at least that version of bubblewrap. Independently, xdg-desktop-portal version 1.18.4 mitigates the vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --.

The vulnerability is patched in Flatpak 1.10.9, 1.12.9, 1.14.6, and 1.15.8.
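The following is an added illustration of the argument-injection pattern described above; it is not Flatpak, bubblewrap or xdg-desktop-portal code. The argv construction is a simplified stand-in for how a launcher hands an app-supplied command to bwrap, the option table in the toy parser covers only a handful of real bwrap options, and the sandbox paths, app id and the "--bind / /" payload are constructed for the example. It assumes, as the advisory states, that bwrap treats everything before a literal "--" as options and everything after it as the command.

```python
"""
Argument injection into a bwrap command line (CWE-88), modelled on
CVE-2024-32462. Added example, not project code.

Assumption: bwrap stops option parsing at "--" (bubblewrap >= 0.3.0).
"""

# Constructed sample of options a launcher would itself add to bwrap.
SANDBOX_OPTIONS = [
    "--unshare-all",
    "--ro-bind", "/usr", "/usr",
    "--bind", "/home/user/.var/app/org.example.App",
              "/home/user/.var/app/org.example.App",
]


def build_bwrap_argv_vulnerable(command: list[str]) -> list[str]:
    """Pre-fix shape: the app-supplied command is appended straight after the
    launcher's own options. If command[0] begins with "--", bwrap keeps
    parsing it as one of *its* options, so the app controls the sandbox."""
    return ["bwrap", *SANDBOX_OPTIONS, *command]


def build_bwrap_argv_fixed(command: list[str]) -> list[str]:
    """Post-fix shape: a literal "--" ends option parsing, so every token the
    app supplied is part of the command to exec, never a bwrap option."""
    return ["bwrap", *SANDBOX_OPTIONS, "--", *command]


def simulate_bwrap_parse(argv: list[str]) -> tuple[list[tuple[str, ...]], list[str]]:
    """Toy model of bwrap's option parsing (hypothetical, only a few options).
    Consumes leading "--xxx" tokens with their arguments until "--" or the
    first non-option token. Returns (options, command)."""
    arity = {"--unshare-all": 0, "--ro-bind": 2, "--bind": 2, "--dev-bind": 2}
    options: list[tuple[str, ...]] = []
    i = 1  # skip argv[0] == "bwrap"
    while i < len(argv):
        tok = argv[i]
        if tok == "--":          # explicit end of options
            i += 1
            break
        if not tok.startswith("--"):
            break                # first positional token starts the command
        n = arity.get(tok)
        if n is None:
            raise ValueError(f"unknown bwrap option {tok!r}")
        if i + 1 + n > len(argv):
            raise ValueError(f"option {tok!r} needs {n} argument(s)")
        options.append(tuple(argv[i:i + 1 + n]))
        i += 1 + n
    return options, argv[i:]


def portal_command_allowed(command: list[str]) -> bool:
    """Portal-side check in the spirit of the xdg-desktop-portal 1.18.4
    mitigation: refuse a .desktop command whose first word starts with "--".
    This is defence in depth; the real fix is the "--" separator above."""
    return bool(command) and not command[0].startswith("--")


if __name__ == "__main__":
    # Constructed hostile command: a bind mount of the host root, then a shell.
    hostile = ["--bind", "/", "/", "sh"]

    opts, cmd = simulate_bwrap_parse(build_bwrap_argv_vulnerable(hostile))
    print("vulnerable: extra option", opts[-1], "command", cmd)

    opts, cmd = simulate_bwrap_parse(build_bwrap_argv_fixed(hostile))
    print("fixed:      options", len(opts), "command", cmd)

    print("portal allows hostile command:", portal_command_allowed(hostile))
```

In the vulnerable shape the app's "--bind / /" becomes a fourth bwrap option and only "sh" is left as the command; in the fixed shape all four tokens land after "--" and bwrap would try to exec a program literally named "--bind", which fails harmlessly. The portal check rejects the same payload before it is ever written into an autostart .desktop file.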

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32462.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-88"
    ]
}
References

Affected packages

Git / github.com/flatpak/flatpak

Affected ranges

Type
GIT
Repo
https://github.com/flatpak/flatpak
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Introduced
Fixed
Introduced
Fixed

Affected versions

1.*
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.12.6
1.12.7
1.12.8
1.13.1
1.13.2
1.13.3
1.14.0
1.14.1
1.14.2
1.14.3
1.14.4
1.14.5
1.15.0
1.15.1
1.15.2
1.15.3
1.15.4
1.15.6
1.15.7

Database specific

vanir_signatures
[
    {
        "id": "CVE-2024-32462-0698af53",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
        "target": {
            "file": "common/flatpak-dir.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "317769743648359304758329909821865367787",
                "319436217136493251617755883489252570054",
                "336373015549276148258444673140071363811",
                "243828145650739975163817252022426979032"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2024-32462-1773d0eb",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97",
        "target": {
            "function": "flatpak_run_app",
            "file": "common/flatpak-run.c"
        },
        "digest": {
            "length": 13560.0,
            "function_hash": "109913409286668749569561208472089366551"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-1b727b31",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
        "target": {
            "function": "flatpak_builtin_build",
            "file": "app/flatpak-builtins-build.c"
        },
        "digest": {
            "length": 10037.0,
            "function_hash": "208236299568725957026369299329212808673"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-1c2894d7",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e",
        "target": {
            "file": "app/flatpak-builtins-build.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "118471398715978625219295879568900055403",
                "20025332458569613793533901463776785882",
                "189579782292545310696055241004848827188",
                "154938707910802800210569888298073220483"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2024-32462-3c5c8d7b",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d",
        "target": {
            "function": "flatpak_builtin_build",
            "file": "app/flatpak-builtins-build.c"
        },
        "digest": {
            "length": 9817.0,
            "function_hash": "163588664375792742057312413402510238378"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-456b1c1e",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e",
        "target": {
            "function": "flatpak_builtin_build",
            "file": "app/flatpak-builtins-build.c"
        },
        "digest": {
            "length": 9995.0,
            "function_hash": "335593857996861262461975364276361972319"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-45f67e2a",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
        "target": {
            "function": "flatpak_dir_run_triggers",
            "file": "common/flatpak-dir.c"
        },
        "digest": {
            "length": 2146.0,
            "function_hash": "200579764972954978415763017127709428648"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-4d6b1d94",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97",
        "target": {
            "file": "common/flatpak-dir.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "317769743648359304758329909821865367787",
                "319436217136493251617755883489252570054",
                "336373015549276148258444673140071363811",
                "243828145650739975163817252022426979032"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2024-32462-58f88854",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d",
        "target": {
            "function": "add_bwrap_wrapper",
            "file": "common/flatpak-run.c"
        },
        "digest": {
            "length": 1698.0,
            "function_hash": "278148503921999970531051325527233897139"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-68066267",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97",
        "target": {
            "function": "flatpak_dir_run_triggers",
            "file": "common/flatpak-dir.c"
        },
        "digest": {
            "length": 2125.0,
            "function_hash": "289856988089759279109298409562696033542"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-703a80ef",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
        "target": {
            "file": "app/flatpak-builtins-build.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "118471398715978625219295879568900055403",
                "20025332458569613793533901463776785882",
                "189579782292545310696055241004848827188",
                "154938707910802800210569888298073220483"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2024-32462-7a483525",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d",
        "target": {
            "file": "common/flatpak-dir.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "317769743648359304758329909821865367787",
                "319436217136493251617755883489252570054",
                "336373015549276148258444673140071363811",
                "243828145650739975163817252022426979032"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2024-32462-7c6d520c",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
        "target": {
            "function": "add_bwrap_wrapper",
            "file": "common/flatpak-run-dbus.c"
        },
        "digest": {
            "length": 1747.0,
            "function_hash": "65042962968422244001954748261736317558"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-81ab9bf5",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97",
        "target": {
            "function": "add_bwrap_wrapper",
            "file": "common/flatpak-run.c"
        },
        "digest": {
            "length": 1698.0,
            "function_hash": "278148503921999970531051325527233897139"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-93c4820c",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e",
        "target": {
            "file": "common/flatpak-run.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "330762700364318858044760854883322074642",
                "47443605241193744693354227288728767104",
                "211970635136706510616166223980677422942",
                "246182905536897567126587492449763505222",
                "219747996955212092350011752328363779573",
                "46225423996768789458063305237027922098",
                "96896721729740781962316630159747739336"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2024-32462-9e9cb812",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e",
        "target": {
            "file": "common/flatpak-dir.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "317769743648359304758329909821865367787",
                "319436217136493251617755883489252570054",
                "336373015549276148258444673140071363811",
                "243828145650739975163817252022426979032"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2024-32462-9ef72b9e",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e",
        "target": {
            "function": "add_bwrap_wrapper",
            "file": "common/flatpak-run.c"
        },
        "digest": {
            "length": 1747.0,
            "function_hash": "65042962968422244001954748261736317558"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-a134d38c",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d",
        "target": {
            "function": "flatpak_run_app",
            "file": "common/flatpak-run.c"
        },
        "digest": {
            "length": 10823.0,
            "function_hash": "116639477181726702656461057101522348529"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-a80c8470",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97",
        "target": {
            "file": "common/flatpak-run.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "330762700364318858044760854883322074642",
                "47443605241193744693354227288728767104",
                "211970635136706510616166223980677422942",
                "246182905536897567126587492449763505222",
                "219747996955212092350011752328363779573",
                "46225423996768789458063305237027922098",
                "96896721729740781962316630159747739336"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2024-32462-cbe06f05",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e",
        "target": {
            "function": "flatpak_dir_run_triggers",
            "file": "common/flatpak-dir.c"
        },
        "digest": {
            "length": 2125.0,
            "function_hash": "289856988089759279109298409562696033542"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-cd2b76ff",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e",
        "target": {
            "function": "flatpak_run_app",
            "file": "common/flatpak-run.c"
        },
        "digest": {
            "length": 14297.0,
            "function_hash": "228947040055073626105463498559555420040"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-d6c665a2",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
        "target": {
            "function": "flatpak_run_app",
            "file": "common/flatpak-run.c"
        },
        "digest": {
            "length": 14656.0,
            "function_hash": "27107804023291048665905029837043147751"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-da0ab89a",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
        "target": {
            "file": "common/flatpak-run-dbus.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "173953116240382667356606877338432503369",
                "47443605241193744693354227288728767104",
                "327395398367859154578757166920687881873"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2024-32462-de37092f",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
        "target": {
            "file": "common/flatpak-run.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "246182905536897567126587492449763505222",
                "219747996955212092350011752328363779573",
                "46225423996768789458063305237027922098",
                "96896721729740781962316630159747739336"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2024-32462-dfbebd6e",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d",
        "target": {
            "function": "flatpak_dir_run_triggers",
            "file": "common/flatpak-dir.c"
        },
        "digest": {
            "length": 2200.0,
            "function_hash": "30464788194787519836043672269285636301"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-32462-eeafc64e",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97",
        "target": {
            "file": "app/flatpak-builtins-build.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "118471398715978625219295879568900055403",
                "20025332458569613793533901463776785882",
                "189579782292545310696055241004848827188",
                "154938707910802800210569888298073220483"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2024-32462-f19a4e33",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d",
        "target": {
            "file": "app/flatpak-builtins-build.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "118471398715978625219295879568900055403",
                "20025332458569613793533901463776785882",
                "189579782292545310696055241004848827188",
                "154938707910802800210569888298073220483"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2024-32462-faf1a5fb",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d",
        "target": {
            "file": "common/flatpak-run.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "330762700364318858044760854883322074642",
                "47443605241193744693354227288728767104",
                "211970635136706510616166223980677422942",
                "246182905536897567126587492449763505222",
                "219747996955212092350011752328363779573",
                "46225423996768789458063305237027922098",
                "96896721729740781962316630159747739336"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2024-32462-fdf19660",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97",
        "target": {
            "function": "flatpak_builtin_build",
            "file": "app/flatpak-builtins-build.c"
        },
        "digest": {
            "length": 9988.0,
            "function_hash": "71440669775031959586668012640547353550"
        },
        "signature_type": "Function"
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32462.json"