CVE-2024-32462

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-32462

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32462.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-32462

Related

Published

2024-04-18T18:15:09Z

Modified

2025-01-15T05:13:21.731997Z

Summary

[none]

Details

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the --command argument of flatpak run expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass bwrap arguments to --command=, such as --bind. It's possible to pass an arbitrary commandline to the portal interface org.freedesktop.portal.Background.RequestBackground from within a Flatpak app. When this is converted into a --command and arguments, it achieves the same effect of passing arguments directly to bwrap, and thus can be used for a sandbox escape. The solution is to pass the -- argument to bwrap, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.

References

Affected packages

Debian:11 / flatpak

Package

Name: flatpak
Purl: pkg:deb/debian/flatpak?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.8-0+deb11u2

Affected versions

1.*

1.10.2-3

1.10.3-0+deb11u1~bpo11+1

1.10.3-0+deb11u1

1.10.5-0+deb11u1~bpo10+1

1.10.5-0+deb11u1

1.10.7-0+deb11u1~bpo10+1

1.10.7-0+deb11u1

1.10.8-0+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / flatpak

Package

Name: flatpak
Purl: pkg:deb/debian/flatpak?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.14.4-1+deb12u1

Affected versions

1.*

1.14.4-1

1.14.4-1+deb12u1~bpo11+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / flatpak

Package

Name: flatpak
Purl: pkg:deb/debian/flatpak?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.14.6-1

Affected versions

1.*

1.14.4-1

1.14.4-2

1.14.5-1

1.14.6-1~deb13u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/flatpak/flatpak

Affected ranges

Type: GIT
Repo: https://github.com/flatpak/flatpak
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

72016e3fce8fcbeab707daf4f1a02b931fcc004d

Fixed

72016e3fce8fcbeab707daf4f1a02b931fcc004d

Fixed

81abe2a37d363f5099c3d0bdcd0caad6efc5bf97

Fixed

81abe2a37d363f5099c3d0bdcd0caad6efc5bf97

Fixed

b7c1a558e58aaeb1d007d29529bbb270dc4ff11e

Fixed

b7c1a558e58aaeb1d007d29529bbb270dc4ff11e

Fixed

bbab7ed1e672356d1a78b422462b210e8e875931

Fixed

bbab7ed1e672356d1a78b422462b210e8e875931

Affected versions

0.*

0.1

0.10.0

0.10.1

0.10.2

0.11.1

0.11.2

0.11.3

0.11.4

0.11.5

0.11.6

0.11.7

0.11.8

0.11.8.1

0.11.8.2

0.11.8.3

0.2

0.2.1

0.3

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.4.0

0.4.1

0.4.10

0.4.11

0.4.12

0.4.13

0.4.2

0.4.2.1

0.4.3

0.4.4

0.4.5

0.4.6

0.4.7

0.4.8

0.4.9

0.5.0

0.5.1

0.5.2

0.6.0

0.6.1

0.6.10

0.6.11

0.6.12

0.6.13

0.6.14

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6

0.6.7

0.6.8

0.6.9

0.8.0

0.8.1

0.9.1

0.9.10

0.9.11

0.9.12

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.98

0.9.98.1

0.9.98.2

0.9.99

0.99.1

0.99.2

0.99.3

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.1.1

1.1.2

1.1.3

1.10.0

1.10.1

1.10.2

1.10.3

1.10.4

1.10.5

1.10.6

1.10.7

1.10.8

1.11.1

1.11.2

1.11.3

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

1.12.5

1.12.6

1.12.7

1.12.8

1.13.1

1.13.2

1.13.3

1.14.0

1.14.1

1.14.2

1.14.3

1.14.4

1.14.5

1.15.0

1.15.1

1.15.2

1.15.3

1.15.4

1.15.6

1.15.7

1.2.0

1.2.1

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.4.0

1.5.0

1.5.1

1.5.2

1.6.0

1.6.1

1.6.2

1.7.1

1.7.2

1.7.3

1.8.0

1.9.1

1.9.2

1.9.3