Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <YAnSSXu4Kpq6Avco@espresso.pseudorandom.co.uk>
Date: Thu, 21 Jan 2021 19:13:13 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-21261: Flatpak sandbox escape via spawn portal (aka
 GHSA-4ppf-fxf6-vxg2)

Affected versions: flatpak >= 0.11.4
Fixed versions: flatpak >= 1.10.0, and 1.8.x >= 1.8.5

Flatpak is a system for building, distributing, and running sandboxed
desktop applications on Linux.

I discovered a bug in the flatpak-portal service that can allow sandboxed
applications to execute arbitrary code on the host system (a sandbox
escape). This is fixed in 1.10.0 and 1.8.5.

The initial fixed versions introduced a regression for users of
'flatpak build' on systems where a setuid version of bubblewrap (bwrap)
is required. Version 1.10.1 additionally resolves the regression. The
regression fix has been backported to the flatpak-1.8.x branch but is
not currently in any 1.8.x release.

More details:
https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.