CVE-2021-21261
Summary
| Field | Value |
|---|---|
| CVE | CVE-2021-21261 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-01-14 20:15:00 UTC |
| Updated | 2021-01-27 19:34:00 UTC |
| Description | Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before the fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Debian -- Security Information -- DSA-4830-1 flatpak | DEBIAN | www.debian.org | Third Party Advisory |
| portal: Convert --env in extra-args into --env-fd · flatpak/flatpak@aeb6a7a · GitHub | MISC | github.com | Patch, Third Party Advisory |
| portal: Do not use caller-supplied variables in environment · flatpak/flatpak@cc14010 · GitHub | MISC | github.com | Third Party Advisory |
| context: Add --env-fd option · flatpak/flatpak@6e5ae7a · GitHub | MISC | github.com | Patch, Third Party Advisory |
| Release Release 1.8.5 · flatpak/flatpak · GitHub | MISC | github.com | Third Party Advisory |
| Flatpak: Sandbox escape (GLSA 202101-21) — Gentoo security | GENTOO | security.gentoo.org | Third Party Advisory |
| CVE-2021-21261: Flatpak sandbox escape via spawn portal · Advisory · flatpak/flatpak · GitHub | CONFIRM | github.com | Third Party Advisory |
| run: Convert all environment variables into bwrap arguments · flatpak/flatpak@6d1773d · GitHub | MISC | github.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 174877 SUSE Enterprise Linux Security Update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk (SUSE-SU-2021:1094-1)
- 180296 Debian Security Update for flatpak (CVE-2021-21261)
- 376873 Alibaba Cloud Linux Security Update for flatpak (ALINUX2-SA-2021:0009)
- 377160 Alibaba Cloud Linux Security Update for flatpak (ALINUX3-SA-2021:0001)
- 501560 Alpine Linux Security Update for flatpak
- 670536 EulerOS Security Update for flatpak (EulerOS-SA-2021-2294)
- 750278 OpenSUSE Security Update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk (openSUSE-SU-2021:0520-1)
- 752538 SUSE Enterprise Linux Security Update for flatpak (SUSE-SU-2022:2990-1)
- 752593 SUSE Enterprise Linux Security Update for flatpak (SUSE-SU-2022:3284-1)
- 940074 AlmaLinux Security Update for flatpak (ALSA-2021:0304)