CVE-2021-41133
Summary
| CVE | CVE-2021-41133 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-10-08 14:15:00 UTC |
| Updated | 2023-12-23 10:15:00 UTC |
| Description | Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version. |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Application | Flatpak | Flatpak | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| common: Add a list of recently-added Linux syscalls · flatpak/flatpak@26b1248 · GitHub | MISC | github.com | |
| run: Add cross-references for some other seccomp syscall filters · flatpak/flatpak@89ae9fe · GitHub | MISC | github.com | |
| run: Don't allow unmounting filesystems · flatpak/flatpak@1330662 · GitHub | MISC | github.com | |
| run: Disallow recently-added mount-manipulation syscalls · flatpak/flatpak@9766ee0 · GitHub | MISC | github.com | |
| [SECURITY] Fedora 33 Update: flatpak-1.10.5-1.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Debian -- Security Information -- DSA-4984-1 flatpak | DEBIAN | www.debian.org | |
| run: Add an errno value to seccomp filters · flatpak/flatpak@e26ac75 · GitHub | MISC | github.com | |
| run: Don't allow chroot() · flatpak/flatpak@462fca2 · GitHub | MISC | github.com | |
| CVE-2021-41133: Sandbox bypass via recent VFS-manipulating syscalls · Advisory · flatpak/flatpak · GitHub | CONFIRM | github.com | |
| oss-security - WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 | MLIST | www.openwall.com | |
| run: Block clone3() in sandbox · flatpak/flatpak@a10f52a · GitHub | MISC | github.com | |
| run: Block setns() · flatpak/flatpak@4c34815 · GitHub | MISC | github.com | |
| Flatpak: Multiple Vulnerabilities (GLSA 202312-12) — Gentoo security | | security.gentoo.org | |
| [SECURITY] Fedora 34 Update: flatpak-1.10.5-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159441 Oracle Enterprise Linux Security Update for flatpak (ELSA-2021-4042)
- 159442 Oracle Enterprise Linux Security Update for flatpak (ELSA-2021-4044)
- 178821 Debian Security Update for flatpak (DSA 4984-1)
- 182702 Debian Security Update for flatpak (CVE-2021-41133)
- 198605 Ubuntu Security Notification for Flatpak Vulnerability (USN-5191-1)
- 239746 Red Hat Update for flatpak (RHSA-2021:4044)
- 239747 Red Hat Update for flatpak (RHSA-2021:4042)
- 239763 Red Hat Update for flatpak (RHSA-2021:4107)
- 239770 Red Hat Update for flatpak (RHSA-2021:4106)
- 257125 CentOS Security Update for flatpak (CESA-2021:4044)
- 281974 Fedora Security Update for flatpak (FEDORA-2021-4b201d15e6)
- 282022 Fedora Security Update for flatpak (FEDORA-2021-c5a9c85737)
- 296061 Oracle Solaris 11.4 Support Repository Update (SRU) 42.113.1 Missing (CPUJAN2022)
- 355398 Amazon Linux Security Advisory for flatpak : ALAS2-2023-2076
- 376874 Alibaba Cloud Linux Security Update for flatpak (ALINUX2-SA-2021:0063)
- 377096 Alibaba Cloud Linux Security Update for flatpak (ALINUX3-SA-2021:0075)
- 501849 Alpine Linux Security Update for flatpak
- 502083 Alpine Linux Security Update for flatpak
- 671162 EulerOS Security Update for flatpak (EulerOS-SA-2021-2799)
- 710812 Gentoo Linux Flatpak Multiple Vulnerabilities (GLSA 202312-12)
- 751256 OpenSUSE Security Update for flatpak (openSUSE-SU-2021:3472-1)
- 751305 OpenSUSE Security Update for flatpak (openSUSE-SU-2021:1400-1)
- 752593 SUSE Enterprise Linux Security Update for flatpak (SUSE-SU-2022:3284-1)
- 752628 SUSE Enterprise Linux Security Update for flatpak (SUSE-SU-2022:3439-1)
- 940169 AlmaLinux Security Update for flatpak (ALSA-2021:4042)
- 960040 Rocky Linux Security Update for flatpak (RLSA-2021:4042)