CVE-2021-43860

Published on: Not Yet Published

Last Modified on: 02/10/2022 03:03:00 PM UTC

CVE-2021-43860 - advisory for GHSA-qpjc-vq3c-572j

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Certain versions of Debian Linux from Debian contain the following vulnerability:

Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "xa.metadata" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the *actual* metadata, from the "metadata" file to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from *before* the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata.
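To make the failure mode in the description concrete, the following C program is an added illustration and is not Flatpak's own code: it reduces the install-time check to a comparison between the displayed permissions (standing in for the "xa.metadata" key) and the raw contents of the "metadata" file, whereas Flatpak's real validation is more involved. The two metadata strings are constructed sample data, and the function names (metadata_matches_cstring, metadata_matches_bounded, hidden_content_offset) are hypothetical. It shows why a C-string comparison accepts a file whose extra permissions sit after a NUL byte, what a length-aware comparison does instead, and a small audit helper for the advisory's workaround of inspecting an installed app's metadata file by hand.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample data (not taken from any real Flatpak app):
 *  - shown_metadata stands in for the "xa.metadata" commit key, which is
 *    displayed to the user at install time and cannot contain a NUL byte.
 *  - hidden_file stands in for the app's "metadata" file; after the
 *    permissions that match xa.metadata it carries a NUL byte followed by
 *    an extra [Context] section granting a broader filesystem permission.
 * The trailing NUL the compiler appends is excluded via sizeof - 1.
 */
static const char shown_metadata[] =
    "[Context]\n"
    "filesystems=xdg-pictures;\n";

static const char hidden_file[] =
    "[Context]\n"
    "filesystems=xdg-pictures;\n"
    "\0"
    "[Context]\n"
    "filesystems=home;\n";

/* The pre-fix pattern: treat the file contents as a C string. strcmp()
 * stops at the first NUL, so the section after it is never compared. */
bool metadata_matches_cstring(const char *shown, const char *actual)
{
    return strcmp(shown, actual) == 0;
}

/* Length-aware comparison: uses the real file length, rejects any embedded
 * NUL outright (the displayed metadata cannot contain one, so a NUL in the
 * file can only hide content) and then requires a byte-exact match. */
bool metadata_matches_bounded(const char *shown, size_t shown_len,
                              const char *actual, size_t actual_len)
{
    if (memchr(actual, '\0', actual_len) != NULL)
        return false;
    return shown_len == actual_len && memcmp(shown, actual, shown_len) == 0;
}

/* Audit helper for the workaround of checking an installed app's metadata
 * file by hand: returns the offset of the first NUL byte, or -1 if there is
 * none. Everything after that offset was invisible to C-string parsing and
 * deserves a close read as a possible hidden permission grant. */
long hidden_content_offset(const char *buf, size_t len)
{
    const char *nul = memchr(buf, '\0', len);
    return nul ? (long)(nul - buf) : -1;
}

int main(void)
{
    size_t shown_len = sizeof shown_metadata - 1;
    size_t file_len = sizeof hidden_file - 1;

    printf("C-string compare says match: %s\n",
           metadata_matches_cstring(shown_metadata, hidden_file) ? "yes" : "no");
    printf("Bounded compare says match:  %s\n",
           metadata_matches_bounded(shown_metadata, shown_len,
                                    hidden_file, file_len) ? "yes" : "no");

    long off = hidden_content_offset(hidden_file, file_len);
    if (off >= 0)
        printf("Hidden content after NUL at offset %ld:\n%s",
               off, hidden_file + off + 1);
    return 0;
}
```

Run as-is, the C-string comparison reports a match while the bounded one rejects the file, and the audit helper points at the offset where the hidden [Context] section starts. The same idea applies when auditing a real installation: read the metadata file with its full byte length rather than as a string, and treat any NUL byte as a reason to inspect what follows it.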

  • CVE-2021-43860 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
  • Affected Vendor/Software: flatpak - flatpak version >= 1.11.0, < 1.12.3
  • Affected Vendor/Software: flatpak - flatpak version < 1.10.6

CVSS3 Score: 8.6 - HIGH

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS2 Score: 6.8 - MEDIUM

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

CVE References

  • Release 1.12.3 · flatpak/flatpak · GitHub (MISC): github.com/flatpak/flatpak/releases/tag/1.12.3
  • Add test for metadata validation · flatpak/[email protected] · GitHub (MISC): github.com/flatpak/flatpak/commit/54ec1a482dfc668127eaae57f135e6a8e0bc52da
  • Require metadata in commit also for OCI remotes · flatpak/[email protected] · GitHub (MISC): github.com/flatpak/flatpak/commit/93357d357119093804df05acc32ff335839c6451
  • Debian -- Security Information -- DSA-5049-1 flatpak (DEBIAN, deprecated link): DSA-5049
  • Ensure that bundles have metadata on install · flatpak/[email protected] · GitHub (MISC): github.com/flatpak/flatpak/commit/65cbfac982cb1c83993a9e19aa424daee8e9f042
  • Fix metadata file contents after null terminators being ignored · flatpak/[email protected] · GitHub (MISC): github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e
  • CVE-2021-43860: Permissions granted to applications can be hidden from the user at install time · Advisory · flatpak/flatpak · GitHub (CONFIRM): github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j
  • Release 1.10.6 · flatpak/flatpak · GitHub (MISC): github.com/flatpak/flatpak/releases/tag/1.10.6
  • Transaction: Fail the resolve if xa.metadata invalid or missing · flatpak/[email protected] · GitHub (MISC): github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee
  • [SECURITY] Fedora 35 Update: flatpak-1.12.3-1.fc35 - package-announce - Fedora Mailing-Lists (FEDORA): FEDORA-2022-825ca6bf2b

Related QID Numbers

  • 159836 Oracle Enterprise Linux Security Update for flatpak (ELSA-2022-1792)
  • 179013 Debian Security Update for flatpak (DSA 5049-1)
  • 240297 Red Hat Update for flatpak (RHSA-2022:1792)
  • 282251 Fedora Security Update for flatpak (FEDORA-2022-825ca6bf2b)
  • 282319 Fedora Security Update for flatpak (FEDORA-2022-8c64cb0992)
  • 354313 Amazon Linux Security Advisory for flatpak : ALAS2022-2022-179
  • 354489 Amazon Linux Security Advisory for flatpak : ALAS2022-2022-021
  • 502084 Alpine Linux Security Update for flatpak
  • 751803 SUSE Enterprise Linux Security Update for flatpak (SUSE-SU-2022:0712-1)
  • 751816 OpenSUSE Security Update for flatpak (openSUSE-SU-2022:0712-1)
  • 752593 SUSE Enterprise Linux Security Update for flatpak (SUSE-SU-2022:3284-1)
  • 940529 AlmaLinux Security Update for flatpak (ALSA-2022:1792)
  • 960317 Rocky Linux Security Update for flatpak (RLSA-2022:1792)

Known Affected Configurations (CPE V2.3)

Type              Vendor          Product           Version   Update   Edition   Language
Operating System  Debian          Debian Linux      10.0      All      All       All
Operating System  Debian          Debian Linux      11.0      All      All       All
Operating System  Debian          Debian Linux      9.0       All      All       All
Operating System  Fedoraproject   Fedora            35        All      All       All
Application       Flatpak         Flatpak           All       All      All       All
Application       Flatpak         Flatpak           All       All      All       All
Operating System  Redhat          Enterprise Linux  8.0       All      All       All
  • cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*:
  • cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*:
  • cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*:

Social Mentions

  • Twitter, @CVEreport: "CVE-2021-43860 : Flatpak is a #Linux application sandboxing and distribution framework. Prior to versions 1.12.3 an… twitter.com/i/web/status/1…" - posted 2022-01-12 21:44:40 UTC
  • Reddit, /r/netcve: "CVE-2021-43860" - posted 2022-01-12 22:38:44 UTC

© CVE.report 2023
