Message-ID: <Zrzl1Vi_mmbZlEHJ@descent>
Date: Wed, 14 Aug 2024 18:13:57 +0100
From: Simon McVittie <smcv@...labora.com>
To: flatpak@...ts.freedesktop.org, oss-security@...ts.openwall.com
Cc: flatpak-security@...ts.freedesktop.org
Subject: flatpak CVE-2024-42472: Access to files outside sandbox for apps using persistent= (--persist)

Flatpak is a system for building, distributing, and running sandboxed
desktop applications on Linux.

Chris Williams discovered an issue with how Flatpak mounts persistent
directories, which can allow an application using them to access host
files.

Advisory: https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87

Affected: all < 1.14.10, 1.15.x < 1.15.10
Fixed: 1.14.x >= 1.14.10, all >= 1.15.10

Impact
======

A malicious or compromised Flatpak app using persistent directories
could read and write files in locations it would not normally have
access to, which is an attack on integrity and confidentiality.

Description
===========

When persistent=subdir is used in the application permissions
(represented as --persist=subdir in the command-line interface), that
means that an application which otherwise doesn't have access to the
real user home directory will see an empty home directory with a
writeable subdirectory `subdir`.

Behind the scenes, this directory is actually a bind mount and the data
is stored in the per-application directory as ~/.var/app/$APPID/subdir.
This allows existing apps that are not aware of the per-application
directory to still work as intended without general home directory
access.

However, the application does have write access to the application
directory ~/.var/app/$APPID where this directory is stored. If the
source directory for the persistent/--persist option is replaced by a
symlink, then the next time the application is started, the bind mount
will follow the symlink and mount whatever it points to into the
sandbox.

For example, org.mozilla.Thunderbird has persistent=.thunderbird, and is
not meant to be able to access ~/.ssh. In this example, % represents a
shell prompt on the host system, and $ represents a shell prompt inside
the app sandbox.

% flatpak run --command=sh org.mozilla.Thunderbird
$ mv ~/.var/app/org.mozilla.Thunderbird/.thunderbird{,.save}
$ ln -s ~/.ssh ~/.var/app/org.mozilla.Thunderbird/.thunderbird
$ exit
% flatpak run --command=sh org.mozilla.Thunderbird
$ ls ~/.thunderbird
{contents of ~/.ssh/}

Patches
=======

This was fixed in Flatpak 1.14.10 (stable release branch) and 1.15.10
(development prerelease branch).

For details of backportable patches suitable for inclusion in LTS
distributions, please see
<https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87>.

Fully resolving this vulnerability requires adding a new --bind-fd
option to bubblewrap (a sandboxing component used by Flatpak) so that
Flatpak can avoid a time-of-check/time-of-use race condition. This
feature was added in bubblewrap 0.10.0, but can be backported. More
details are available via the link above.

Depending how Flatpak was configured at build time, the version of
bubblewrap that needs to be patched might either be separately
installed into the PATH (typically /usr/bin/bwrap from an OS vendor
package), or a bundled convenience copy that is private to Flatpak
(typically installed as /usr/libexec/flatpak-bwrap). The convenience
copies that are included in Flatpak versions 1.14.10 and 1.15.10 have
been updated to include the necessary feature.

Mitigations
===========

If patching bubblewrap is logistically difficult, a mitigation is to
apply only the patch "Don't follow symlinks when mounting persisted
directories" to Flatpak, and then avoid running two instances of the
same untrusted app at the same time; this should prevent the
time-of-check/time-of-use issue from being exploited.

Another mitigation is to avoid installing untrusted apps that have the
"persistent" sandboxing parameter set in their metadata, and also avoid
using `flatpak override --persist ...` to add that parameter to
untrusted apps.

-- 
Simon McVittie, Collabora Ltd. / Debian
on behalf of the Flatpak maintainers
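Added example (not part of the advisory, and not Flatpak's own code): a POSIX shell check that reads the persistent= entries from an app's metadata and reports whether any component of the matching path under ~/.var/app/$APPID has been replaced by a symlink, which is the precondition for the attack shown above. It assumes the metadata is in Flatpak's usual key-file layout with a persistent= key (entries separated by ';') under [Context]; the function names, the SYMLINK: output format and the sample tree in the usage comment are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Flatpak: report persisted
# directories whose on-disk source has been turned into a symlink.
#
# Flatpak bind-mounts ~/.var/app/$APPID/<subdir> into the sandbox for each
# <subdir> listed in the persistent= key of the app's [Context] metadata
# section. Before the fix, a symlink at that path was followed at mount time.

# persist_dirs METADATA_FILE
# Print each entry of the ';'-separated (usually ';'-terminated) persistent=
# value on its own line. Only the first persistent= line is used.
persist_dirs() {
    sed -n 's/^persistent=//p' "$1" | head -n 1 | tr ';' '\n' | sed '/^$/d'
}

# check_persist_dirs APPDIR METADATA_FILE
# Walk each persisted path under APPDIR one component at a time and print
# any component that is a symlink. Returns 1 if one was found, 0 otherwise.
# A path that does not exist yet is fine: Flatpak creates it on first run.
check_persist_dirs() {
    appdir=$1
    meta=$2
    bad=0
    # Word splitting here means entries containing whitespace are not handled.
    for sub in $(persist_dirs "$meta"); do
        path=$appdir
        rest=$sub
        while [ -n "$rest" ]; do
            comp=${rest%%/*}
            case $rest in
                */*) rest=${rest#*/} ;;
                *)   rest= ;;
            esac
            if [ -n "$comp" ]; then
                path=$path/$comp
                # -L is true for a symlink regardless of what it points at.
                if [ -L "$path" ]; then
                    printf 'SYMLINK: %s -> %s (persistent=%s)\n' \
                        "$path" "$(readlink "$path")" "$sub"
                    bad=1
                    break
                fi
            fi
        done
    done
    return "$bad"
}

# Usage: sh check-persist.sh ~/.var/app/org.mozilla.Thunderbird metadata
# where "metadata" is the app's metadata key file (constructed sample:
# a file whose [Context] section contains "persistent=.thunderbird;").
if [ "$#" -eq 2 ]; then
    check_persist_dirs "$1" "$2" && echo "no symlinked persistent directories"
fi
```

The metadata of an installed app can be printed with `flatpak info --show-metadata APPID`; entries added with `flatpak override --persist` live in the per-app overrides file rather than in the app metadata, so feed the check both if you use overrides. A clean result only says the directories are not symlinks right now; it does not close the time-of-check/time-of-use window that the bubblewrap --bind-fd change addresses, so it is a detection aid for the mitigations above, not a substitute for the patches.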