Flatpak, a widely used Linux application sandboxing and distribution framework, contained a vulnerability in its persistent directory implementation. It allowed a malicious or compromised Flatpak app that uses persistent directories to read and write files outside its normal scope, putting user confidentiality and data integrity at risk. The issue affects versions of Flatpak prior to 1.14.10 and 1.15.10. This post describes the vulnerability in depth, points to the original references, explains the exploit details, and shows how to mitigate the issue in your Flatpak deployment.

Exploit Details

The vulnerability exists in the way Flatpak handles persistent directories using the persistent=subdir permission (represented as --persist=subdir in the command-line interface). Normally, this feature should allow an app without access to the real user home directory to see an empty home directory with a writable subdirectory subdir. Behind the scenes, this directory is a bind mount and the data is stored in the per-application directory as ~/.var/app/$APPID/subdir.

However, due to the vulnerability, the application is also able to write to its application directory ~/.var/app/$APPID itself, which is outside its normal scope. If the source directory for the persistent/--persist option is replaced by a symlink, then the next time the application starts, the bind mount follows the symlink and mounts whatever directory it points to into the sandbox. This can give an attacker access to files or directories the app was never granted.
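The mechanism above can be audited from the host side. The following is an added example, not Flatpak project code: a POSIX shell script that reads an app's persistent= entries (the [Context] key shown by `flatpak info --show-permissions`) and checks that each source directory below ~/.var/app/$APPID is a real directory with no symlink anywhere in its path. The app IDs, the temporary directory tree and the metadata lines are constructed for the demo.

```shell
# Added audit helper (not Flatpak project code): flag any --persist source directory
# below ~/.var/app/$APPID that is, or sits under, a symlink, since a bind mount follows it.

# Read "persistent=a;b/c;" lines from stdin and print one subdir per line.
persist_dirs() {
    sed -n 's/^persistent=//p' | tr ';' '\n' | sed '/^$/d'
}

# check_persist_dir APP_DATA_ROOT APPID SUBDIR: walk SUBDIR one component at a time.
# Returns 0 (real directory), 1 (symlink found), 2 (component missing).
check_persist_dir() {
    root=$1; appid=$2; subdir=$3
    path="$root/$appid"
    old_ifs=$IFS; IFS=/; set -- $subdir; IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        path="$path/$comp"
        if [ -L "$path" ]; then
            echo "symlink: $path -> $(readlink "$path")"; return 1
        elif [ ! -d "$path" ]; then
            echo "missing: $path"; return 2
        fi
    done
    echo "ok: $path"; return 0
}

# audit_app APP_DATA_ROOT APPID (metadata on stdin); non-zero if any persisted dir is suspect.
audit_app() {
    rc=0
    for d in $(persist_dirs); do
        check_persist_dir "$1" "$2" "$d" || rc=1
    done
    return $rc
}

# Constructed stand-in for ~/.var/app: one clean app and one whose persisted "data"
# directory has been replaced by a symlink (the situation the CVE describes).
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/org.example.Good/data" "$demo/org.example.Bad"
    ln -s /etc "$demo/org.example.Bad/data"
    echo "$demo"
}

root=$(make_demo_tree)
for app in org.example.Good org.example.Bad; do
    printf 'persistent=data;\n' | audit_app "$root" "$app" || echo "FINDING: $app"
done
rm -rf "$root"
```

On a real system, point APP_DATA_ROOT at ~/.var/app and feed each app's `flatpak info --show-permissions` output to audit_app.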

Mitigation

To partially protect against this vulnerability, Flatpak can be patched with the changes from the following two commits:
1. ceec2ffc
2. 98f79773

However, these patches still leave a race condition that can be exploited by two instances of a malicious app running in parallel. To completely patch this issue, one must update or patch the version of bubblewrap used by Flatpak to add the new --bind-fd option and subsequently patch Flatpak to use it.

For the 1.14.x stable branch, these changes are included in Flatpak 1.14.10. The bundled version of bubblewrap in this release has been updated to 0.6.3. For the 1.15.x development branch, these changes are included in Flatpak 1.15.10. The bundled version of bubblewrap in this release is a Meson "wrap" subproject, which has been updated to 0.10.0.

Long-term support OS distributions should backport the individual changes into their versions of Flatpak and bubblewrap or update to newer versions if their stability policy allows it.

Workaround

As a temporary measure, users can avoid running applications that use the persistent (--persist) permission, which removes the bind mount that this vulnerability abuses.

Conclusion

The CVE-2024-42472 Flatpak vulnerability in persistent directories posed a significant risk to users because it allowed access to files and directories outside an application's normal scope. By understanding how the vulnerability works, following the exploit details, and applying the patches and bubblewrap update described above, you can mitigate this issue and keep your Flatpak deployment secure.

Timeline

Published on: 08/15/2024 19:15:19 UTC
Last modified on: 08/19/2024 13:00:23 UTC