CVE-2024-32462

EUVD-2024-30279

18.04.2024, 18:15

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.

Argument Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.4 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 48%

Affected Products (NVD)

Vendor	Product	Version
flatpak	flatpak	𝑥 < 1.10.9
flatpak	flatpak	1.12.0 ≤ 𝑥 < 1.12.9
flatpak	flatpak	1.14.0 ≤ 𝑥 < 1.14.6
flatpak	flatpak	1.15.0 ≤ 𝑥 < 1.15.8

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
flatpak	flatpak	1.15.0 ≤ 𝑥 < 1.15.8	ADP

Debian Releases

Debian Product

Codename

flatpak

bookworm	1.14.10-1~deb12u1 fixed
bookworm (security)	1.14.10-1~deb12u1 fixed
bullseye	1.10.8-0+deb11u2 fixed
bullseye (security)	1.10.8-0+deb11u3 fixed
buster	ignored
forky	1.16.2-1 fixed
sid	1.16.2-1 fixed
trixie	1.16.1-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

flatpak

bionic	needed
focal	needed
jammy	needed
mantic	ignored
noble	Fixed 1.14.6-1 released
oracular	Fixed 1.14.6-1 released
plucky	Fixed 1.14.6-1 released
questing	Fixed 1.14.6-1 released

openSUSE / SLES Releases

openSUSE Product

Release

bubblewrap

suse enterprise desktop 15 SP6	0.11.0-150500.3.9.1 fixed
suse enterprise desktop 15 SP7	0.11.0-150500.3.9.1 fixed
suse enterprise sap 15 SP6	0.11.0-150500.3.9.1 fixed
suse enterprise sap 15 SP7	0.11.0-150500.3.9.1 fixed
suse enterprise server 15 SP5	0.11.0-150500.3.9.1 fixed
suse enterprise server 15 SP6	0.11.0-150500.3.9.1 fixed
suse enterprise server 15 SP7	0.11.0-150500.3.9.1 fixed

bubblewrap-zsh-completion

suse enterprise desktop 15 SP6	0.11.0-150500.3.9.1 fixed
suse enterprise desktop 15 SP7	0.11.0-150500.3.9.1 fixed
suse enterprise sap 15 SP6	0.11.0-150500.3.9.1 fixed
suse enterprise sap 15 SP7	0.11.0-150500.3.9.1 fixed
suse enterprise server 15 SP5	0.11.0-150500.3.9.1 fixed
suse enterprise server 15 SP6	0.11.0-150500.3.9.1 fixed
suse enterprise server 15 SP7	0.11.0-150500.3.9.1 fixed

flatpak

suse enterprise desktop 15 SP5	1.14.5-150500.3.9.1 fixed
suse enterprise desktop 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise desktop 15 SP7	1.16.0-150600.3.6.1 fixed
suse enterprise sap 15 SP2	1.10.8-150200.4.18.1 fixed
suse enterprise sap 15 SP3	1.10.8-150200.4.18.1 fixed
suse enterprise sap 15 SP5	1.14.5-150500.3.9.1 fixed
suse enterprise sap 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise sap 15 SP7	1.16.0-150600.3.6.1 fixed
suse enterprise server 15 SP2	1.10.8-150200.4.18.1 fixed
suse enterprise server 15 SP3	1.10.8-150200.4.18.1 fixed
suse enterprise server 15 SP4	1.12.8-150400.3.6.1 fixed
suse enterprise server 15 SP5	1.16.0-150500.3.15.1 fixed
suse enterprise server 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise server 15 SP7	1.16.0-150600.3.6.1 fixed

flatpak-devel

suse enterprise desktop 15 SP5	1.14.5-150500.3.9.1 fixed
suse enterprise desktop 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise desktop 15 SP7	1.16.0-150600.3.6.1 fixed
suse enterprise sap 15 SP2	1.10.8-150200.4.18.1 fixed
suse enterprise sap 15 SP3	1.10.8-150200.4.18.1 fixed
suse enterprise sap 15 SP5	1.14.5-150500.3.9.1 fixed
suse enterprise sap 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise sap 15 SP7	1.16.0-150600.3.6.1 fixed
suse enterprise server 15 SP2	1.10.8-150200.4.18.1 fixed
suse enterprise server 15 SP3	1.10.8-150200.4.18.1 fixed
suse enterprise server 15 SP4	1.12.8-150400.3.6.1 fixed
suse enterprise server 15 SP5	1.16.0-150500.3.15.1 fixed
suse enterprise server 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise server 15 SP7	1.16.0-150600.3.6.1 fixed

flatpak-remote-flathub

suse enterprise desktop 15 SP5	1.14.5-150500.3.9.1 fixed
suse enterprise desktop 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise desktop 15 SP7	1.16.0-150600.3.6.1 fixed
suse enterprise sap 15 SP5	1.14.5-150500.3.9.1 fixed
suse enterprise sap 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise sap 15 SP7	1.16.0-150600.3.6.1 fixed
suse enterprise server 15 SP5	1.16.0-150500.3.15.1 fixed
suse enterprise server 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise server 15 SP7	1.16.0-150600.3.6.1 fixed

flatpak-zsh-completion

suse enterprise desktop 15 SP5	1.14.5-150500.3.9.1 fixed
suse enterprise desktop 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise desktop 15 SP7	1.16.0-150600.3.6.1 fixed
suse enterprise sap 15 SP2	1.10.8-150200.4.18.1 fixed
suse enterprise sap 15 SP3	1.10.8-150200.4.18.1 fixed
suse enterprise sap 15 SP5	1.14.5-150500.3.9.1 fixed
suse enterprise sap 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise sap 15 SP7	1.16.0-150600.3.6.1 fixed
suse enterprise server 15 SP2	1.10.8-150200.4.18.1 fixed
suse enterprise server 15 SP3	1.10.8-150200.4.18.1 fixed
suse enterprise server 15 SP4	1.12.8-150400.3.6.1 fixed
suse enterprise server 15 SP5	1.16.0-150500.3.15.1 fixed
suse enterprise server 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise server 15 SP7	1.16.0-150600.3.6.1 fixed

libflatpak0

suse enterprise desktop 15 SP5	1.14.5-150500.3.9.1 fixed
suse enterprise desktop 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise desktop 15 SP7	1.16.0-150600.3.6.1 fixed
suse enterprise sap 15 SP2	1.10.8-150200.4.18.1 fixed
suse enterprise sap 15 SP3	1.10.8-150200.4.18.1 fixed
suse enterprise sap 15 SP5	1.14.5-150500.3.9.1 fixed
suse enterprise sap 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise sap 15 SP7	1.16.0-150600.3.6.1 fixed
suse enterprise server 15 SP2	1.10.8-150200.4.18.1 fixed
suse enterprise server 15 SP3	1.10.8-150200.4.18.1 fixed
suse enterprise server 15 SP4	1.12.8-150400.3.6.1 fixed
suse enterprise server 15 SP5	1.16.0-150500.3.15.1 fixed
suse enterprise server 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise server 15 SP7	1.16.0-150600.3.6.1 fixed

system-user-flatpak

suse enterprise desktop 15 SP5	1.14.5-150500.3.9.1 fixed
suse enterprise desktop 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise desktop 15 SP7	1.16.0-150600.3.6.1 fixed
suse enterprise sap 15 SP2	1.10.8-150200.4.18.1 fixed
suse enterprise sap 15 SP3	1.10.8-150200.4.18.1 fixed
suse enterprise sap 15 SP5	1.14.5-150500.3.9.1 fixed
suse enterprise sap 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise sap 15 SP7	1.16.0-150600.3.6.1 fixed
suse enterprise server 15 SP2	1.10.8-150200.4.18.1 fixed
suse enterprise server 15 SP3	1.10.8-150200.4.18.1 fixed
suse enterprise server 15 SP4	1.12.8-150400.3.6.1 fixed
suse enterprise server 15 SP5	1.16.0-150500.3.15.1 fixed
suse enterprise server 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise server 15 SP7	1.16.0-150600.3.6.1 fixed

typelib-1_0-Flatpak-1_0

suse enterprise desktop 15 SP5	1.14.5-150500.3.9.1 fixed
suse enterprise desktop 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise desktop 15 SP7	1.16.0-150600.3.6.1 fixed
suse enterprise sap 15 SP2	1.10.8-150200.4.18.1 fixed
suse enterprise sap 15 SP3	1.10.8-150200.4.18.1 fixed
suse enterprise sap 15 SP5	1.14.5-150500.3.9.1 fixed
suse enterprise sap 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise sap 15 SP7	1.16.0-150600.3.6.1 fixed
suse enterprise server 15 SP2	1.10.8-150200.4.18.1 fixed
suse enterprise server 15 SP3	1.10.8-150200.4.18.1 fixed
suse enterprise server 15 SP4	1.12.8-150400.3.6.1 fixed
suse enterprise server 15 SP5	1.16.0-150500.3.15.1 fixed
suse enterprise server 15 SP6	1.16.0-150600.3.6.1 fixed
suse enterprise server 15 SP7	1.16.0-150600.3.6.1 fixed

wayland-protocols-devel

suse enterprise server 15 SP5

1.36-150500.3.3.1

fixed

xdg-desktop-portal

suse enterprise desktop 15 SP5	1.16.0-150500.3.6.1 fixed
suse enterprise desktop 15 SP6	1.18.2-150600.4.3.1 fixed
suse enterprise desktop 15 SP7	1.18.2-150600.4.3.1 fixed
suse enterprise sap 15 SP2	1.8.0-150200.5.6.1 fixed
suse enterprise sap 15 SP3	1.8.0-150200.5.6.1 fixed
suse enterprise sap 15 SP5	1.16.0-150500.3.6.1 fixed
suse enterprise sap 15 SP6	1.18.2-150600.4.3.1 fixed
suse enterprise sap 15 SP7	1.18.2-150600.4.3.1 fixed
suse enterprise server 15 SP2	1.8.0-150200.5.6.1 fixed
suse enterprise server 15 SP3	1.8.0-150200.5.6.1 fixed
suse enterprise server 15 SP4	1.10.1-150400.3.6.1 fixed
suse enterprise server 15 SP5	1.16.0-150500.3.6.1 fixed
suse enterprise server 15 SP6	1.18.2-150600.4.3.1 fixed
suse enterprise server 15 SP7	1.18.2-150600.4.3.1 fixed

xdg-desktop-portal-devel

suse enterprise desktop 15 SP5	1.16.0-150500.3.6.1 fixed
suse enterprise desktop 15 SP6	1.18.2-150600.4.3.1 fixed
suse enterprise desktop 15 SP7	1.18.2-150600.4.3.1 fixed
suse enterprise sap 15 SP2	1.8.0-150200.5.6.1 fixed
suse enterprise sap 15 SP3	1.8.0-150200.5.6.1 fixed
suse enterprise sap 15 SP5	1.16.0-150500.3.6.1 fixed
suse enterprise sap 15 SP6	1.18.2-150600.4.3.1 fixed
suse enterprise sap 15 SP7	1.18.2-150600.4.3.1 fixed
suse enterprise server 15 SP2	1.8.0-150200.5.6.1 fixed
suse enterprise server 15 SP3	1.8.0-150200.5.6.1 fixed
suse enterprise server 15 SP4	1.10.1-150400.3.6.1 fixed
suse enterprise server 15 SP5	1.16.0-150500.3.6.1 fixed
suse enterprise server 15 SP6	1.18.2-150600.4.3.1 fixed
suse enterprise server 15 SP7	1.18.2-150600.4.3.1 fixed

xdg-desktop-portal-lang

suse enterprise desktop 15 SP5	1.16.0-150500.3.6.1 fixed
suse enterprise desktop 15 SP6	1.18.2-150600.4.3.1 fixed
suse enterprise desktop 15 SP7	1.18.2-150600.4.3.1 fixed
suse enterprise sap 15 SP2	1.8.0-150200.5.6.1 fixed
suse enterprise sap 15 SP3	1.8.0-150200.5.6.1 fixed
suse enterprise sap 15 SP5	1.16.0-150500.3.6.1 fixed
suse enterprise sap 15 SP6	1.18.2-150600.4.3.1 fixed
suse enterprise sap 15 SP7	1.18.2-150600.4.3.1 fixed
suse enterprise server 15 SP2	1.8.0-150200.5.6.1 fixed
suse enterprise server 15 SP3	1.8.0-150200.5.6.1 fixed
suse enterprise server 15 SP4	1.10.1-150400.3.6.1 fixed
suse enterprise server 15 SP5	1.16.0-150500.3.6.1 fixed
suse enterprise server 15 SP6	1.18.2-150600.4.3.1 fixed
suse enterprise server 15 SP7	1.18.2-150600.4.3.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

flatpak

RHEL 7	0:1.0.9-13.el7_9 fixed
RHEL 8	0:1.12.9-1.el8_10 fixed
RHEL 8.2 AUS	0:1.6.2-7.el8_2 fixed
RHEL 8.4 AUS	0:1.8.5-5.el8_4 fixed
RHEL 8.4 E4S	0:1.8.5-5.el8_4 fixed
RHEL 8.4 TUS	0:1.8.5-5.el8_4 fixed
RHEL 8.6 AUS	0:1.8.7-2.el8_6 fixed
RHEL 8.6 E4S	0:1.8.7-2.el8_6 fixed
RHEL 8.6 TUS	0:1.8.7-2.el8_6 fixed
RHEL 8.8 AUS	0:1.10.7-2.el8_8 fixed
RHEL 8.8 E4S	0:1.10.7-2.el8_8 fixed
RHEL 8.8 EUS	0:1.10.7-2.el8_8 fixed
RHEL 8.8 TUS	0:1.10.7-2.el8_8 fixed
RHEL 9	0:1.12.9-1.el9_4 fixed

flatpak-builder

RHEL 7

0:1.0.0-13.el7_9

fixed

flatpak-devel

RHEL 7	0:1.0.9-13.el7_9 fixed
RHEL 8	0:1.12.9-1.el8_10 fixed
RHEL 8.8 AUS	0:1.10.7-2.el8_8 fixed
RHEL 8.8 E4S	0:1.10.7-2.el8_8 fixed
RHEL 8.8 EUS	0:1.10.7-2.el8_8 fixed
RHEL 8.8 TUS	0:1.10.7-2.el8_8 fixed
RHEL 9	0:1.12.9-1.el9_4 fixed

flatpak-libs

RHEL 7	0:1.0.9-13.el7_9 fixed
RHEL 8	0:1.12.9-1.el8_10 fixed
RHEL 8.2 AUS	0:1.6.2-7.el8_2 fixed
RHEL 8.4 AUS	0:1.8.5-5.el8_4 fixed
RHEL 8.4 E4S	0:1.8.5-5.el8_4 fixed
RHEL 8.4 TUS	0:1.8.5-5.el8_4 fixed
RHEL 8.6 AUS	0:1.8.7-2.el8_6 fixed
RHEL 8.6 E4S	0:1.8.7-2.el8_6 fixed
RHEL 8.6 TUS	0:1.8.7-2.el8_6 fixed
RHEL 8.8 AUS	0:1.10.7-2.el8_8 fixed
RHEL 8.8 E4S	0:1.10.7-2.el8_8 fixed
RHEL 8.8 EUS	0:1.10.7-2.el8_8 fixed
RHEL 8.8 TUS	0:1.10.7-2.el8_8 fixed
RHEL 9	0:1.12.9-1.el9_4 fixed

flatpak-selinux

RHEL 8	0:1.12.9-1.el8_10 fixed
RHEL 8.2 AUS	0:1.6.2-7.el8_2 fixed
RHEL 8.4 AUS	0:1.8.5-5.el8_4 fixed
RHEL 8.4 E4S	0:1.8.5-5.el8_4 fixed
RHEL 8.4 TUS	0:1.8.5-5.el8_4 fixed
RHEL 8.6 AUS	0:1.8.7-2.el8_6 fixed
RHEL 8.6 E4S	0:1.8.7-2.el8_6 fixed
RHEL 8.6 TUS	0:1.8.7-2.el8_6 fixed
RHEL 8.8 AUS	0:1.10.7-2.el8_8 fixed
RHEL 8.8 E4S	0:1.10.7-2.el8_8 fixed
RHEL 8.8 EUS	0:1.10.7-2.el8_8 fixed
RHEL 8.8 TUS	0:1.10.7-2.el8_8 fixed
RHEL 9	0:1.12.9-1.el9_4 fixed

flatpak-session-helper

RHEL 8	0:1.12.9-1.el8_10 fixed
RHEL 8.2 AUS	0:1.6.2-7.el8_2 fixed
RHEL 8.4 AUS	0:1.8.5-5.el8_4 fixed
RHEL 8.4 E4S	0:1.8.5-5.el8_4 fixed
RHEL 8.4 TUS	0:1.8.5-5.el8_4 fixed
RHEL 8.6 AUS	0:1.8.7-2.el8_6 fixed
RHEL 8.6 E4S	0:1.8.7-2.el8_6 fixed
RHEL 8.6 TUS	0:1.8.7-2.el8_6 fixed
RHEL 8.8 AUS	0:1.10.7-2.el8_8 fixed
RHEL 8.8 E4S	0:1.10.7-2.el8_8 fixed
RHEL 8.8 EUS	0:1.10.7-2.el8_8 fixed
RHEL 8.8 TUS	0:1.10.7-2.el8_8 fixed
RHEL 9	0:1.12.9-1.el9_4 fixed

Common Weakness Enumeration

CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

References

http://www.openwall.com/lists/oss-security/2024/04/18/5

https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d

https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97

https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e

https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931

https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/

http://www.openwall.com/lists/oss-security/2024/04/18/5

https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d

https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97

https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e

https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931

https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/