Lucene search

K
ubuntucveUbuntu.comUB:CVE-2021-41133
HistoryOct 08, 2021 - 12:00 a.m.

CVE-2021-41133

2021-10-0800:00:00
ubuntu.com
ubuntu.com
10

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

17.0%

Flatpak is a system for building, distributing, and running sandboxed
desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0,
Flatpak apps with direct access to AF_UNIX sockets such as those used by
Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS
services into treating the Flatpak app as though it was an ordinary,
non-sandboxed host-OS process. They can do this by manipulating the VFS
using recent mount-related syscalls that are not blocked by Flatpak’s
denylist seccomp filter, in order to substitute a crafted /.flatpak-info
or make that file disappear entirely. Flatpak apps that act as clients for
AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse
can escalate the privileges that the corresponding services will believe
the Flatpak app has. Note that protocols that operate entirely over the
D-Bus session bus (user bus), system bus or accessibility bus are not
affected by this. This is due to the use of a proxy process
xdg-dbus-proxy, whose VFS cannot be manipulated by the Flatpak app, when
interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0,
and as of time of publication, a patch for version 1.8.2 is being planned.
There are no workarounds aside from upgrading to a patched version.

Bugs

Notes

Author Note
alexmurray Requires libseccomp>=2.5.0 - this is only in the updates pocket in focal and bionic so libseccomp needs to be published to the security pocket in those releases as well to ensure this vulnerability is properly mitigated.
OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchflatpak< 1.0.9-0ubuntu0.4UNKNOWN
ubuntu20.04noarchflatpak< 1.6.5-0ubuntu0.4UNKNOWN
ubuntu21.04noarchflatpak< 1.10.2-1ubuntu1.1UNKNOWN
ubuntu21.10noarchflatpak< 1.10.2-3ubuntu0.1UNKNOWN

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

17.0%