CVE-2022-21682

Name
CVE-2022-21682
Description
Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx
MISC https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa
MISC https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/
DEBIAN https://www.debian.org/security/2022/dsa-5049
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/
security-advisories@github.com https://security.gentoo.org/glsa/202312-12

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:* flatpak >= None < 1.10.7
cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:* flatpak >= 1.11.1 < 1.12.4
cpe:2.3:a:flatpak:flatpak-builder:*:*:*:*:*:*:*:* flatpak-builder >= None < 1.2.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
flatpak-builder 3.15-community 1.0.14-r0 André Klitzing <aklitzing@gmail.com> possibly vulnerable
flatpak 3.15-community 1.12.5-r0 André Klitzing <aklitzing@gmail.com> fixed
flatpak-builder 3.16-community 1.2.2-r0 André Klitzing <aklitzing@gmail.com> fixed