PT-2021-14370 · Flatpak+6
Simon McVittie · Published 2021-01-14 · Updated 2024-06-15
CVE-2021-21261 · CVSS v3.1 7.3 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Flatpak versions 0.11.4 through 1.8.4
Flatpak versions 1.9.0 through 1.9.3
Description:
A bug was discovered in the flatpak-portal service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the flatpak run command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the flatpak run command, and use them to execute arbitrary code that is not in a sandbox.
Recommendations:
For versions 0.11.4 through 1.8.4, update to version 1.8.5 or later.
For versions 1.9.0 through 1.9.3, update to version 1.9.4 or later.
As a temporary workaround, consider preventing the flatpak-portal service from starting, but this mitigation will prevent many Flatpak apps from working correctly.
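The following is an added example, not code from this advisory or from the Flatpak project. It models the bug class the description above refers to: a portal-like service that merges caller-supplied environment variables into the environment of a non-sandboxed host helper (the vulnerable pattern), beside the same service forwarding those variables only as opaque data to be applied inside the new sandbox (the hardened pattern). It also checks a `flatpak --version` string against the affected ranges listed above, which is the check a practitioner would run before applying the recommendations. The host helper, the variable name PORTAL_DEMO_TRUSTED and the sample value are constructed for the demonstration; the hardened pattern illustrates the principle (keep the host process's own environment untouched) and is not a copy of Flatpak's actual fix.

```python
"""Added example for CVE-2021-21261: version check against the advisory's
affected ranges, plus a toy model of the bug class (caller-controlled
environment reaching a non-sandboxed host process) next to a hardened form."""
import os
import subprocess
import sys

# Affected ranges exactly as stated in the advisory (inclusive bounds).
AFFECTED_RANGES = (((0, 11, 4), (1, 8, 4)), ((1, 9, 0), (1, 9, 3)))


def parse_version(text):
    """Accept '1.8.4' or the `flatpak --version` output 'Flatpak 1.8.4'."""
    return tuple(int(part) for part in text.split()[-1].split("."))


def is_affected(version_text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Constructed stand-in for the host-side helper (`flatpak run` in the real
# bug). It reports what its *own* process environment holds for the probed
# variable, and which variables it received merely as data arguments that a
# real implementation would apply inside the sandbox, not on the host.
HOST_HELPER = (
    "import os, sys\n"
    "print('env=' + os.environ.get(sys.argv[1], ''))\n"
    "print('data=' + ' '.join(sys.argv[2:]))\n"
)


def _run_helper(argv, env):
    """Execute the helper with the given environment; parse its two report lines."""
    out = subprocess.run([sys.executable, "-c", HOST_HELPER, *argv],
                         env=env, capture_output=True, text=True, check=True)
    result = {}
    for line in out.stdout.splitlines():
        key, _, value = line.partition("=")
        result[key] = value
    return result


def spawn_vulnerable(caller_env, probe):
    """Vulnerable pattern: the caller's variables are merged into the
    environment of the host process before it is executed, so any variable
    that process trusts is now attacker-controlled."""
    env = dict(os.environ)
    env.update(caller_env)          # attacker input reaches the host process
    return _run_helper([probe], env)


def spawn_hardened(caller_env, probe):
    """Hardened pattern: the host process keeps its own environment; the
    caller's variables travel as opaque data (argv here; a file descriptor
    would do equally) and are only ever applied inside the new sandbox."""
    data = ["%s=%s" % (k, v) for k, v in caller_env.items()]
    return _run_helper([probe, *data], dict(os.environ))


if __name__ == "__main__":
    for v in ("Flatpak 1.8.4", "1.8.5", "1.9.3", "1.9.4"):
        print(v, "affected" if is_affected(v) else "not affected")
    # Constructed variable name and value: in the real bug the interesting
    # variables are whichever ones the host-side command trusts.
    hostile = {"PORTAL_DEMO_TRUSTED": "/tmp/constructed-evil.so"}
    print("vulnerable:", spawn_vulnerable(hostile, "PORTAL_DEMO_TRUSTED"))
    print("hardened:  ", spawn_hardened(hostile, "PORTAL_DEMO_TRUSTED"))
```

Run it with no arguments: in the vulnerable path the helper's `env` field carries the attacker's value, meaning a host process started outside any sandbox is now running with attacker-chosen environment; in the hardened path `env` is empty and the value appears only under `data`, where the receiving side can apply it after the sandbox is set up. The version check is deliberately strict about the two ranges, so a distribution build whose version string is outside them (for example a patched 1.8.5) is reported as not affected.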
Weakness Enumeration
Special Elements Injection
Related Identifiers
Affected Products
Alt Linux
Centos
Flatpak
Linuxmint
Red Hat
Suse
Ubuntu