PT-2021-1501 · Flatpak+9

Published: 2020-09-24 · Updated: 2024-10-03 · CVE-2021-41133

CVSS v3.1: 8.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Flatpak versions prior to 1.10.4 and 1.12.0
Description: The issue stems from the seccomp filter not blocking mount-related system calls, which can be exploited to gain access to confidential data, compromise its integrity, and cause a denial of service. Flatpak apps with direct access to AF_UNIX sockets, such as those used by Wayland, PipeWire, or pipewire-pulse, can trick portals and other host-OS services into treating the Flatpak app as a non-sandboxed host-OS process. This is achieved by manipulating the VFS with recent mount-related syscalls to substitute a crafted /.flatpak-info or make that file disappear entirely. Protocols that operate entirely over the D-Bus session bus, system bus, or accessibility bus are not affected, because they pass through the xdg-dbus-proxy proxy process.
Recommendations: For versions prior to 1.10.4 and 1.12.0, upgrade to a patched version; patches exist for versions 1.10.4 and 1.12.0, and a patch for version 1.8.2 is planned. There is no workaround other than upgrading to a patched version. As a temporary risk reduction, consider restricting the use of AF_UNIX sockets, such as those used by Wayland, PipeWire, or pipewire-pulse, to minimize the risk of exploitation.
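A triage helper, added here and not part of the advisory, that compares an installed Flatpak version against the fix boundaries stated above (1.10.4 and 1.12.0; the 1.8 branch is treated as unpatched because only a planned patch is mentioned). Reading the version from `flatpak --version` and treating the 1.11.x development series as pre-1.12.0 are assumptions.

```python
import re
import subprocess

# Fix boundaries as stated in the advisory: 1.10.4 and 1.12.0 contain the
# fix; the 1.8 branch only has a planned patch, so it is treated as
# unpatched here. 1.11.x is assumed to be the development series that
# precedes 1.12.0 and therefore also unpatched (assumption).
FIXED_IN = [(1, 10, 4), (1, 12, 0)]


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '1.12.1' or the
    'Flatpak 1.12.1' line printed by `flatpak --version` (assumed format)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version):
    """True when `version` predates every fixed release on its branch."""
    v = parse_version(version) if isinstance(version, str) else version
    # Any release at or beyond the newest fix line is patched.
    if v >= FIXED_IN[-1]:
        return False
    # Otherwise it is patched only if it sits on a branch that received a
    # backport (same major.minor) and is at or above that backport.
    for fixed in FIXED_IN[:-1]:
        if v[:2] == fixed[:2]:
            return v < fixed
    return True


def installed_flatpak_version():
    """Return the version tuple of the locally installed flatpak, or None."""
    try:
        out = subprocess.run(["flatpak", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_version(out)


if __name__ == "__main__":
    v = installed_flatpak_version()
    if v is None:
        print("flatpak not found")
    else:
        state = "VULNERABLE" if is_vulnerable(v) else "patched"
        print(f"flatpak {'.'.join(map(str, v))}: {state} (CVE-2021-41133)")
```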

Fix · RCE

Related Identifiers

ALEA-2021:4539
ALSA-2021:4042
ALT-PU-2020-2869
ALT-PU-2021-3016
ALT-PU-2021-3551
BDU:2022-00259
CESA-2021_4042
CESA-2021_4044
CVE-2021-41133
DSA-4984-1
GHSA-67H7-W3JQ-VH4Q
MGASA-2021-0486
OESA-2021-1404
OPENSUSE-SU-2021:1400-1
OPENSUSE-SU-2021:3472-1
OPENSUSE-SU-2021_1400-1
OPENSUSE-SU-2021_3472-1
OPENSUSE-SU-2024:11574-1
RHSA-2021:4042
RHSA-2021:4044
RHSA-2021:4106
RHSA-2021:4107
RHSA-2021_4042
RHSA-2021_4044
RLSA-2021:4042
ROSA-SA-2024-2487
SUSE-SU-2021:3472-1
SUSE-SU-2021_3472-1
SUSE-SU-2022:3284-1
SUSE-SU-2022:3439-1
SUSE-SU-2022_3439-1
USN-5191-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Flatpak
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu