PT-2024-2946 · Flatpak+10
Author: Gergo Koteles
Published: 2024-04-18
Updated: 2025-10-02
CVE-2024-32462
CVSS v3.1: 8.4 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Flatpak versions prior to 1.10.9
Flatpak versions prior to 1.12.9
Flatpak versions prior to 1.14.6
Flatpak versions prior to 1.15.8
Description
This is a sandbox escape vulnerability in Flatpak, a system for building, distributing, and running sandboxed desktop applications on Linux. A malicious or compromised Flatpak app could execute arbitrary code outside its sandbox by passing bwrap arguments (such as --bind) through the --command option. This can be achieved by passing an arbitrary command line to the portal interface org.freedesktop.portal.Background.RequestBackground from within a Flatpak app. The vulnerability can be used to escape the sandbox and access files on the underlying system.
Recommendations
For versions prior to 1.10.9, update to version 1.10.9 or later.
For versions prior to 1.12.9, update to version 1.12.9 or later.
For versions prior to 1.14.6, update to version 1.14.6 or later.
For versions prior to 1.15.8, update to version 1.15.8 or later.
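The two mitigations this advisory recommends (a -- terminator that makes bwrap stop processing options, and the xdg-desktop-portal 1.18.4 rule that rejects commands starting with --) can be checked in a handler that receives the requested command as a list of strings. The following is an added example written for this page; it is not Flatpak or xdg-desktop-portal code, and the function names, the argv-as-list interface and the use of argparse as a stand-in for a getopt-style parser are assumptions of the example.

```python
# Added example (not Flatpak or xdg-desktop-portal code). It models the two
# mitigations this advisory describes for CVE-2024-32462: the portal rule that
# a background command must not start with "--", and the "--" terminator that
# makes an option parser such as bwrap stop processing options. The function
# names and the argv-as-list handler interface are assumptions of this example.
import argparse


def is_acceptable_background_command(argv: list[str]) -> bool:
    """Rule modelled on xdg-desktop-portal 1.18.4: accept only a non-empty
    command whose first token (the executable) does not start with "--".
    Later tokens are the app's own arguments and may legitimately start
    with "--", so only argv[0] is checked."""
    if not argv or not argv[0]:
        return False
    return not argv[0].startswith("--")


def with_option_terminator(sandbox_options: list[str], command: list[str]) -> list[str]:
    """Compose an argv in which "--" ends option processing before the
    untrusted command. Anything after "--" (for example "--bind") is then
    passed through as a plain argument instead of being parsed as an option."""
    return [*sandbox_options, "--", *command]


def parse_like_an_option_parser(argv: list[str]) -> dict:
    """Show the "--" convention with argparse as a stand-in for any
    getopt-style parser (bwrap itself is not invoked here). A "--bind"
    token is treated as an option only when it appears before "--"."""
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--bind", nargs=2, default=None)  # stand-in for an option
    parser.add_argument("command", nargs="*")              # everything after "--"
    ns = parser.parse_args(argv)
    return {"bind": ns.bind, "command": ns.command}


def demo() -> None:
    # Constructed inputs: a benign command and an option-like first token.
    print(is_acceptable_background_command(["myapp", "--autostart"]))  # True
    print(is_acceptable_background_command(["--bind", "a", "b"]))      # False
    # Without the terminator the option-like token is parsed as an option;
    # with it, the same tokens become inert command arguments.
    print(parse_like_an_option_parser(["--bind", "a", "b"]))
    print(parse_like_an_option_parser(with_option_terminator([], ["--bind", "a", "b"])))


if __name__ == "__main__":
    demo()
```

The first check is the portal-side rule and needs no knowledge of bwrap; the second shows why the -- workaround is effective on the sandbox side: once the terminator is in place, an option-like token in the requested command is delivered as data, not interpreted.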
As a temporary workaround, consider passing the -- argument to bwrap, which makes it stop processing options. Additionally, xdg-desktop-portal version 1.18.4 mitigates this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --.
Exploit
Fix
Weakness Enumeration
Argument Injection
Related Identifiers
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
Flatpak
Red Hat
RED OS
Rocky Linux
SUSE
bwrap
xdg-desktop-portal