PT-2024-5878 · Flatpak+12
Chrisawi · Published 2024-08-14 · Updated 2025-11-19
CVE-2024-42472
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Flatpak versions prior to 1.14.0 and 1.15.10
Description
The issue lies in how Flatpak handles persistent directories. When an application's permissions use the persistent=subdir option, Flatpak creates a bind mount for that directory; if the source directory is replaced with a symlink, the bind mount can be exploited, allowing a malicious or compromised Flatpak app to access and write files outside its intended sandbox. Patching Flatpak alone with the relevant commits only partially mitigates the issue: a complete fix requires updating or patching the copy of bubblewrap that Flatpak uses so that it gains a new option, and then patching Flatpak to use that option.
Recommendations
For versions prior to 1.14.0 and 1.15.10, update to Flatpak 1.14.10 or 1.15.10, which include the necessary patches for bubblewrap.
If Flatpak was configured at build time with -Dsystem_bubblewrap=bwrap or a similar option, patch the system copy of bubblewrap, typically /usr/bin/bwrap.
If Flatpak was configured at build time with -Dsystem_bubblewrap= (empty) or without system bubblewrap, patch the bundled copy of bubblewrap, typically /usr/libexec/flatpak-bwrap.
As a temporary workaround, avoid using applications that use the persistent (--persist) permission.
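As an added example (not code from the advisory or from the Flatpak project), a POSIX shell audit a defender can run on a host: it classifies a Flatpak version against the fix releases named in the Recommendations (1.14.10 and 1.15.10; treating every older release, including 1.14.x and 1.15.x below those, as unfixed is an assumption drawn from those numbers) and lists which installed apps request persistent directories, by parsing the persistent= key in the [Context] block that `flatpak info --show-permissions` prints. The sample metadata and the app id org.example.Editor are constructed.

```sh
# Added audit example; not code from the advisory or from Flatpak itself.
# flatpak_status VERSION -> prints "vulnerable" or "fixed".
# Accepts "1.14.4" or the raw output of `flatpak --version` ("Flatpak 1.14.4").
# Assumption: 1.14.x < 1.14.10, 1.15.x < 1.15.10 and anything older are unfixed.
flatpak_status() {
    v=${1#Flatpak }
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}           # drop suffixes such as "-1" or "rc1"
    [ -n "$patch" ] || patch=0
    if [ "$major" -gt 1 ]; then
        echo fixed
    elif [ "$major" -lt 1 ] || [ "$minor" -lt 14 ]; then
        echo vulnerable
    elif [ "$minor" -eq 14 ] || [ "$minor" -eq 15 ]; then
        if [ "$patch" -ge 10 ]; then echo fixed; else echo vulnerable; fi
    else
        echo fixed
    fi
}
# persistent_dirs < METADATA -> one persisted subdirectory per line.
# Parses the persistent= key of the [Context] block that
# `flatpak info --show-permissions APP` prints (empty output = no --persist).
persistent_dirs() {
    sed -n 's/^persistent=//p' | tr ';' '\n' | sed '/^$/d'
}
# Constructed sample in the layout flatpak prints; org.example.Editor is not a real app.
SAMPLE_METADATA='[Context]
shared=network;ipc;
filesystems=xdg-download;
persistent=.config/example-editor;.cache/example-editor;'
# audit_host: on a real host, report the Flatpak version and every app that requests --persist.
audit_host() {
    command -v flatpak >/dev/null 2>&1 || { echo "flatpak not installed"; return 0; }
    ver=$(flatpak --version)
    echo "$ver: $(flatpak_status "$ver")"
    flatpak list --columns=application | while read -r app; do
        dirs=$(flatpak info --show-permissions "$app" | persistent_dirs | tr '\n' ' ')
        if [ -n "$dirs" ]; then echo "$app requests persistent: $dirs"; fi
    done
}
```

Call `audit_host` on the host to be checked; apps it reports should be kept closed until the Flatpak and bubblewrap patches above are in place.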
Weakness Enumeration
Special Elements Injection
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Flatpak
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Bubblewrap