CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

Bug #2062406 reported by Simon McVittie
This bug affects 6 people
Affects            Status        Importance  Assigned to   Milestone
flatpak (Ubuntu)   Fix Released  High        Jeremy Bícha
  Jammy            Confirmed     Undecided   Unassigned
  Mantic           Confirmed     Undecided   Unassigned

Bug Description

Upstream advisory: https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj

If possible, please sync 1.14.6-1 from Debian instead of backporting fixes. That version only fixes the security issue and one other high-visibility bug (app developer names showing in the CLI as though they were the app's name).

https://github.com/flatpak/flatpak/compare/1.14.5...1.14.6

Simon McVittie (smcv)
information type: Private Security → Public Security
Jeremy Bícha (jbicha)
Changed in flatpak (Ubuntu):
status: New → In Progress
assignee: nobody → Jeremy Bícha (jbicha)
importance: Undecided → High
Jeremy Bícha (jbicha)
tags: added: noble upgrade-software-version
description: updated
Jeremy Bícha (jbicha)
Changed in flatpak (Ubuntu):
status: In Progress → Fix Committed
Jeremy Bícha (jbicha) wrote (last edit):

I'm manually closing the bug now since it was accepted into noble-proposed without a LP bug number. I'll watch to make sure it migrates to the noble release.

https://launchpad.net/ubuntu/+source/flatpak/1.14.6-1

Changed in flatpak (Ubuntu):
status: Fix Committed → Fix Released
Jeff (jeff09) wrote :

Covering just Noble isn't really enough with Mantic and Jammy still providing vulnerable packages according to the advisory listing affected versions as:
- < 1.10.9
- 1.12.x < 1.12.9
- 1.14.x < 1.14.6
- 1.15.x < 1.15.8

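A check of an installed Flatpak version against the four ranges quoted in the comment above, as an added example (not part of the Launchpad thread or the flatpak project's own code); it assumes those ranges are the advisory's complete list and treats unlisted development branches (1.11.x, 1.13.x) as not affected.

```python
"""Check a Flatpak version string against the affected ranges listed for
CVE-2024-32462 (GHSA-phv6-cpc2-2fgj). Added example; the ranges are the
ones quoted in the thread, not a live feed from the advisory."""
import re
import subprocess
import sys

# (branch, first_fixed): branch None means "every version below first_fixed",
# which is how the advisory's "< 1.10.9" entry reads.
AFFECTED_RANGES = [
    (None, (1, 10, 9)),
    ((1, 12), (1, 12, 9)),
    ((1, 14), (1, 14, 6)),
    ((1, 15), (1, 15, 8)),
]


def parse_version(text):
    """Return (major, minor, patch) from '1.14.6', a Debian package version
    such as '1.14.6-1' (revision dropped) or `flatpak --version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(text):
    """True if the version falls inside one of the listed affected ranges.
    Versions on branches the advisory does not list (e.g. 1.11.x) return
    False here; that is an assumption of this example, not a statement of
    the advisory."""
    version = parse_version(text)
    for branch, first_fixed in AFFECTED_RANGES:
        if branch is None:
            if version < first_fixed:
                return True
        elif version[:2] == branch and version < first_fixed:
            return True
    return False


if __name__ == "__main__":
    # Use the version given on the command line, else ask the local binary.
    source = sys.argv[1] if len(sys.argv) > 1 else subprocess.run(
        ["flatpak", "--version"], capture_output=True, text=True).stdout
    print("affected" if is_affected(source) else "not in an affected range")
```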
Jeremy Bícha (jbicha) wrote :

I'm not working on the stable security updates now but I opened tasks for them in case someone else wants to contribute.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in flatpak (Ubuntu Jammy):
status: New → Confirmed
Changed in flatpak (Ubuntu Mantic):
status: New → Confirmed
Simon McVittie (smcv) wrote :

This also affects focal, bionic, and older LTS suites.

If it's possible to update focal to 1.12.9 from the upstream 1.12.x stable branch, that would also resolve LP: #2063034 and LP: #2063035. There isn't much point in the upstream developers doing 1.12.x releases if distributions aren't going to pick them up.

Jeff (jeff09) wrote :

While I'm not fully familiar with how things are done here, is it really sensible that the "Fix Released" status prevents search on the main page from even finding this issue?

We aren't far from the upstream fixes being available for a week already without any of the supported releases of Ubuntu getting a fix, and even the visibility of the problem is significantly limited.

It's a sandbox escape vulnerability, therefore privilege escalation. Upstream took it seriously, as smcv mentioned there are even multiple fixed versions to choose from to update to, but regular users don't even get to know that they have been affected by a vulnerability marked with high severity upstream for so long.

Jeremy Bícha (jbicha) wrote :

Jeff, that's just how Launchpad is configured. Sorry.

But there is a better way to look for security issues in a package than trying to navigate Launchpad:

https://ubuntu.com/security/cves?package=flatpak

This report contains Public Security information  
Everyone can see this security related information.
