[Pkg-utopia-maintainers] Bug#995935: flatpak: GHSA-67h7-w3jq-vh4q: sandbox escape via recent VFS syscalls

Simon McVittie smcv at debian.org
Fri Oct 8 20:53:37 BST 2021


On Fri, 08 Oct 2021 at 12:50:18 +0100, Simon McVittie wrote:
> Flatpak 1.12.0 and 1.10.4 fix a security vulnerability in the portal
> support. Some recently added syscalls were not blocked by the seccomp
> rules which allowed the application to create sub-sandboxes which can
> confuse the sandboxing verification mechanisms of the portal. This has
> been addressed by extending the seccomp rules.

Unfortunately, this has caused regressions, which are fixed in 1.12.1
and 1.10.5, at the cost of weakening the protection against the
vulnerability (it will now "fail open" for syscalls that libseccomp does
not know about).

I'm continuing to look into this upstream, but a full solution is likely
to require a new version of bubblewrap, because bubblewrap can currently
only add one seccomp filter, but I don't think we can achieve the desired
semantics without adding a second seccomp filter. If you can help, please
contact https://github.com/flatpak/flatpak/pull/4462 or
flatpak-security at lists.freedesktop.org.

I don't think the upstream solution is sufficiently settled yet to be
issuing stable updates for this.

    smcv
