Flatpak up to 1.10.5/1.12.2 Metadata File privilege escalation

A vulnerability classified as critical has been found in Flatpak up to 1.10.5/1.12.2. An unknown function of the component Metadata File Handler is affected by this vulnerability. Upgrading to version 1.10.6 or 1.12.3 eliminates this vulnerability. The upgrade can be downloaded from github.com. Applying the patch 54ec1a482dfc668127eaae57f135e6a8e0bc52da eliminates the problem. The patch can be downloaded from github.com. The best suggested way to mitigate the problem is to upgrade to the latest version.

| Field | 2022-01-13 06:29 | 2022-01-15 11:46 | 2022-01-15 11:53 |
|---|---|---|---|
| name | Flatpak | Flatpak | Flatpak |
| version | <=1.10.5/1.12.2 | <=1.10.5/1.12.2 | <=1.10.5/1.12.2 |
| component | Metadata File Handler | Metadata File Handler | Metadata File Handler |
| cwe | 269 (privilege escalation) | 269 (privilege escalation) | 269 (privilege escalation) |
| risk | 2 | 2 | 2 |
| cvss3_vuldb_av | N | N | N |
| cvss3_vuldb_ac | L | L | L |
| cvss3_vuldb_pr | L | L | L |
| cvss3_vuldb_ui | N | N | N |
| cvss3_vuldb_s | U | U | U |
| cvss3_vuldb_c | H | H | H |
| cvss3_vuldb_i | H | H | H |
| cvss3_vuldb_a | H | H | H |
| cvss3_vuldb_rl | O | O | O |
| cvss3_vuldb_rc | C | C | C |
| cvss3_cna_av | L | L | L |
| cvss3_cna_ac | L | L | L |
| cvss3_cna_pr | N | N | N |
| cvss3_cna_ui | R | R | R |
| cvss3_cna_s | C | C | C |
| cvss3_cna_c | H | H | H |
| cvss3_cna_i | H | H | H |
| cvss3_cna_a | N | N | N |
| identifier | GHSA-qpjc-vq3c-572j | GHSA-qpjc-vq3c-572j | GHSA-qpjc-vq3c-572j |
| url | https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j | https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j | https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j |
| name | Upgrade | Upgrade | Upgrade |
| upgrade_version | 1.10.6/1.12.3 | 1.10.6/1.12.3 | 1.10.6/1.12.3 |
| upgrade_url | https://github.com/flatpak/flatpak/releases/tag/1.12.3 | https://github.com/flatpak/flatpak/releases/tag/1.12.3 | https://github.com/flatpak/flatpak/releases/tag/1.12.3 |
| patch_name | 54ec1a482dfc668127eaae57f135e6a8e0bc52da | 54ec1a482dfc668127eaae57f135e6a8e0bc52da | 54ec1a482dfc668127eaae57f135e6a8e0bc52da |
| patch_url | https://github.com/flatpak/flatpak/commit/54ec1a482dfc668127eaae57f135e6a8e0bc52da | https://github.com/flatpak/flatpak/commit/54ec1a482dfc668127eaae57f135e6a8e0bc52da | https://github.com/flatpak/flatpak/commit/54ec1a482dfc668127eaae57f135e6a8e0bc52da |
| cve | CVE-2021-43860 | CVE-2021-43860 | CVE-2021-43860 |
| cve_assigned | 1637017200 (2021-11-16) | 1637017200 (2021-11-16) | 1637017200 (2021-11-16) |
| cve_cna | GitHub, Inc. | GitHub, Inc. | GitHub, Inc. |
| date | 1642028400 (2022-01-13) | 1642028400 (2022-01-13) | 1642028400 (2022-01-13) |
| cvss2_vuldb_av | N | N | N |
| cvss2_vuldb_ac | L | L | L |
| cvss2_vuldb_ci | C | C | C |
| cvss2_vuldb_ii | C | C | C |
| cvss2_vuldb_ai | C | C | C |
| cvss2_vuldb_rc | C | C | C |
| cvss2_vuldb_rl | OF | OF | OF |
| cvss2_vuldb_au | S | S | S |
| cvss2_vuldb_e | ND | ND | ND |
| cvss3_vuldb_e | X | X | X |
| cvss3_cna_basescore | 8.2 | 8.2 | 8.2 |
| cvss2_vuldb_basescore | 9.0 | 9.0 | 9.0 |
| cvss2_vuldb_tempscore | 7.8 | 7.8 | 7.8 |
| cvss3_vuldb_basescore | 8.8 | 8.8 | 8.8 |
| cvss3_vuldb_tempscore | 8.4 | 8.4 | 8.4 |
| cvss3_meta_basescore | 8.5 | 8.5 | 8.5 |
| cvss3_meta_tempscore | 8.3 | 8.3 | 8.3 |
| price_0day | $0-$5k | $0-$5k | $0-$5k |

confirm_url (present in two of the three revisions): https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j

cve_nvd_summary (present in two of the three revisions, same text in both): Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "xa.metadata" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the *actual* metadata, from the "metadata" file to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from *before* the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata.
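
The truncation the NVD summary describes, as an added example (not Flatpak's code or its patch): a C-string comparison of the displayed metadata against the file contents, beside a length-aware comparison that rejects an embedded NUL. The buffers, the function names and the placeholder bytes after the NUL are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: text shown at install time (the xa.metadata value). */
static const char shown[] = "[Context]\nshared=network;\n";

/* Constructed sample: a "metadata" file with the same prefix, an embedded
 * NUL byte, and placeholder bytes after it. */
static const char on_disk[] =
    "[Context]\nshared=network;\n\0PLACEHOLDER-AFTER-NUL\n";

/* C-string comparison: strcmp stops at the first NUL, so bytes that follow
 * an embedded NUL in the file are never compared. */
bool matches_as_cstring(const char *shown_txt, const char *file_buf)
{
    return strcmp(shown_txt, file_buf) == 0;
}

/* Length-aware comparison: the file is handled as (pointer, length).
 * Any NUL inside the file is rejected, then every byte must match. */
bool matches_strict(const char *shown_txt, size_t shown_len,
                    const char *file_buf, size_t file_len)
{
    if (memchr(file_buf, '\0', file_len) != NULL)
        return false;               /* embedded NUL: refuse the file */
    if (shown_len != file_len)
        return false;
    return memcmp(shown_txt, file_buf, file_len) == 0;
}

/* Offset of the first NUL inside the buffer, or -1 when there is none. */
long first_nul_offset(const char *buf, size_t len)
{
    const char *p = memchr(buf, '\0', len);
    return p ? (long)(p - buf) : -1;
}

int main(void)
{
    size_t sl = sizeof(shown) - 1, fl = sizeof(on_disk) - 1;
    printf("cstring compare says match: %d\n", matches_as_cstring(shown, on_disk));
    printf("strict compare says match:  %d\n", matches_strict(shown, sl, on_disk, fl));
    printf("first NUL at offset %ld of %zu bytes\n", first_nul_offset(on_disk, fl), fl);
    return 0;
}
```

The same `memchr` check applies to the workaround in the summary: when inspecting an installed app's metadata file by hand, a NUL byte anywhere before end-of-file means the text a viewer displays may not be the whole file.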
