CVE-2021-21381

NameCVE-2021-21381
DescriptionFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit "`Disallow @@ and @@U usage in desktop files`". The follow-up commits "`dir: Reserve the whole @@ prefix`" and "`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-4868-1
Debian Bugs984859

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
flatpak (PTS)stretch0.8.9-0+deb9u3fixed
stretch (security), stretch (lts)0.8.9-0+deb9u2fixed
buster (security), buster, buster (lts)1.2.5-0+deb10u4fixed
bullseye (security), bullseye1.10.8-0+deb11u2fixed
bookworm (security), bookworm1.14.10-1~deb12u1fixed
sid, trixie1.14.10-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
flatpaksourcestretch(not affected)
flatpaksourcebuster1.2.5-0+deb10u4DSA-4868-1
flatpaksource(unstable)1.10.1-4984859

Notes

[stretch] - flatpak <not-affected> (Vulnerable code introduced later)
https://github.com/flatpak/flatpak/issues/4146
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp

Search for package or bug name: Reporting problems