Flatpak Vulnerability Allows Sandbox Isolation Bypass

A recently disclosed vulnerability (CVE-2024-32462) has been found in Flatpak, a toolkit for building self-contained packages that are not tied to a specific Linux distribution and are isolated from the rest of the system. The flaw allows a malicious or compromised application shipped in a Flatpak package to bypass the sandbox isolation and gain access to files in the host system. The issue affects packages using Freedesktop portals, specifically xdg-desktop-portal, which mediate access to user resources from isolated applications. The vulnerability has been fixed in Flatpak 1.15.8, 1.14.6, 1.12.9, and 1.10.9. Additionally, protection against the bypass is included in the xdg-desktop-portal 1.16.1 and 1.18.4 releases.

Exploiting the vulnerability lets an application inside the isolated environment use the xdg-desktop-portal interface to create a .desktop launcher file that starts an application from Flatpak, thereby gaining access to files in the host system. The escape from the isolated environment relies on manipulating the "--command" parameter, which passes the name of the program in the Flatpak package that should be launched inside the isolated environment. Flatpak invokes the bwrap utility to set up the isolated environment, and when the program name begins with "-", bwrap misinterprets it as one of its own options. For example, running "flatpak run --command=ls org.gnome.gedit" actually executes "bwrap ls org.gnome.gedit".

The vulnerability is made worse by the Flatpak D-Bus interface "org.freedesktop.portal.Background.RequestBackground", which allows the application to specify any command to be executed via "flatpak run --command", including ones starting with "-". The assumption that any commands
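As an added illustration (not code from the Flatpak or xdg-desktop-portal projects), the Python script below shows the defender-side view of the two passages above: it parses the Exec= line of autostart .desktop launchers, extracts the value passed to "flatpak run --command", and flags values that begin with "-" because bwrap would parse them as options; it also contains the kind of validation check a launcher can apply to a command name before passing it on. The sample .desktop contents are constructed, the autostart directory ~/.config/autostart is an assumption about where such launchers are written, and all function names are mine.

```python
"""Flag 'flatpak run --command=<value>' launchers whose command value would be
parsed by bwrap as an option (value starts with '-'), the argument-injection
pattern behind CVE-2024-32462. Added example; not Flatpak/xdg-desktop-portal code.
Assumption: autostart launchers are .desktop files under ~/.config/autostart."""
import shlex
from pathlib import Path

# Constructed sample .desktop contents (not taken from any real system).
SAMPLE_DESKTOP_FILES = {
    "benign.desktop": (
        "[Desktop Entry]\nType=Application\nName=Editor\n"
        "Exec=flatpak run --command=gedit org.gnome.gedit\n"
    ),
    "suspicious.desktop": (
        "[Desktop Entry]\nType=Application\nName=Editor\n"
        "Exec=/usr/bin/flatpak run --command=--help org.gnome.gedit\n"
    ),
    "no_command.desktop": (
        "[Desktop Entry]\nType=Application\nName=Editor\n"
        "Exec=flatpak run org.gnome.gedit\n"
    ),
}


def exec_line(desktop_text):
    """Return the value of the first Exec= key in a .desktop file, or None."""
    for line in desktop_text.splitlines():
        if line.startswith("Exec="):
            return line[len("Exec="):]
    return None


def flatpak_command_value(exec_value):
    """Return the value given to --command in a 'flatpak run' Exec line, or None
    when the line is not a flatpak run invocation or carries no --command."""
    try:
        argv = shlex.split(exec_value)
    except ValueError:  # unbalanced quotes: not something we can reason about
        return None
    if len(argv) < 2 or Path(argv[0]).name != "flatpak" or argv[1] != "run":
        return None
    for i, arg in enumerate(argv[2:], start=2):
        if arg.startswith("--command="):
            return arg[len("--command="):]
        if arg == "--command" and i + 1 < len(argv):
            return argv[i + 1]
    return None


def is_safe_command_name(command):
    """A command name that starts with '-' would be consumed by bwrap as an option."""
    return bool(command) and not command.startswith("-")


def validated_command(command):
    """Mitigation side: the check a launcher can apply before forwarding --command."""
    if not is_safe_command_name(command):
        raise ValueError(f"refusing command {command!r}: empty or starts with '-'")
    return command


def scan_desktop_texts(files):
    """Detection side: (file name, offending --command value) for each launcher
    whose command value would be parsed as a bwrap option."""
    findings = []
    for name, text in files.items():
        ex = exec_line(text)
        if ex is None:
            continue
        cmd = flatpak_command_value(ex)
        if cmd is not None and not is_safe_command_name(cmd):
            findings.append((name, cmd))
    return findings


def scan_autostart_dir(directory=Path.home() / ".config" / "autostart"):
    """Run the scan over real launcher files (assumed location)."""
    if not directory.is_dir():
        return []
    files = {p.name: p.read_text(errors="replace") for p in directory.glob("*.desktop")}
    return scan_desktop_texts(files)


if __name__ == "__main__":
    for name, cmd in scan_desktop_texts(SAMPLE_DESKTOP_FILES):
        print(f"{name}: --command value {cmd!r} would be parsed as a bwrap option")
```

The detection half only reports; what to do with a hit (remove the launcher, inspect the installing application) is an operator decision. The validation half is the simplest form of the check: reject the name outright rather than try to escape it, since the value is a positional argument that must never look like an option to the program that receives it.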
