Flatpak Patch Addresses Major Sandbox Escape Flaw

Critical CVE-2024-32462 exposed in Flatpak, allowing unauthorized code execution. Update urgently to fixed versions 1.14.6 and above.

Linux users who rely on Flatpak to run sandboxed desktop applications might want to pay attention to a recent discovery.

A new vulnerability identified as CVE-2024-32462 has been found in Flatpak, potentially allowing malicious applications to execute commands outside of their secure environment.

Typically, applications running in Flatpak are limited to a secure environment where they can’t interact with the broader system. This setup is supposed to prevent any rogue app from harming the underlying system.

However, Gergo Koteles recently discovered a flaw where a Flatpak application could bypass this security through a mechanism involving the xdg-desktop-portal interface.

The flaw centers on misuse of the --command parameter, which can be tricked into executing additional commands. By supplying a sequence that includes --bind, an attacker can cause arbitrary commands to run outside the Flatpak sandbox.

This could potentially allow a compromised application to cause broader harm to the user’s system, breaking Flatpak’s primary security feature.

Thankfully, the Flatpak team has promptly responded with patches to this vulnerability. Users are strongly encouraged to update their Flatpak installations to the following versions to ensure they are protected:

  • For users on the stable branch, Flatpak version 1.14.6 or newer.
  • For those on older stable branches, version 1.12.9 or 1.10.9 are the safe bets.
  • Developers using the developmental branch should update to version 1.15.8 or above.

Please note that Flatpak versions older than 1.10.9, including the entire 1.8.x series, are no longer supported and will not receive this crucial update.

You can run a simple test to check whether your system is affected. Install any Flatpak application and run it with the --command=--help option followed by the application’s ID. If the system returns an error message stating that the help command is not found, your Flatpak installation is not vulnerable.

Unaffected version of Flatpak.

However, if it displays output resembling that of the bwrap --help command, your version is still at risk.

Flatpak vulnerable version.
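As an added example (not code from the article or the Flatpak project), the following POSIX shell helpers compare an installed Flatpak version against the fixed releases listed above and interpret the output of the --command=--help test; the sample outputs are constructed approximations of the two screenshots, and the wrapper assumes flatpak is on PATH.

```shell
#!/bin/sh
# Added example (not from the article or the Flatpak project): check a Flatpak
# version against the fixed releases listed above, and interpret the output of
# the article's `flatpak run --command=--help <app-id>` test.

# flatpak_version_status VERSION -> prints "fixed", "vulnerable" or "unsupported"
flatpak_version_status() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    patch=${patch:-0}
    case "$major.$minor" in
        1.15) need=8 ;;   # development branch: 1.15.8 or above
        1.14) need=6 ;;   # stable branch: 1.14.6 or newer
        1.12) need=9 ;;   # older stable branch: 1.12.9
        1.10) need=9 ;;   # older stable branch: 1.10.9
        *)  # Assumption: branches newer than 1.15 carry the fix; anything older
            # than 1.10 (including all of 1.8.x) is unsupported and gets no patch.
            if [ "$major" -gt 1 ] || [ "$minor" -gt 15 ]; then echo fixed; else echo unsupported; fi
            return ;;
    esac
    if [ "$patch" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
}

# classify_help_test_output TEXT -> "not-vulnerable" when the sandbox reports that
# "--help" cannot be found as a command, "vulnerable" when bwrap's own usage text
# came back (bwrap consumed --help as one of its options), "unknown" otherwise.
classify_help_test_output() {
    case "$1" in
        *"usage: bwrap"*|*"--bind "*) echo vulnerable ;;
        *"No such file"*|*"not found"*) echo not-vulnerable ;;
        *) echo unknown ;;
    esac
}

# Run the test against an installed app ID (assumes flatpak is on PATH; pass an
# ID from `flatpak list`).
check_installed_app() {
    classify_help_test_output "$(flatpak run --command=--help "$1" 2>&1)"
}

# Constructed sample outputs approximating the two screenshots in the article.
SAMPLE_FIXED='bwrap: execvp --help: No such file or directory'
SAMPLE_VULN='usage: bwrap [OPTIONS...] [--] COMMAND [ARGS...]
    --bind SRC DEST              Bind mount the host path SRC on DEST'
```

Feed the output of `flatpak --version` to flatpak_version_status for the quick check, and use check_installed_app for the behavioural test the article describes.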

For more detailed information and ongoing updates, visit Flatpak’s official security advisory page on GitHub.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.