A vulnerability (CVE-2021-21261) has been identified in the Flatpak self-contained package toolkit that allows bypassing sandbox isolation and executing arbitrary code in the host environment. The issue was fixed in versions 1.10.0 and 1.8.5, but a regression was later found in the fix that caused build problems on systems where the bubblewrap layer is installed with the setuid flag. The regression was fixed in 1.10.1 (an update for the 1.8.x branch is not yet available).
The vulnerability is in the flatpak-portal D-Bus service, which handles launching the "portals" used to arrange access to resources outside the container. The service lets a sandboxed application start its own child process in a new sandbox environment to which the same or stricter isolation settings are applied (for example, to handle untrusted content). The problem is that flatpak-portal passes environment variables specific to the calling process on to handlers that are not isolated from the main system (for example, when running the "flatpak run" command). A malicious application can set environment variables that affect how flatpak run executes and thereby run arbitrary code on the host side.
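The launcher-environment split behind the fix, as an added Python example (not Flatpak's own code): the unsafe pattern merges the D-Bus caller's variables into the environment of the host-side "flatpak run" process, while the hardened pattern gives that process a fixed allowlisted environment and hands the caller's variables to the child over a pipe, in the NUL-terminated KEY=VALUE form assumed for flatpak's --env-fd option, so they take effect only inside the new sandbox. The allowlist, the sample variable names and the injectable runner hook are assumptions made for this example.

```python
import os
import subprocess

# Host-side launcher keeps only these variables, copied from the service's own
# environment; the allowlist itself is an assumption for this example.
HOST_ALLOWLIST = ("PATH", "HOME", "XDG_RUNTIME_DIR", "DBUS_SESSION_BUS_ADDRESS")


def encode_env_records(caller_env):
    """Serialize caller variables as NUL-terminated KEY=VALUE records (the
    format assumed for flatpak's --env-fd) so they are applied inside the new
    sandbox instead of in the launcher process on the host."""
    out = bytearray()
    for key, value in caller_env.items():
        if not key or "=" in key or "\0" in key or "\0" in value:
            raise ValueError(f"malformed environment entry: {key!r}")
        out += f"{key}={value}".encode() + b"\0"
    return bytes(out)


def unsafe_launch(argv, caller_env, service_env, runner=subprocess.Popen):
    """Flawed pattern behind CVE-2021-21261: the caller's variables are merged
    into the environment of 'flatpak run', a process that executes on the host."""
    env = dict(service_env)
    env.update(caller_env)  # the caller now shapes how the host-side launcher runs
    return runner(["flatpak", "run", *argv], env=env)


def safe_launch(argv, caller_env, service_env, runner=subprocess.Popen):
    """Hardened pattern: fixed host environment; caller variables travel over a
    pipe and are consumed only by the sandboxed child."""
    host_env = {k: service_env[k] for k in HOST_ALLOWLIST if k in service_env}
    blob = encode_env_records(caller_env)
    rfd, wfd = os.pipe()
    try:
        os.write(wfd, blob)  # written before spawning; a blob larger than the
    finally:                 # pipe buffer would need a writer thread instead
        os.close(wfd)        # closing the write end gives the child EOF
    try:
        return runner(["flatpak", "run", f"--env-fd={rfd}", *argv],
                      env=host_env, pass_fds=(rfd,))
    finally:
        os.close(rfd)  # parent's copy; the child keeps its own descriptor
```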
It should be recalled that many Flatpak package developers disable isolation mode or leave full access to the home directory. For example, the GIMP, VSCodium, PyCharm, Octave, Inkscape, Audacity and VLC packages ship with a limited isolation mode. If a package with access to the home directory is compromised, then despite the "sandboxed" tag in the package description, an attacker only needs to modify the ~/.bashrc file to execute their code.