CVE-2021-43860

Flatpak is a Linux application sandboxing and distribution framework. Prior
to versions 1.12.3 and 1.10.6, Flatpak doesn’t properly validate that the
permissions displayed to the user for an app at install time match the
actual permissions granted to the app at runtime, in the case that there’s
a null byte in the metadata file of an app. Therefore apps can grant
themselves permissions without the consent of the user. Flatpak shows
permissions to the user during install by reading them from the
“xa.metadata” key in the commit metadata. This cannot contain a null
terminator, because it is an untrusted GVariant. Flatpak compares these
permissions to the actual metadata, from the “metadata” file to ensure it
wasn’t lied to. However, the actual metadata contents are loaded in several
places where they are read as simple C-style strings. That means that, if
the metadata file includes a null terminator, only the content of the file
from before the terminator gets compared to xa.metadata. Thus, any
permissions that appear in the metadata file after a null terminator are
applied at runtime but not shown to the user. So maliciously crafted apps
can give themselves hidden permissions. Users who have Flatpaks installed
from untrusted sources are at risk in case the Flatpak has a maliciously
crafted metadata file, either initially or in an update. This issue is
patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually
check the permissions of installed apps by checking the metadata file or
the xa.metadata key on the commit metadata.

Bugs

• <https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1957716&gt;