Flatpak 1.2.4 Released To Address Security Issue - Sandbox Bypass Vulnerability

  • Flatpak 1.2.4 Released To Address Security Issue - Sandbox Bypass Vulnerability

    Phoronix: Flatpak 1.2.4 Released To Address Security Issue - Sandbox Bypass Vulnerability

    Flatpak 1.2.4 was issued today as an emergency release to address a new CVE vulnerability...


  • #2
    For those curious:

    It uses bubblewrap for the sandboxing, as stated in the NEWS file which referenced the original CVE (CVE-2017-5226):


    The original bubblewrap bug report for CVE-2017-5226:
    On Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850702, Federico Bento writes: When executing a program via the bubblewrap sandbox, the nonpriv ses...


    The more recent issue on the flatpak github:
    On containers/bubblewrap#309, @wland32 wrote: Snap just had a vulnerability where the TIOCSTI seccomp filter could be circumvented. https://www.exploit-db.com/exploits/46594 Is bubblewrap also affe...


    Note that snapd was also affected.

    If you open "man 7 capabilities" you can find info on the capability which exposes this terminal input feature. It's called: "CAP_SYS_ADMIN". You'll see that this capability enables the process to do many different things including employing "TIOCSTI ioctl(2) to insert characters into the input queue". Hopefully there are no other CAP_SYS_ADMIN features which a confined process could use to escape the Flatpak/bubblewrap/snapd sandboxes.

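A check related to post #2, added here as an example and not part of the thread or of Flatpak's, bubblewrap's or snapd's own code: it reads the `Seccomp`, `NoNewPrivs`, `CapPrm` and `CapEff` fields of `/proc/<pid>/status` to report whether a process runs under a seccomp filter and whether it holds CAP_SYS_ADMIN. The two status excerpts are constructed samples.

```python
CAP_SYS_ADMIN = 21  # capability bit number, see capabilities(7)
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Constructed excerpt of /proc/<pid>/status for a confined process.
SAMPLE_CONFINED = """Name:\tdemo-app
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
NoNewPrivs:\t1
Seccomp:\t2
"""

# Constructed excerpt for an unconfined root process.
SAMPLE_PRIVILEGED = """Name:\tdemo-root
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
NoNewPrivs:\t0
Seccomp:\t0
"""

def parse_status(text):
    """Turn 'Key:<tab>value' lines into a dict of stripped strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    f = parse_status(text)
    findings = []
    mode = int(f.get("Seccomp", "0"))
    # Mode 2 only shows that a filter is installed, not which ioctls it blocks.
    if mode != 2:
        findings.append(f"seccomp is {SECCOMP_MODES.get(mode, 'unknown')}")
    if f.get("NoNewPrivs", "0") != "1":
        findings.append("no_new_privs is not set")
    for name in ("CapEff", "CapPrm"):
        if (int(f.get(name, "0"), 16) >> CAP_SYS_ADMIN) & 1:
            findings.append(f"{name} includes CAP_SYS_ADMIN")
    return findings

if __name__ == "__main__":
    import sys
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open(f"/proc/{pid}/status") as fh:
        print("\n".join(audit(fh.read()) or ["no findings"]))
```

Run it with the PID of a process inside the sandbox to inspect a live application instead of the samples.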


    • #3
      BTW sandbox makes you safe, no need to take proper security measures yourself.

      Ah the ignorance.



      • #4
        Last week I tried to Flatpak one of my applications. It's horrible :-/ To me, AppImage seems to be the superior solution.



        • #5
          Originally posted by RealNC
          Last week I tried to Flatpak one of my applications. It's horrible :-/ To me, AppImage seems to be the superior solution.
          How's it horrible?



          • #6
            Originally posted by Weasel
            BTW sandbox makes you safe, no need to take proper security measures yourself.
            None said that ever.



            • #7
              Originally posted by RealNC
              Last week I tried to Flatpak one of my applications. It's horrible :-/ To me, AppImage seems to be the superior solution.
              Did you find a way to make an AppImage that runs in any distro without bundling the whole Ubuntu (or whatever you use as a base) in your AppImage?



              • #8
                Originally posted by starshipeleven
                Did you find a way to make an AppImage that runs in any distro without bundling the whole Ubuntu (or whatever you use as a base) in your AppImage?
                I used linuxdeployqt (https://github.com/probonopd/linuxdeployqt) and an Ubuntu 16.04 VM. It copies some libraries, but not all of them. I built Qt by myself (since I want the latest version of that, 5.12), and then also built latest VLC myself (for libVLC, as I use that for video support.) The resulting appimage is 30MB and it runs on everything I tested it on, including all Ubuntu versions from 16.04 and up, but also Gentoo and Arch (which usually don't work well with binary applications due to their rolling release nature.)
                Last edited by RealNC; 27 March 2019, 04:06 PM.



                • #9
                  Originally posted by Britoid
                  How's it horrible?
                  Creating the flatpak seems borderline impossible. Maybe I'm too stupid, I don't know :-/ My issue is that there's no build environment. I can't build and install my dependencies into, say, /home/me/deps and then work from that. You need to use flatpak-builder every time, then you need to install the result into a testing repo and run from there. After two days of trying, I ran out of patience. If your application only uses libraries already in one of the flatpak SDKs, or they are trivial to build, then I guess it's easy. But if you need non-trivial deps, good luck. (I need libVLC, for example.)

                  AppImage on the other hand was very easy to deal with. You build your dependencies yourself, and thus things are easy to test and experiment with.
                  Last edited by RealNC; 27 March 2019, 04:02 PM.



                  • #10
                    Originally posted by starshipeleven
                    None said that ever.
                    But they implied it. Paraphrasing hreindl "ROFL at you dumb idiot download some trash from internet and get burned hard while I enjoy sandbox protections, my Fedora systems up and running since 1752."

                    The difference is, I'm careful with what I download and/or do checks and sandbox manually if it's from a shady site (custom setup is harder to get out of, because people won't target your system specifically, they target the defaults for dummies). He isn't because he has "teh sandbox protections", and ignorance is what silent malware loves the most: people who think they are protected.
