Flatpak 1.2.4 Released To Address Security Issue - Sandbox Bypass Vulnerability

Flatpak 1.2.4 was issued today as an emergency release to address a new CVE vulnerability.

CVE-2019-10063 is a Flatpak vulnerability affecting versions going back to the 0.8 series that allow for a potential bypassing of its sandbox.

Flatpak was previously patched to address CVE-2017-5226, which is a vulnerability where a non-privileged session could escape the parent session in a bubblewrap sandbox by using the TIOCSTI ioctl (TIOCSTI is used for faking input in the input queue) to escape the sandbox. But two years later it turns out their addressing of that former CVE by using a SECCOMP filter was inadequate on 64-bit platforms. Up to now in Flatpak on 64-bit platforms, the sandbox could still be bypassed/escaped as the filter wasn't properly handled on 64-bit architectures. Details in CVE-2019-10063.

As a result, Flatpak 1.2.4 was released with the proper mitigation.

This Flatpak update also has handling for multiple NVIDIA graphics cards on the same system, a fix for Gentoo and other platforms around XDG_RUNTIME_DIR being a symlink, a potential crash when updating applications, and ensuring flatpak list --arch works.

For those on the older Flatpak 1.0 series, Flatpak 1.0.8 was also released this morning.