Headline
CVE-2023-28101: Ensure special characters in permissions and metadata are escaped · flatpak/flatpak@6cac99d
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the flatpak(1) command-line interface by setting other permissions to crafted values that contain non-printable control characters such as ESC. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.
@@ -613,7 +613,7 @@ load_kernel_module_list (void) g_autofree char *modules_data = NULL; g_autoptr(GError) error = NULL; char *start, *end;
if (!g_file_get_contents ("/proc/modules", &modules_data, NULL, &error)) { g_info ("Failed to read /proc/modules: %s", error->message); @@ -9222,6 +9222,86 @@ flatpak_uri_equal (const char *uri1, return g_strcmp0 (uri1_norm, uri2_norm) == 0; }
static gboolean is_char_safe (gunichar c) { return g_unichar_isgraph © || c == ' '; }
static gboolean should_hex_escape (gunichar c, FlatpakEscapeFlags flags) { if ((flags & FLATPAK_ESCAPE_ALLOW_NEWLINES) && c == ‘\n’) return FALSE;
return !is_char_safe ©; }
static void append_hex_escaped_character (GString *result, gunichar c) { if (c <= 0xFF) g_string_append_printf (result, "\\x%02X", c); else if (c <= 0xFFFF) g_string_append_printf (result, "\\u%04X", c); else g_string_append_printf (result, "\\U%08X", c); }
char * flatpak_escape_string (const char *s, FlatpakEscapeFlags flags) { g_autoptr(GString) res = g_string_new (“”); gboolean did_escape = FALSE;
while (*s) { gunichar c = g_utf8_get_char_validated (s, -1); if (c == (gunichar)-2 || c == (gunichar)-1) { /* Need to convert to unsigned first, to avoid negative chars becoming huge gunichars. */ append_hex_escaped_character (res, (unsigned char)*s++); did_escape = TRUE; continue; } else if (should_hex_escape (c, flags)) { append_hex_escaped_character (res, c); did_escape = TRUE; } else if (c == ‘\\’ || (!(flags & FLATPAK_ESCAPE_DO_NOT_QUOTE) && c == ‘\’’)) { g_string_append_printf (res, "\\%c", (char) c); did_escape = TRUE; } else g_string_append_unichar (res, c);
s = g_utf8_find_next_char (s, NULL); }
if (did_escape && !(flags & FLATPAK_ESCAPE_DO_NOT_QUOTE)) { g_string_prepend_c (res, ‘\’’); g_string_append_c (res, ‘\’’); }
return g_string_free (g_steal_pointer (&res), FALSE); }
void flatpak_print_escaped_string (const char *s, FlatpakEscapeFlags flags) { g_autofree char *escaped = flatpak_escape_string (s, flags); g_print ("%s", escaped); }
gboolean running_under_sudo (void) {
Related news
Gentoo Linux Security Advisory 202312-12 - Several vulnerabilities have been found in Flatpack, the worst of which lead to privilege escalation and sandbox escape. Versions greater than or equal to 1.14.4 are affected.