CVE-2022-21682
📋 TL;DR
Flatpak versions before 1.12.3 and 1.10.6 contain a path traversal vulnerability in flatpak-builder when using the --mirror-screenshots-url option. This allows malicious applications to potentially execute arbitrary code by replacing the appstream-util binary. Users and developers building Flatpak applications with this option are affected.
💻 Affected Systems
- Flatpak
📦 What is this software?
Fedora by Fedoraproject
Flatpak by Flatpak
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution with the permissions of the user running flatpak-builder, potentially leading to full system compromise if run with elevated privileges.
Likely Case
Creation of empty directories in unintended locations where the user has write permissions, causing minor system disruption.
If Mitigated
No impact if the vulnerable option is not used or if proper file permissions prevent binary replacement.
🎯 Exploit Status
Exploitation requires building a malicious Flatpak application and convincing users to build it with the vulnerable option.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12.3 or 1.10.6
Vendor Advisory: https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx
Restart Required: No
Instructions:
1. Update Flatpak using your distribution's package manager.
2. For Ubuntu/Debian: sudo apt update && sudo apt upgrade flatpak
3. For Fedora/RHEL: sudo dnf update flatpak
4. For Arch: sudo pacman -Syu flatpak
🔧 Temporary Workarounds
Avoid vulnerable option
Linux: Do not use --mirror-screenshots-url when building Flatpak applications
🧯 If You Can't Patch
- Avoid building Flatpak applications with --mirror-screenshots-url option
- Run flatpak-builder with minimal privileges and in isolated environments
🔍 How to Verify
Check if Vulnerable:
Check the Flatpak version with flatpak --version. If the version is below 1.12.3 (or below 1.10.6 on the 1.10 branch), you are vulnerable whenever flatpak-builder is run with --mirror-screenshots-url.
Check Version:
flatpak --version
Verify Fix Applied:
Run flatpak --version and confirm the version is 1.12.3 or higher (or 1.10.6 or higher on the 1.10 branch).
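The version check above is easy to get wrong in a fleet-wide script: a plain "below 1.12.3" comparison flags patched 1.10.6 and 1.10.7 hosts as vulnerable. The following is an added example, not code from this page or from the Flatpak project; it assumes flatpak --version prints a line like "Flatpak 1.12.2" and applies the two fixed versions named in the advisory per release branch.

```python
import re
from typing import Optional, Tuple

# First fixed release on each maintained branch, as named in the advisory.
FIXED_VERSIONS = {
    (1, 12): (1, 12, 3),
    (1, 10): (1, 10, 6),
}

def parse_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `flatpak --version` output such as
    'Flatpak 1.12.2'. Returns None when no dotted version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def is_vulnerable(output: str) -> bool:
    """True if the reported Flatpak version predates the fix for its branch."""
    v = parse_version(output)
    if v is None:
        raise ValueError(f"could not parse a Flatpak version from {output!r}")
    branch = (v[0], v[1])
    if branch in FIXED_VERSIONS:
        # Branch-aware comparison: 1.10.6 is fixed even though 1.10.6 < 1.12.3.
        return v < FIXED_VERSIONS[branch]
    # Any other branch: releases after 1.12.3 postdate the fix; older branches
    # (1.8.x, 1.11.x development snapshots) have no fixed release named on
    # this page and are treated as vulnerable.
    return v < (1, 12, 3)

if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["flatpak", "--version"], capture_output=True, text=True).stdout
    print("VULNERABLE" if is_vulnerable(out) else "patched", out.strip())
```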
📡 Detection & Monitoring
Log Indicators:
- flatpak-builder processes using --mirror-screenshots-url option
- unexpected appstream-util executions during builds
Network Indicators:
- No network indicators for this local vulnerability
SIEM Query:
process.name:flatpak-builder AND command_line:*mirror-screenshots-url*
🔗 References
- https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a
- https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa
- https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/
- https://security.gentoo.org/glsa/202312-12
- https://www.debian.org/security/2022/dsa-5049