Security update for xdg-desktop-portal SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1803-1 Final 1 1 2024-05-28T14:21:16Z current 2024-05-28T14:21:16Z 2024-05-28T14:21:16Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xdg-desktop-portal This update for xdg-desktop-portal fixes the following issues: - CVE-2024-32462: Fixed sandbox escape via RequestBackground portal (bsc#1223110). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1803,SUSE-SLE-Module-Desktop-Applications-15-SP5-2024-1803,openSUSE-SLE-15.5-2024-1803 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241803-1/ Link for SUSE-SU-2024:1803-1 https://lists.suse.com/pipermail/sle-updates/2024-May/035373.html E-Mail link for SUSE-SU-2024:1803-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1223110 SUSE Bug 1223110 https://www.suse.com/security/cve/CVE-2024-32462/ SUSE CVE CVE-2024-32462 page SUSE Linux Enterprise Module for Desktop Applications 15 SP5 openSUSE Leap 15.5 xdg-desktop-portal-1.16.0-150500.3.6.1 xdg-desktop-portal-devel-1.16.0-150500.3.6.1 xdg-desktop-portal-lang-1.16.0-150500.3.6.1 xdg-desktop-portal-1.16.0-150500.3.6.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP5 xdg-desktop-portal-devel-1.16.0-150500.3.6.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP5 xdg-desktop-portal-lang-1.16.0-150500.3.6.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP5 xdg-desktop-portal-1.16.0-150500.3.6.1 as a component of openSUSE Leap 15.5 xdg-desktop-portal-devel-1.16.0-150500.3.6.1 as a component of openSUSE Leap 15.5 xdg-desktop-portal-lang-1.16.0-150500.3.6.1 as a component of openSUSE Leap 15.5 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6. CVE-2024-32462 SUSE Linux Enterprise Module for Desktop Applications 15 SP5:xdg-desktop-portal-1.16.0-150500.3.6.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP5:xdg-desktop-portal-devel-1.16.0-150500.3.6.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP5:xdg-desktop-portal-lang-1.16.0-150500.3.6.1 openSUSE Leap 15.5:xdg-desktop-portal-1.16.0-150500.3.6.1 openSUSE Leap 15.5:xdg-desktop-portal-devel-1.16.0-150500.3.6.1 openSUSE Leap 15.5:xdg-desktop-portal-lang-1.16.0-150500.3.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241803-1/ https://www.suse.com/security/cve/CVE-2024-32462.html CVE-2024-32462 https://bugzilla.suse.com/1223110 SUSE Bug 1223110