Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the flatpak-portal service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 up to, but not including, the fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the flatpak run command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the flatpak run command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the flatpak-portal service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0.
[
{
"digest": {
"line_hashes": [
"187884336905612395231330406807632357540",
"119966363514582499525315861909166376099",
"46012603303833455347858473125643287427",
"151763468982046354621867926977057407996",
"147841209049247011411836960548228474009",
"210586123448264467490491665920891689504"
],
"threshold": 0.9
},
"target": {
"file": "common/flatpak-bwrap.c"
},
"deprecated": false,
"id": "CVE-2021-21261-0548202b",
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486"
},
{
"digest": {
"line_hashes": [
"168417353790797368165839907690445508493",
"327012681670393743305787150072641325411",
"23688458601150324176395771316217294730",
"49729934599472863566897555018543408450",
"9450908212238931453333786533088716078",
"184028996534785543118806081166217184330",
"141419741360300883951586041005272492896",
"206249337290032327518896842942263903489",
"90318883290108511492839356082770308365",
"12932935097118578644062154051992084777",
"144774528113192030728296602362033592877",
"79201547501775564610540632545667244027",
"268846712764991704531477048056715863846",
"278171116430610011995476595605264549622",
"198046183515048329716552688201140766062",
"186874874185981287271469462079034122186",
"256515148011437925207635412414066159130",
"3346186902999804577361326057752316291",
"254409286826292135473128319948286163718",
"141533511151258764870094348930568640143",
"259454807294067507133633282981503554384",
"191389743288879362348653886153241129053",
"194637151052508142939035967020326419871",
"205972780634195676094809405714121723252",
"23392054317266148780655332786943982622",
"34547951232220976726414035075532117100"
],
"threshold": 0.9
},
"target": {
"file": "common/flatpak-run.c"
},
"deprecated": false,
"id": "CVE-2021-21261-2cb9cfb5",
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486"
},
{
"digest": {
"length": 1224.0,
"function_hash": "116696172303620550801466906987719068366"
},
"target": {
"file": "portal/flatpak-portal.c",
"function": "child_setup_func"
},
"deprecated": false,
"id": "CVE-2021-21261-33525b89",
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4"
},
{
"digest": {
"line_hashes": [
"181467856496703161714286787676753514560",
"262003444876501901294604323868568402193",
"150489235987664807730600990675707141516",
"308914679741222343840220446431887347020",
"22914194553643468080754179086792170796",
"294736744238137854585260502181037366798",
"257931896619599938072240305823517035948"
],
"threshold": 0.9
},
"target": {
"file": "common/flatpak-context.c"
},
"deprecated": false,
"id": "CVE-2021-21261-4a832f75",
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/flatpak/flatpak/commit/6e5ae7a109cdfa9735ea7ccbd8cb79f9e8d3ae8b"
},
{
"digest": {
"length": 4242.0,
"function_hash": "33047310530798657115268533786732258227"
},
"target": {
"file": "common/flatpak-run.c",
"function": "flatpak_run_add_environment_args"
},
"deprecated": false,
"id": "CVE-2021-21261-89757ad9",
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486"
},
{
"digest": {
"length": 10642.0,
"function_hash": "121856444566269508847150148348225191560"
},
"target": {
"file": "common/flatpak-run.c",
"function": "flatpak_run_app"
},
"deprecated": false,
"id": "CVE-2021-21261-cc0442da",
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486"
},
{
"digest": {
"line_hashes": [
"186753914006100194516954110745550884424",
"12753299659279139043630104728458776064",
"269889525867134572535695503617087983501",
"208208283627142296061927458336690996509",
"180501221704741290327491119284995032025",
"176111972974236863265595961229486818247",
"96681180801602239017311502751839799173",
"198705453584377096480089798889685337457"
],
"threshold": 0.9
},
"target": {
"file": "common/flatpak-bwrap-private.h"
},
"deprecated": false,
"id": "CVE-2021-21261-e4aba771",
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486"
},
{
"digest": {
"line_hashes": [
"250583380488175601669317137946174719794",
"311312556761816106744451561827799888308",
"296511374797103482356447941591751752716",
"163819300700743363828332066461507542872",
"256646176672544301483717845513293989867",
"283066343764066525662795773450547192544",
"307830766081670044218645905522083376346",
"314613757453546637160749133659371754136",
"33477874074197511545467797114432888206",
"217867266162192291486524756726822760936",
"40016216926295346927460055704050908419",
"202058260553356883764319272044505786272",
"232829783943157726400537389676411531144",
"142269808049044781331577504304469511031",
"228461531246778135043747909129711248394",
"158813393187993092148429072759724546882"
],
"threshold": 0.9
},
"target": {
"file": "portal/flatpak-portal.c"
},
"deprecated": false,
"id": "CVE-2021-21261-f081ded5",
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4"
},
{
"digest": {
"length": 14396.0,
"function_hash": "138027983890393511308692566048484423621"
},
"target": {
"file": "portal/flatpak-portal.c",
"function": "handle_spawn"
},
"deprecated": false,
"id": "CVE-2021-21261-f0f82716",
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4"
}
]