CVE-2017-5226 is a issue with bubblewrap that allows a program running in a sandbox to excape and get the same privileges as a the parent process. I recently discovered this by mistake and it is fairly concerning to me. I believe it applies to Flatpak as Flatpak uses bubblewrap under the hood.

Many people like to boast about how secure and private flatpak and some even run untrusted software in it. However, the reality is that there hasn’t been a lot of testing and the fact that this CVE still exists but isn’t well known is concerning.

The reason it wasn’t patched is that it is really hard to properly fix. The work around is to call bubblewrap with the --new-session flag as this effectively prevents the excape. However, this breaks interactive programs such as htop. Also the bubblewrap team believes this is a issue that should be solved downstream as this CVE is technically not a CVE in the traditional sense.

I think it is still better to run flatpak over non flatpak but it is something to be aware of

Edit:

It doesn’t apply to flatpak as it is patched in 1.3.1and higher https://github.com/flatpak/flatpak/security/advisories/GHSA-7gfv-rvfx-h87x

Basically this is a communication and people problem not a technical one

Edit2:

This isn’t exploitable on modern systems with 6.1 or newer with the way most distros compile the kernel

      • Bero@lemmy.world
        link
        fedilink
        arrow-up
        6
        arrow-down
        1
        ·
        4 months ago

        Well the exploit in the CVE needs the kernel function.
        And it’s disabled as default since 6.2.

        • refalo
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          4 months ago

          my ubuntu 22 AWS VM only got 6.2 in september, and I haven’t rebooted yet so it’s still on 5.15. probably tons of desktops and servers are still using < 6.2

            • refalo
              link
              fedilink
              arrow-up
              5
              ·
              4 months ago

              we can disagree on the definition of modern.

              • Strit@lemmy.linuxuserspace.show
                link
                fedilink
                arrow-up
                2
                arrow-down
                1
                ·
                4 months ago

                That’s true. It varies from person to person. I, for example, am an Arch user, so modern for me is only around a year or so. Ubuntu 22.04 is old in my eyes, mostly because a newer LTS was released after it.

                You might define Ubuntu 22.04 as new, because it’s still fully supported.

                It’s just a question of how you define modern/recent.