USN-7046-1: Flatpak and Bubblewrap vulnerability

Releases

• Ubuntu 24.04 LTS
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS

Packages

• bubblewrap - setuid wrapper for unprivileged chroot and namespace manipulation
• flatpak - Application deployment framework for desktop apps

Details

It was discovered that Flatpak incorrectly handled certain persisted
directories. An attacker could possibly use this issue to read
and write files in locations it would not normally have access to.
A patch was also needed to Bubblewrap in order to avoid race
conditions caused by this fix.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04

• bubblewrap - 0.9.0-1ubuntu0.1
• flatpak - 1.14.6-1ubuntu0.1
• libflatpak0 - 1.14.6-1ubuntu0.1

Ubuntu 22.04

• bubblewrap - 0.6.1-1ubuntu0.1
• flatpak - 1.12.7-1ubuntu0.1
• libflatpak0 - 1.12.7-1ubuntu0.1

Ubuntu 20.04

• bubblewrap - 0.4.0-1ubuntu4.1
• flatpak - 1.6.5-0ubuntu0.5
• libflatpak0 - 1.6.5-0ubuntu0.5

In general, a standard system update will make all the necessary changes.

References

• CVE-2024-42472
• https://launchpad.net/bugs/2077087