CVE-2021-42762: 
NixOS vulnerability analysis and mitigation

CVE-2021-42762 affects BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before version 2.34.1. The vulnerability was discovered in October 2021 and allows a limited sandbox bypass that enables a sandboxed process to trick host processes into thinking it is not confined by the sandbox (WebKit Bug, NVD).

The vulnerability exploits VFS syscalls that manipulate the filesystem namespace, allowing a sandboxed process to delete or modify the .flatpak-info file in the root of its filesystem namespace. The CVSS v3.1 base score is 5.3 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (NVD).

The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox. While the sandboxed process remains otherwise confined, it can trick host processes into treating it as an ordinary, non-sandboxed host-OS process. The vulnerability does not affect protocols that operate entirely over D-Bus session bus, system bus, or accessibility bus due to the use of a proxy process xdg-dbus-proxy (WebKit Bug).

The vulnerability was fixed in WebKitGTK and WPE WebKit version 2.34.1. Updates were released for various distributions including Debian 10 (Buster), Debian 11 (Bullseye), and Fedora versions 33, 34, and 35. Users are recommended to upgrade to the patched versions (Debian Advisory, Fedora Advisory).