CVE-2024-32462: 
Rocky Linux vulnerability analysis and mitigation

CVE-2024-32462 affects Flatpak, a system for building, distributing, and running sandboxed desktop applications on Linux. The vulnerability was discovered by Gergo Koteles and affects versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8. The issue was disclosed on April 18, 2024 (GitHub Advisory).

The vulnerability stems from improper handling of the --command argument in flatpak run. When a long option name is passed to --command=, such as --bind, it can be misinterpreted as a bwrap option. This vulnerability allows manipulation of the org.freedesktop.portal.Background.RequestBackground portal interface, where a crafted commandline can be converted into a --command and arguments, potentially leading to sandbox escape (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 8.4 (High) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (NVD).

A malicious or compromised Flatpak app could execute arbitrary code outside its sandbox, effectively bypassing the containment mechanisms that are fundamental to Flatpak's security model (GitHub Advisory).

The vulnerability has been patched in versions 1.15.8, 1.10.9, 1.12.9, and 1.14.6. The fix implements the use of the -- argument to bwrap, which prevents option processing before appending the attacker-specified command. Additionally, xdg-desktop-portal versions 1.18.4 and 1.16.1 provide mitigation by preventing Flatpak apps from creating .desktop files for commands that start with - (GitHub Advisory).