CVE-2024-42472: 
Rocky Linux vulnerability analysis and mitigation

CVE-2024-42472 is a sandbox escape vulnerability discovered in Flatpak, a Linux application sandboxing and distribution framework. The vulnerability was discovered by Chris Williams and affects all versions prior to 1.14.10 and 1.15.x versions prior to 1.15.10. The issue stems from a symlink-following vulnerability when mounting persistent directories, which could allow applications to access files outside their designated sandbox (GitHub Advisory, NVD).

The vulnerability occurs when using the persistent=subdir feature in application permissions (represented as --persist=subdir in the command-line interface). When this feature is used, applications that don't have access to the real user home directory are provided with an empty home directory containing a writeable subdirectory. The vulnerability arises because the application has write access to the application directory ~/.var/app/$APPID where this directory is stored. If the source directory for the persistent/--persist option is replaced with a symlink, subsequent application launches will follow the symlink and mount whatever it points to into the sandbox. The vulnerability has received a CVSS v3.1 base score of 10.0 (Critical) (GitHub Advisory).

A malicious or compromised Flatpak application using persistent directories could read and write files in locations it would not normally have access to, compromising both integrity and confidentiality of the system. For example, an application like Thunderbird with persistent=.thunderbird permission could potentially gain access to sensitive directories like ~/.ssh that should be outside its sandbox (GitHub Advisory).

The vulnerability has been fixed in Flatpak versions 1.14.10 and 1.15.10. The fix includes preventing symlink following when mounting persisted directories and implementing a new --bind-fd option in bubblewrap. As a workaround, users can avoid using applications with the persistent (--persist) permission. Users who need to move persistent directories to another filesystem due to space constraints should use bind mounts instead of symlinks (GitHub Advisory, ASEC).