CVE-2017-5226 is an issue with bubblewrap that allows a program running in a sandbox to escape and get the same privileges as the parent process. I recently discovered this by mistake and it is fairly concerning to me. ~~I believe it applies to Flatpak as Flatpak uses bubblewrap under the hood.~~
~~Many people like to boast about how secure and private flatpak and some even run untrusted software in it. However, the reality is that there hasn't been a lot of testing and the fact that this CVE still exists but isn't well known is concerning.~~
The reason it wasn't patched is that it is really hard to properly fix. The workaround is to call bubblewrap with the --new-session flag, as this effectively prevents the escape. However, this breaks interactive programs such as htop. Also, the bubblewrap team believes this is an issue that should be solved downstream, as this CVE is technically not a CVE in the traditional sense.
I think it is still better to run Flatpak over non-Flatpak, but it is something to be aware of.
Edit:
It doesn't apply to Flatpak as it is patched in 1.3.1 and higher: https://github.com/flatpak/flatpak/security/advisories/GHSA-7gfv-rvfx-h87x
Basically this is a communication and people problem, not a technical one.
Edit2:
This isn't exploitable on modern systems with 6.1 or newer, with the way most distros compile the kernel.
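As an added example (not code from the thread or from the bubblewrap/Flatpak projects), a POSIX sh posture check for the three mitigation conditions the post touches on: the kernel refusing unprivileged TIOCSTI, a patched Flatpak (1.3.1 or higher per the linked advisory), and bwrap offering --new-session. It assumes the kernel knob `dev.tty.legacy_tiocsti` (not mentioned in the thread; newer kernels expose it and 0 means unprivileged TIOCSTI is refused), that `flatpak --version` prints `Flatpak X.Y.Z`, and that `bwrap --help` lists `--new-session`.

```shell
#!/bin/sh
# Added example: checks which CVE-2017-5226 mitigations are in place on this host.

# version_ge A B: exit 0 if dotted version A >= B (compared field by field).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0; if (xi < yi) exit 1
        }
        exit 0 }'
}

# flatpak_patched VERSION: exit 0 if VERSION is at or above the 1.3.1 fix.
flatpak_patched() { version_ge "$1" "1.3.1"; }

# tiocsti_restricted [FILE]: exit 0 if the kernel knob exists and is 0.
# Assumption: /proc/sys/dev/tty/legacy_tiocsti is the knob (not from the thread).
# A missing file means the kernel predates the knob, so treat it as unrestricted.
tiocsti_restricted() {
    f="${1:-/proc/sys/dev/tty/legacy_tiocsti}"
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# bwrap_has_new_session: exit 0 if the installed bwrap advertises --new-session.
bwrap_has_new_session() {
    command -v bwrap >/dev/null 2>&1 && bwrap --help 2>&1 | grep -q -- '--new-session'
}

# report: human-readable summary; run this when executing the script directly.
report() {
    if tiocsti_restricted; then echo "kernel: unprivileged TIOCSTI refused"
    else echo "kernel: TIOCSTI not restricted (or knob absent); rely on --new-session"; fi
    if command -v flatpak >/dev/null 2>&1; then
        v=$(flatpak --version | awk '{print $2}')
        if flatpak_patched "$v"; then echo "flatpak $v: patched (>= 1.3.1)"
        else echo "flatpak $v: NOT patched, upgrade to 1.3.1 or higher"; fi
    else echo "flatpak: not installed"; fi
    if bwrap_has_new_session; then echo "bwrap: --new-session available"
    else echo "bwrap: missing or no --new-session support"; fi
}
```

Run the file and call `report` to print the summary; the individual functions return shell exit codes so they can be used in other scripts.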
My Ubuntu 22 AWS VM only got 6.2 in September, and I haven't rebooted yet so it's still on 5.15. Probably tons of desktops and servers are still using < 6.2.
Which is why they said "modern" kernels. LTS systems are usually not going for modern. :)
We can disagree on the definition of modern.
That's true. It varies from person to person. I, for example, am an Arch user, so modern for me is only around a year or so. Ubuntu 22.04 is old in my eyes, mostly because a newer LTS was released after it.
You might define Ubuntu 22.04 as new, because it's still fully supported.
It's just a question of how you define modern/recent.
Well, “modern” is a relative term, so that might not have been a good pick...