Package: flatpak
Version: 0.9.4-1
Severity: grave
Tags: patch upstream security
Justification: user security hole
Forwarded: https://github.com/flatpak/flatpak/issues/4146
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Control: close -1 1.10.1-4
flatpak since 0.9.4 has a bug in the "file forwarding" feature, which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.

There is no CVE ID available for this yet, so I'm tracking it using the upstream issue reference flatpak#4146. I've already fixed this in unstable and contacted the security team.

Mitigations: Flatpak apps need to be at least partially trusted, because they are executing arbitrary code in a sandbox that is unlikely to be fully robust against a determined attacker. The permissions are chosen by the publisher (although end users can override them), so granting yourself access to the desired file is a lot easier than making use of this vulnerability and will likely have the same result for most users. Sites like Flathub that publish apps on behalf of third-party developers are in a position to detect and prevent this attack if they want to.

stretch does not appear to be vulnerable: the feature that had the bug was not yet present in 0.8.x.

smcv
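As an added example (not code from this report or from flatpak itself), here is the kind of check a publisher or app store could run over an app's own .desktop files before they are exported, flagging any Exec line that carries the @@ or @@u tokens as standalone arguments. The sample .desktop contents and the function names are constructed for illustration.

```python
import configparser
import shlex
from typing import Dict, List

# The file-forwarding markers named in the report; an app-supplied .desktop
# file has no legitimate reason to contain them (flatpak adds them on export).
FORWARDING_TOKENS = {"@@", "@@u"}

# Constructed sample: main entry and one desktop action, both carrying markers.
SAMPLE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Example Editor
Exec=example-editor @@ %f @@
Actions=new-window;

[Desktop Action new-window]
Name=New Window
Exec=example-editor --new-window @@u %U @@
"""

# Constructed sample with an ordinary Exec line.
CLEAN_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Example Viewer
Exec=example-viewer %U
"""

def parse_desktop(text: str) -> configparser.ConfigParser:
    """Parse a .desktop file; keys are case-sensitive and '%' is literal."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def find_forwarding_tokens(text: str) -> Dict[str, List[str]]:
    """Map each group whose Exec line contains @@ or @@u to the offending args."""
    cp = parse_desktop(text)
    hits: Dict[str, List[str]] = {}
    for group in cp.sections():
        exec_line = cp.get(group, "Exec", fallback=None)
        if exec_line is None:
            continue
        try:
            args = shlex.split(exec_line)   # approximates desktop-entry quoting
        except ValueError:
            args = exec_line.split()        # unbalanced quotes: fall back to whitespace
        found = [a for a in args if a in FORWARDING_TOKENS]
        if found:
            hits[group] = found
    return hits

def is_safe_to_export(text: str) -> bool:
    """True when no group's Exec line carries a file-forwarding marker."""
    return not find_forwarding_tokens(text)
```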