Package: flatpak
Version: 0.5.0-1
Severity: important
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q

Flatpak 1.12.0 and 1.10.4 fix a security vulnerability in the portal support. Some recently added syscalls were not blocked by the seccomp rules, which allowed the application to create sub-sandboxes that can confuse the sandboxing verification mechanisms of the portal. This has been addressed by extending the seccomp rules.

Mitigation: this does not affect the standard D-Bus session or system buses, or the AT-SPI accessibility bus, due to the way Flatpak mediates access to those sockets with a proxy. It can affect other AF_UNIX-based protocols, potentially including X11, Wayland, PulseAudio and PipeWire.

Mitigation: this only affects users of relatively recent kernels.

This was unexpectedly unembargoed on my day off work, so I'm preparing updated packages ASAP, but it will take me a little while...

Will the security team want to issue a DSA for this?

smcv
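The two fixed releases named above sit on different release lines (1.10.4 is a stable-branch backport, 1.12.0 a new release), so a plain "version >= X" comparison gets the 1.10.x line wrong. The following is an added example, not code from the bug report or from the Flatpak project, that implements the branch-aware check and can read `flatpak --version` output or a Debian package version string. It assumes, since the advisory does not say otherwise, that the 1.11.x development series and all older stable branches (1.8.x, 0.x, ...) are unfixed.

```python
import re
import subprocess

# Fixed releases named in GHSA-67h7-w3jq-vh4q: the 1.12.0 release and the
# 1.10.4 backport on the 1.10.x stable branch.
FIXED_STABLE_BRANCH = (1, 10, 4)
FIXED_RELEASE = (1, 12, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract the first major.minor[.patch] triple found in `text`.

    Accepts a bare version ("1.10.2"), `flatpak --version` output
    ("Flatpak 1.10.2") and a Debian package version ("1.10.2-1").
    Raises ValueError if no version number is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_fixed(version):
    """Return True if `version` carries the extended seccomp rules.

    Two lines are fixed: 1.10.x from 1.10.4 onward, and anything from
    1.12.0 onward. Assumption (not stated in the advisory): the 1.11.x
    development series and older stable branches are treated as unfixed.
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v[:2] == (1, 10):
        return v >= FIXED_STABLE_BRANCH
    return v >= FIXED_RELEASE


def check_installed():
    """Run `flatpak --version` on this host.

    Returns (version_tuple, fixed) or None if flatpak is not installed.
    """
    try:
        out = subprocess.run(
            ["flatpak", "--version"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    v = parse_version(out)
    return (v, is_fixed(v))


if __name__ == "__main__":
    # Constructed sample inputs for illustration, not output captured
    # from any real system.
    for sample in ["Flatpak 1.10.2", "1.10.4", "1.11.3", "1.12.0-1", "1.8.5"]:
        state = "fixed" if is_fixed(sample) else "NOT fixed"
        print(f"{sample:>16}: {state}")
    installed = check_installed()
    if installed is not None:
        v, ok = installed
        print(f"installed {'.'.join(map(str, v))}: {'fixed' if ok else 'NOT fixed'}")
```

The `check_installed()` helper only tells you which upstream version string the binary reports; a distribution package that backports the seccomp change under an older version number (as a Debian security update typically would) will still show as "NOT fixed" here, so on such systems consult the package changelog or DSA rather than this output.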