Control: retitle -1 CVE-2021-21381: flatpak: sandbox escape via special tokens
in .desktop file (flatpak#4146)
On Tue, 09 Mar 2021 at 10:11:09 +0000, Simon McVittie wrote:
> flatpak since 0.9.4 has a bug in the "file forwarding" feature, which can
> be used by an attacker to gain access to files that would not ordinarily
> be allowed by the app's permissions.
...
> There is no CVE ID available for this yet, so I'm tracking it using the
> upstream issue reference flatpak#4146.
GitHub has issued CVE-2021-21381.
(Full set of identifiers: CVE-2021-21381, flatpak#4146, Debian bug
#984859 and GHSA-xgh4-387p-hqpp are all the same thing.)
smcv
