Package: flatpak
Version: 0.6.0-1
Severity: important
Tags: security

Many Flatpak apps ship with sandboxing metadata that gives them filtered access to the D-Bus session and/or system bus. Gabriel Campana of the Google security team discovered that a malicious app could bypass the intended filtering by crafting an authentication message that will be processed as end-of-authentication by the dbus-daemon, but not recognised as end-of-authentication by flatpak-dbus-proxy.

This has been fixed upstream in versions 0.10.3 and 0.8.9, which I'm going to package now.

The Debian security team has not generally treated Flatpak sandboxing bypasses as security vulnerabilities, on the basis that the sandboxed app provides its own security policy, so no privilege boundary is crossed (in the absence of a curated "app store" where changes to security policy are audited, or a software-downloading UI that highlights security policy changes, neither of which is widely deployed right now).

I assume this is still the case, but I'm cc'ing the security team for their information (please let me know if you would like me to prepare a security update).

smcv