CVE-2024-32462: A malicious or compromised Flatpak app could execute arbitrary code outside its sandbox in conjunction with xdg-desktop-portal. The above is fixed in 1.14.6 and 1.12.9.
xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with -. This is not packaged yet, however.
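A small checker for the rule described in comment #1 (reject launchers whose command starts with `-`). This is an added illustration, not code from flatpak, xdg-desktop-portal or the Gentoo tree. It assumes the launcher is a plain `[Desktop Entry]` file, treats the first token of the submitted `Exec` value as the command the app asks to launch, and uses `shlex` as an approximation of desktop-entry quoting; the sample launchers are constructed.

```python
"""Reject .desktop launchers whose command begins with '-'.

Added illustration of the xdg-desktop-portal 1.18.4 rule quoted in the
bug discussion; not the project's own code. Assumptions (not from the
bug report): plain [Desktop Entry] files, argv[0] of Exec is "the
command", shlex quoting is close enough to the desktop-entry spec.
"""
import shlex


def parse_desktop_entry(text):
    """Return key/value pairs from the [Desktop Entry] group only."""
    entries = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def command_from_exec(exec_value):
    """Split an Exec value into argv; None when empty or unparsable."""
    try:
        argv = shlex.split(exec_value)
    except ValueError:  # e.g. unterminated quote
        return None
    return argv or None


def is_command_allowed(exec_value):
    """Apply the rule: argv[0] must not begin with '-'.

    Quoting does not help an attacker here: shlex strips the quotes, so
    '-x' and "'-x'" are both rejected. Returns (allowed, reason).
    """
    argv = command_from_exec(exec_value)
    if argv is None:
        return False, "Exec is empty or malformed"
    if argv[0].startswith("-"):
        return False, "command %r begins with '-'" % argv[0]
    return True, "ok"


def check_launcher(text):
    """Validate a whole .desktop file; returns (allowed, reason)."""
    entries = parse_desktop_entry(text)
    if "Exec" not in entries:
        return False, "no Exec key in [Desktop Entry]"
    return is_command_allowed(entries["Exec"])


# Constructed samples (not taken from the bug report or the advisory).
BENIGN = """[Desktop Entry]
Type=Application
Name=Example
Exec=example-app --new-window %U
"""

SUSPICIOUS = """[Desktop Entry]
Type=Application
Name=Example
Exec=--share=network example-app
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, check_launcher(text))
```

Options that follow a legitimate command (`example-app --new-window`) are untouched; only a leading `-` token, quoted or not, is refused, which is the narrow rule comment #1 describes.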
(In reply to Christopher Fore from comment #1)
> xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only
> allowing Flatpak apps to create .desktop files for commands that do not
> start with -. This is not packaged yet, however.

Worth filing a bug for it or at least CCing its maintainers then ;)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e5a89cfc048384ddf35268840fea1ebc3e6ee91

commit 3e5a89cfc048384ddf35268840fea1ebc3e6ee91
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-04-20 18:52:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-04-21 07:46:20 +0000

    sys-apps/flatpak: add 1.12.9, 1.14.6, security bump

    - Tests skipped (restricted)
    - Fixed trivial QA warnings
    - Changed order of HOMEPAGE, SRC_URI, and DESCRIPTION

    Bug: https://bugs.gentoo.org/930202
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/36334
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest              |   2 +
 sys-apps/flatpak/flatpak-1.12.9.ebuild | 108 +++++++++++++++++++++++++++++
 sys-apps/flatpak/flatpak-1.14.6.ebuild | 120 +++++++++++++++++++++++++++++++++
 3 files changed, 230 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b6eb17f02063da39c53f7a1a067d6a58ed7fb9b9

commit b6eb17f02063da39c53f7a1a067d6a58ed7fb9b9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-06-22 07:02:59 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-06-22 07:04:32 +0000

    [ GLSA 202406-02 ] Flatpak: Sandbox Escape

    Bug: https://bugs.gentoo.org/930202
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202406-02.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
commit f69bf4c9ae6c5e915d78e312e5b40c5012203877
Author: Zac Medico <zmedico@gentoo.org>
Date:   Thu Oct 24 13:04:37 2024 -0700

    sys-apps/flatpak: drop 1.12.8, 1.14.4-r3, 1.14.6, 1.14.8

    Bug: https://bugs.gentoo.org/937936
    Signed-off-by: Zac Medico <zmedico@gentoo.org>