CVE-2024-32462: A malicious or compromised Flatpak app could execute arbitrary code outside its sandbox in conjunction with xdg-desktop-portal. The above is fixed in 1.14.6 and 1.12.9.
xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with -. This is not packaged yet, however.
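To make the mitigation described in comment #1 concrete, here is an added illustration (not code from xdg-desktop-portal, Flatpak, or anyone on this bug) of what "only allowing .desktop files for commands that do not start with -" amounts to as a validation step. It assumes, as a simplification, that the "command" is the first word of the Exec= line in the [Desktop Entry] group and that shlex-style splitting is close enough to Desktop Entry quoting for this purpose; the sample .desktop contents are constructed for the example.

```python
import shlex

# Constructed sample: an Exec line whose first word begins with '-'.
# A launcher that prepends its own wrapper command would otherwise see
# that word as an option rather than as the program to run.
REJECTED_DESKTOP = """[Desktop Entry]
Type=Application
Name=Example
Exec=--some-option example-app %U
"""

# Constructed sample: an ordinary command with options after the program name.
ACCEPTED_DESKTOP = """[Desktop Entry]
Type=Application
Name=Example
Exec=example-app --verbose %U
"""


def exec_command(desktop_text):
    """Return the Exec= value from the [Desktop Entry] group, or None.

    Only the main group is consulted; Exec= keys in other groups such as
    [Desktop Action ...] are ignored here (an assumption of this example).
    Surrounding whitespace is stripped so leading spaces cannot hide a dash.
    """
    in_main_group = False
    for raw in desktop_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_main_group = line == "[Desktop Entry]"
            continue
        if in_main_group and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "Exec":
                return value.strip()
    return None


def command_is_acceptable(exec_value):
    """Apply the rule from comment #1: the command must not start with '-'.

    shlex.split approximates Desktop Entry quoting (assumption). Unparseable
    or empty Exec values are rejected rather than passed through.
    """
    try:
        argv = shlex.split(exec_value)
    except ValueError:
        return False
    if not argv:
        return False
    return not argv[0].startswith("-")


def validate_desktop_file(desktop_text):
    """True only when a [Desktop Entry] Exec= exists and passes the check."""
    exec_value = exec_command(desktop_text)
    if exec_value is None:
        return False
    return command_is_acceptable(exec_value)


if __name__ == "__main__":
    print("rejected sample accepted?", validate_desktop_file(REJECTED_DESKTOP))
    print("accepted sample accepted?", validate_desktop_file(ACCEPTED_DESKTOP))
```

The point of the check is that the first word of Exec= is the only part a wrapper launcher treats as the program name; refusing a leading '-' there, plus rejecting empty or malformed values instead of letting them through, is the defensive default the 1.18.4 change is described as taking.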
(In reply to Christopher Fore from comment #1)
> xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only
> allowing Flatpak apps to create .desktop files for commands that do not
> start with -. This is not packaged yet, however.

Worth filing a bug for it or at least CCing its maintainers then ;)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e5a89cfc048384ddf35268840fea1ebc3e6ee91

commit 3e5a89cfc048384ddf35268840fea1ebc3e6ee91
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-04-20 18:52:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-04-21 07:46:20 +0000

    sys-apps/flatpak: add 1.12.9, 1.14.6, security bump

    - Tests skipped (restricted)
    - Fixed trivial QA warnings
    - Changed order of HOMEPAGE, SRC_URI, and DESCRIPTION

    Bug: https://bugs.gentoo.org/930202
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/36334
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest              |   2 +
 sys-apps/flatpak/flatpak-1.12.9.ebuild | 108 +++++++++++++++++++++++++++++
 sys-apps/flatpak/flatpak-1.14.6.ebuild | 120 +++++++++++++++++++++++++++++++++
 3 files changed, 230 insertions(+)