[Pkg-utopia-maintainers] Bug#888842: flatpak: D-Bus filtering can be bypassed by a crafted authentication handshake

Simon McVittie smcv at debian.org
Tue Jan 30 14:31:26 UTC 2018


Package: flatpak
Version: 0.6.0-1
Severity: important
Tags: security

Many Flatpak apps ship with sandboxing metadata that gives them filtered
access to the D-Bus session and/or system bus. Gabriel Campana of the
Google security team discovered that a malicious app could bypass the
intended filtering by crafting an authentication message that will be
processed as end-of-authentication by the dbus-daemon, but not recognised
as end-of-authentication by flatpak-dbus-proxy.

This has been fixed upstream in versions 0.10.3 and 0.8.9, which I'm
going to package now.

The Debian security team has not generally treated Flatpak sandboxing
bypasses as security vulnerabilities, on the basis that the sandboxed
app provides its own security policy, so no privilege boundary is crossed
(in the absence of a curated "app store" where changes to security policy
are audited, or a software-downloading UI that highlights security policy
changes, neither of which is widely deployed right now). I assume this
is still the case, but I'm cc'ing the security team for their information
(please let me know if you would like me to prepare a security update).

    smcv
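
The report describes a parser differential: the daemon and the proxy disagree on which line ends authentication. The following is an added example, not part of the original message and not Flatpak's or dbus-daemon's code, of a proxy-side check that fails closed; the function names and the daemon's tokenising rule (the command word ends at the first space or tab) are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Verdict a filtering proxy reaches for one client line during the
 * authentication phase. The line is passed without its trailing "\r\n";
 * the single NUL byte that precedes the first line is assumed to have
 * been consumed by the caller. */
enum auth_verdict { AUTH_CONTINUE, AUTH_END, AUTH_REJECT };

/* Assumption (not stated in the report): the bus daemon takes the text
 * before the first space or tab as the command word, so "BEGIN" followed
 * by a blank and arbitrary text still ends authentication. The proxy
 * must switch to message filtering on every such line. */
static int line_is_begin(const char *line, size_t len)
{
    static const char begin[] = "BEGIN";
    size_t n = sizeof begin - 1;

    if (len < n || memcmp(line, begin, n) != 0)
        return 0;
    return len == n || line[n] == ' ' || line[n] == '\t';
}

/* Fail closed: a line the proxy cannot classify with certainty is
 * rejected (the caller drops the connection) instead of being forwarded. */
enum auth_verdict classify_auth_line(const char *line, size_t len)
{
    size_t i;

    if (len == 0)
        return AUTH_REJECT;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)line[i];
        /* Only printable ASCII; a tab is allowed as a blank. */
        if ((c < 0x20 && c != '\t') || c > 0x7e)
            return AUTH_REJECT;
    }
    /* Protocol commands are upper-case words; anything else is not one. */
    if (line[0] < 'A' || line[0] > 'Z')
        return AUTH_REJECT;
    return line_is_begin(line, len) ? AUTH_END : AUTH_CONTINUE;
}
```

Only on AUTH_END does the proxy start parsing and filtering D-Bus messages; on AUTH_REJECT it closes the connection, so nothing the proxy cannot classify ever reaches the daemon.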


