[Pkg-utopia-maintainers] Bug#888842: flatpak: D-Bus filtering can be bypassed by a crafted authentication handshake

Moritz Muehlenhoff jmm at inutil.org
Tue Jan 30 13:07:34 UTC 2018


On Tue, Jan 30, 2018 at 02:31:26PM +0000, Simon McVittie wrote:
> The Debian security team has not generally treated Flatpak sandboxing
> bypasses as security vulnerabilities, on the basis that the sandboxed
> app provides its own security policy, so no privilege boundary is crossed
> (in the absence of a curated "app store" where changes to security policy
> are audited, or a software-downloading UI that highlights security policy
> changes, neither of which is widely deployed right now). I assume this
> is still the case,

Ack, that's still the case.

Cheers,
        Moritz
