[Pkg-utopia-maintainers] Bug#984859: flatpak: sandbox escape via special tokens in .desktop file (flatpak#4146)

Simon McVittie smcv at debian.org
Tue Mar 9 10:11:09 GMT 2021


Package: flatpak
Version: 0.9.4-1
Severity: grave
Tags: patch upstream security
Justification: user security hole
Forwarded: https://github.com/flatpak/flatpak/issues/4146
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Control: close -1 1.10.1-4

flatpak since 0.9.4 has a bug in the "file forwarding" feature, which can
be used by an attacker to gain access to files that would not ordinarily
be allowed by the app's permissions.

By putting the special tokens @@ and/or @@u in the Exec field of a
Flatpak app's .desktop file, a malicious app publisher can trick flatpak
into behaving as though the user had chosen to open a target file with
their Flatpak app, which automatically makes that file available to the
Flatpak app.

There is no CVE ID available for this yet, so I'm tracking it using the
upstream issue reference flatpak#4146. I've already fixed this in unstable
and contacted the security team.

Mitigations: Flatpak apps need to be at least partially trusted, because
they are executing arbitrary code in a sandbox that is unlikely to be
fully robust against a determined attacker; the permissions are chosen by
the publisher (although end users can override them), so granting yourself
access to the desired file is a lot easier than making use of this
vulnerability and will likely have the same result for most users; and
sites like Flathub that publish apps on behalf of third-party developers
are in a position to detect and prevent this attack if they want to.

stretch does not appear to be vulnerable: the feature that had the bug
was not yet present in 0.8.x.

    smcv
