[Pkg-utopia-maintainers] Bug#995935: flatpak: GHSA-67h7-w3jq-vh4q: sandbox escape via recent VFS syscalls

Simon McVittie smcv at debian.org
Fri Oct 8 12:50:18 BST 2021


Package: flatpak
Version: 0.5.0-1
Severity: important
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q

Flatpak 1.12.0 and 1.10.4 fix a security vulnerability in the portal
support. Some recently added syscalls were not blocked by the seccomp
rules which allowed the application to create sub-sandboxes which can
confuse the sandboxing verification mechanisms of the portal. This has
been addressed by extending the seccomp rules.

Mitigation: this does not affect the standard D-Bus session or system
buses, or the AT-SPI accessibility bus, due to the way Flatpak mediates
access to those sockets with a proxy. It can affect other AF_UNIX-based
protocols, potentially including X11, Wayland, PulseAudio and Pipewire.

Mitigation: this only affects users of relatively recent kernels.

This was unexpectedly unembargoed on my day off work, so I'm preparing
updated packages ASAP but it will take me a little while...

Will the security team want to issue a DSA for this?

    smcv
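A practical way to see what this advisory is about is to probe the new mount-API syscalls from inside a sandbox and report which of them reach the kernel. The C program below is an added example for this page, not Flatpak's or Debian's code. It assumes that the "recent VFS syscalls" in question are the seven new mount-API calls (open_tree, move_mount, fsopen, fsconfig, fsmount, fspick, mount_setattr), which is what the upstream fix blocks as far as I know, and that the sandbox's seccomp filter answers with an errno rather than killing the process, as Flatpak's does. The names probe_errno, classify_errno and the PROBE_* results are this example's own.

```c
/* Added example: report which new mount-API syscalls reach the kernel from
 * the current sandbox. Not Flatpak's code; the syscall list is an assumption
 * about what the upstream fix blocks. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Since Linux 5.1 a new syscall gets the same number on every architecture,
 * so these fallbacks are portable; they only matter on libc headers that
 * predate the syscalls. */
#ifndef __NR_open_tree
#define __NR_open_tree 428
#endif
#ifndef __NR_move_mount
#define __NR_move_mount 429
#endif
#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_fspick
#define __NR_fspick 433
#endif
#ifndef __NR_mount_setattr
#define __NR_mount_setattr 442
#endif

enum probe_result {
    PROBE_REACHABLE,               /* the kernel parsed our (invalid) arguments */
    PROBE_BLOCKED,                 /* seccomp filter, or a kernel without the syscall */
    PROBE_BLOCKED_OR_UNPRIVILEGED, /* EPERM from a call that checks CAP_SYS_ADMIN first */
    PROBE_UNKNOWN
};

/* cap_first marks syscalls whose may_mount() check runs before argument
 * validation: for those, EPERM can also just mean "no CAP_SYS_ADMIN", which an
 * unprivileged probe cannot tell apart from a seccomp denial. */
struct probe { const char *name; long nr; int cap_first; };

static const struct probe probes[] = {
    { "open_tree",     __NR_open_tree,     0 },
    { "move_mount",    __NR_move_mount,    1 },
    { "fsopen",        __NR_fsopen,        1 },
    { "fsconfig",      __NR_fsconfig,      0 },
    { "fsmount",       __NR_fsmount,       1 },
    { "fspick",        __NR_fspick,        1 },
    { "mount_setattr", __NR_mount_setattr, 0 },
};

size_t probe_count(void) { return sizeof probes / sizeof probes[0]; }

/* Map the errno of a deliberately invalid call to a verdict. */
enum probe_result classify_errno(int err, int cap_first)
{
    switch (err) {
    case EINVAL: case EBADF: case E2BIG: case EOPNOTSUPP:
        return PROBE_REACHABLE;   /* the kernel's own argument checks ran */
    case ENOSYS:
        return PROBE_BLOCKED;     /* filter returning ENOSYS, or pre-5.2 kernel */
    case EPERM:
        return cap_first ? PROBE_BLOCKED_OR_UNPRIVILEGED : PROBE_BLOCKED;
    default:
        return PROBE_UNKNOWN;
    }
}

/* Issue probe i with arguments the kernel rejects before doing anything
 * (all-ones flags, or fd < 0 for fsconfig), so nothing is ever mounted.
 * Returns the errno the call produced. */
int probe_errno(size_t i)
{
    long rc = -1;
    errno = 0;
#ifdef __linux__
    switch (i) {
    case 0: rc = syscall(probes[0].nr, (long)-1, "", (unsigned long)~0U); break;
    case 1: rc = syscall(probes[1].nr, (long)-1, "", (long)-1, "", (unsigned long)~0U); break;
    case 2: rc = syscall(probes[2].nr, "", (unsigned long)~0U); break;
    case 3: rc = syscall(probes[3].nr, (long)-1, 0UL, NULL, NULL, 0L); break;
    case 4: rc = syscall(probes[4].nr, (long)-1, (unsigned long)~0U, (unsigned long)~0U); break;
    case 5: rc = syscall(probes[5].nr, (long)-1, "", (unsigned long)~0U); break;
    case 6: rc = syscall(probes[6].nr, (long)-1, "", (unsigned long)~0U, NULL, (size_t)0); break;
    default: errno = EINVAL; return EINVAL;
    }
    return rc == 0 ? 0 : errno;
#else
    (void)rc;
    (void)i;
    return ENOSYS;   /* not Linux: nothing to probe */
#endif
}

/* True when every probe failed, i.e. no probe had a side effect. */
int all_probes_fail(void)
{
    for (size_t i = 0; i < probe_count(); i++)
        if (probe_errno(i) == 0)
            return 0;
    return 1;
}

int main(void)
{
    static const char *labels[] = {
        "reachable (not blocked by the sandbox)",
        "blocked (seccomp filter, or kernel without the syscall)",
        "blocked, or unprivileged (EPERM from a CAP_SYS_ADMIN check)",
        "unknown result",
    };
    for (size_t i = 0; i < probe_count(); i++) {
        int err = probe_errno(i);
        enum probe_result r = classify_errno(err, probes[i].cap_first);
        printf("%-14s errno=%-3d %-22s %s\n", probes[i].name, err, strerror(err), labels[r]);
    }
    return 0;
}
```

Run it once on the host and once inside an app sandbox (for example via flatpak run --command=... with a Flatpak older than 1.12.0/1.10.4, then with a fixed one): an unfixed sandbox on a kernel that has these syscalls reports open_tree, fsconfig and mount_setattr as reachable, a fixed one reports them as blocked. The three "cap_first = 0" entries give an unambiguous answer because the kernel validates their flags before any privilege check; the other four check CAP_SYS_ADMIN first, so their EPERM is reported as ambiguous rather than claimed as a seccomp denial.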
