Bug ID 1202639
Summary VUL-1: flatpak: Arbitrary file deletion by flatpak-system-helper when used with pre-2018 libostree
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee os.gnome.maintainers@gmail.com
Reporter Andreas.Stieger@gmx.de
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

It was discovered that when using flatpak on multi-user systems with a very old
version of libostree, a malicious local user could potentially cause the
flatpak-system-helper service to delete arbitrary files by requesting deletion
of a crafted ref (branch) name.

Affected versions: < 0.10.2. Patched versions: >= 0.10.2.

Only very old versions are affected, and Flatpak maintainers were unable to
reproduce this in practice, so this is mostly theoretical.

Versions of libostree >= 2017.13 have better validation for ref names which
prevents this. All versions of flatpak since 0.10.2 have a mandatory dependency
on libostree >= 2017.13, so this issue can only affect very old unsupported
versions, or versions that have been significantly modified to reduce their
libostree dependency.

References:
https://github.com/flatpak/flatpak/security/advisories/GHSA-45jq-5658-v38x
https://github.com/ostreedev/ostree/pull/1286
https://github.com/flatpak/flatpak/pull/5048
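To make the failure mode concrete, the following C program is an added example written for this report; it is not libostree or flatpak code. It implements a ref-name validator whose rule set (only [A-Za-z0-9._-] inside components, no empty, "." or ".." components, no leading or trailing "/") is an assumption chosen to illustrate the kind of validation the description refers to, plus a helper that lexically checks whether an unvalidated ref would resolve outside a repository's refs directory. The sample refs are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libostree/flatpak code. The allowed character set and
 * component rules below are assumptions for illustration. */

/* Return 1 if c is allowed inside a ref component. */
static int ref_char_ok(int c)
{
    return isalnum((unsigned char)c) || c == '-' || c == '_' || c == '.';
}

/* Validate a ref (branch) name:
 *  - non-empty, no leading or trailing '/'
 *  - no empty components ("a//b")
 *  - no "." or ".." components
 *  - only [A-Za-z0-9._-] inside components
 * Returns 1 if the ref is acceptable, 0 otherwise. */
int ref_is_valid(const char *ref)
{
    if (ref == NULL || *ref == '\0')
        return 0;
    const char *p = ref;
    for (;;) {
        const char *start = p;
        while (*p && *p != '/') {
            if (!ref_char_ok(*p))
                return 0;
            p++;
        }
        size_t len = (size_t)(p - start);
        if (len == 0)
            return 0; /* leading '/', "//", or trailing '/' */
        if (len == 1 && start[0] == '.')
            return 0;
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return 0;
        if (*p == '\0')
            return 1;
        p++; /* skip '/'; the next component must be non-empty */
    }
}

/* Lexically resolve "refs_dir/ref" without touching the filesystem and report
 * whether the result climbs above refs_dir (or is absolute). This is what an
 * unvalidated ref passed to a path join followed by unlink() would do.
 * Returns 1 if the ref escapes the refs directory, 0 if it stays inside. */
int ref_escapes_refs_dir(const char *ref)
{
    if (ref == NULL || *ref == '/')
        return 1; /* absolute path is never under the refs dir */
    int depth = 0;
    const char *p = ref;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (--depth < 0)
                return 1; /* climbed above the refs directory */
        } else if (len > 0 && !(len == 1 && start[0] == '.')) {
            depth++;
        }
        if (*p == '/')
            p++;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample refs: one legitimate, the rest crafted. */
    const char *samples[] = {
        "app/org.example.App/x86_64/stable",
        "../../../etc/passwd",
        "/etc/passwd",
        "app/../../../etc/passwd",
        "a//b",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-40s valid=%d escapes_refs_dir=%d\n", samples[i],
               ref_is_valid(samples[i]), ref_escapes_refs_dir(samples[i]));
    }
    return 0;
}
```

The point of the two functions side by side is that a privileged helper which joins an untrusted ref onto its repo path and deletes the result is only safe if the ref passes a check like ref_is_valid() first; ref_escapes_refs_dir() shows which crafted names would otherwise land outside the repository.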

