[Bug 1202639] New: VUL-1: flatpak: Arbitrary file deletion by flatpak-system-helper when used with pre-2018 libostree
http://bugzilla.opensuse.org/show_bug.cgi?id=1202639

            Bug ID: 1202639
           Summary: VUL-1: flatpak: Arbitrary file deletion by
                    flatpak-system-helper when used with pre-2018 libostree
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.4
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: os.gnome.maintainers@gmail.com
          Reporter: Andreas.Stieger@gmx.de
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

It was discovered that when using flatpak on multi-user systems with a very
old version of libostree, a malicious local user could potentially cause the
flatpak-system-helper service to delete arbitrary files by requesting deletion
of a crafted ref (branch) name.

Affects versions: < 0.10.2
Patched versions: >= 0.10.2

Only very old versions are affected, and Flatpak maintainers were unable to
reproduce this in practice, so this is mostly theoretical. Versions of
libostree >= 2017.13 have better validation for ref names which prevents this.
All versions of flatpak since 0.10.2 have a mandatory dependency on
libostree >= 2017.13, so this issue can only affect very old unsupported
versions, or versions that have been significantly modified to reduce their
libostree dependency.

References:
https://github.com/flatpak/flatpak/security/advisories/GHSA-45jq-5658-v38x
https://github.com/ostreedev/ostree/pull/1286
https://github.com/flatpak/flatpak/pull/5048

-- 
You are receiving this mail because:
You are on the CC list for the bug.
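Added illustration (editor's example; not code from flatpak, libostree, or the bug reporter) of the class of check the advisory credits to libostree >= 2017.13. A privileged service that builds the on-disk path of a ref from an unvalidated, client-supplied name can be steered outside its refs directory by a name containing ".." components, and whatever it then unlinks is the attacker's choice; validating the name before any path is computed closes that. The validation rules, the refs/heads layout, the repository directory and the sample ref names below are assumptions of this example, not the actual ostree implementation.

```c
/* Added example, not flatpak or libostree code. Validates a ref (branch) name
 * before it is turned into a filesystem path, beside the unchecked pattern that
 * lets a crafted name escape the refs directory. Rules and layout are assumed. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REF_LEN 255   /* assumed upper bound on a ref name */

/* One '/'-separated component of a ref: non-empty, no leading '.', no
 * control or whitespace bytes, no backslash (alternate separator on some
 * platforms) and no ':' (refspec remote separator). Assumed rule set. */
static bool component_ok(const char *start, size_t len)
{
    if (len == 0 || start[0] == '.')
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)start[i];
        if (c < 0x20 || c == 0x7f || isspace(c) || c == '\\' || c == ':')
            return false;
    }
    return true;
}

/* Whole ref: bounded length, no leading or trailing '/', every component ok.
 * Rejecting empty and dot-leading components kills "..", ".", and "a//b". */
bool validate_ref_name(const char *ref)
{
    if (ref == NULL)
        return false;
    size_t n = strlen(ref);
    if (n == 0 || n > MAX_REF_LEN || ref[0] == '/' || ref[n - 1] == '/')
        return false;

    const char *p = ref;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (!component_ok(p, len))
            return false;
        if (slash == NULL)
            return true;
        p = slash + 1;
    }
}

/* Unsafe pattern: repo_dir + "/refs/heads/" + ref with no validation. With
 * ref = "../../../../etc/passwd" the result points outside the repository,
 * and a root helper that unlinks it deletes a file it never meant to touch. */
char *naive_ref_path(const char *repo_dir, const char *ref)
{
    size_t n = strlen(repo_dir) + strlen("/refs/heads/") + strlen(ref) + 1;
    char *path = malloc(n);
    if (path != NULL)
        snprintf(path, n, "%s/refs/heads/%s", repo_dir, ref);
    return path;
}

/* Hardened pattern: no path is computed for a ref that fails validation, so
 * the deletion step cannot be pointed outside refs/heads. Returns NULL on an
 * invalid name; the caller must then fail the request. */
char *checked_ref_path(const char *repo_dir, const char *ref)
{
    if (!validate_ref_name(ref))
        return NULL;
    return naive_ref_path(repo_dir, ref);
}

/* Lexical escape check used only to show the difference: true if any
 * component of path is "..". Does not resolve symlinks. */
bool path_escapes(const char *path)
{
    for (const char *p = path; ; ) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (slash == NULL)
            return false;
        p = slash + 1;
    }
}

int main(void)
{
    /* Constructed sample refs: one flatpak-style ref, the rest crafted. */
    const char *repo = "/var/lib/flatpak/repo";   /* assumed repo location */
    const char *refs[] = { "app/org.example.App/x86_64/stable",
                           "../../../../etc/passwd", "x/../y", "a//b", "a b" };
    for (size_t i = 0; i < sizeof refs / sizeof refs[0]; i++) {
        char *unsafe = naive_ref_path(repo, refs[i]);
        char *safe = checked_ref_path(repo, refs[i]);
        printf("%-36s naive=%s (escapes: %s) checked=%s\n", refs[i], unsafe,
               path_escapes(unsafe) ? "yes" : "no", safe ? safe : "REJECTED");
        free(unsafe);
        free(safe);
    }
    return 0;
}
```

Build with cc -std=c11 -Wall and run; the crafted names get a naive path that leaves the repository and are rejected by the checked variant, while the legitimate ref resolves to the same path either way. Validation like this belongs in the privileged helper itself, not only in the unprivileged client, since the client is the attacker in this scenario.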
http://bugzilla.opensuse.org/show_bug.cgi?id=1202639
http://bugzilla.opensuse.org/show_bug.cgi?id=1202639#c1

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #1 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
openSUSE-maintained packages are not affected; they ship a newer version.
Tumbleweed was fixed in 2017. The fix included in Flatpak will be defense in
depth.