Version: 1.10.8-0+deb11u3
On Sat, 28 Sep 2024 at 14:24:41 +0100, Simon McVittie wrote:
> https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87
> This is fixed in stable, testing and unstable but I'm opening a bug to
> represent this in (E)LTS. I am not intending to work on this vulnerability
> in (E)LTS myself.
Fixes for this appear to have been backported by Adrian Bunk:
flatpak (1.10.8-0+deb11u3) bullseye-security; urgency=medium
  .
  * Non-maintainer upload by the LTS Team.
  * CVE-2024-42472: Access to files outside sandbox
Thanks!
LTS team members are welcome to push those changes and their tags to the
debian/bullseye branches in <https://salsa.debian.org/debian/flatpak> and
<https://salsa.debian.org/debian/bubblewrap> if that would be helpful.
> There are several options for how it could be addressed:
> ...
> 2. Backport the --bind-fd feature to an older bubblewrap, give Flatpak a
> suitable versioned dependency on it, and release both packages in a
> single DLA
This seems to be the route that Adrian chose.
smcv