Package: flatpak-builder
Version: 1.4.5-1
Severity: important
Tags: upstream
Forwarded: https://github.com/flatpak/flatpak-builder/security/advisories/GHSA-6gm9-3g7m-3965
X-Debbugs-Cc: Debian Security Team <[email protected]>
If flatpak-builder is used to build a Flatpak app from a malicious
manifest or source code, a path traversal vulnerability in versions
1.4.5+ can be used to copy sensitive/secret files from the host system
into the app.

Luckily trixie and older are not believed to have the vulnerable
feature (trixie has flatpak-builder 1.4.4).

A mitigation is that if you only build Flatpak apps that you trust (the
most likely use case) there is no problem, so I've reported this as
non-RC (but please escalate to RC if the security team disagrees).

This is mainly a problem for centralized services like Flathub that want
to build untrusted or only-semi-trusted Flatpak apps from source.
smcv
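The bug class described in the report above (a build tool copying files named by an untrusted manifest or source tree, where a `..` path or a symlink escapes the source directory and pulls host files into the build output) is generic, so here is an added example of the containment check a build tool should apply before copying. This is illustrative code written for this page, not flatpak-builder's code, and it does not reproduce the advisory's actual bug; the function names (`resolve_within`, `copy_listed_files`, `run_checks`) and the constructed source tree are assumptions of the example.

```python
import os
import tempfile


def resolve_within(base_dir: str, relative_path: str):
    """Resolve relative_path against base_dir and return the real absolute path,
    or None if the result lies outside base_dir.

    Both '..' segments and symlinks are resolved by os.path.realpath before the
    containment check, so a symlink inside the tree that points at the host
    filesystem is rejected just like a literal '../../etc/passwd'.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative_path))
    # commonpath compares whole path components, so "/src-evil" does not
    # count as being inside "/src" the way a string-prefix check would.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def copy_listed_files(source_dir: str, listed_paths):
    """Split a manifest-style list of paths into accepted and rejected entries
    (hypothetical stand-in for a build tool's copy step).

    Returns (accepted, rejected). Accepted entries are resolved real paths;
    rejected entries are the original strings so they can be logged.
    """
    accepted, rejected = [], []
    for p in listed_paths:
        resolved = resolve_within(source_dir, p)
        if resolved is None:
            rejected.append(p)
        else:
            accepted.append(resolved)
    return accepted, rejected


def run_checks():
    """Build a constructed source tree in temp dirs and exercise the check.

    Returns a dict of booleans so the outcome can be inspected programmatically.
    """
    results = {}
    with tempfile.TemporaryDirectory() as outside_tmp, \
            tempfile.TemporaryDirectory() as src_tmp:
        outside = os.path.realpath(outside_tmp)  # stands in for the host
        src = os.path.realpath(src_tmp)          # stands in for the source tree

        # Constructed "host secret" that must never reach the build output.
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as f:
            f.write("constructed host secret\n")

        # Legitimate source file inside the tree.
        good = os.path.join(src, "main.c")
        with open(good, "w") as f:
            f.write("int main(void) { return 0; }\n")

        # Symlink inside the tree that points at the host file.
        os.symlink(secret, os.path.join(src, "innocent.txt"))

        dotdot_escape = os.path.relpath(secret, src)  # e.g. ../tmpXXXX/secret.txt
        listed = [
            "main.c",                               # plain file: accept
            "innocent.txt",                         # symlink escape: reject
            dotdot_escape,                          # '..' escape: reject
            os.path.join("sub", "..", "main.c"),    # '..' that stays inside: accept
        ]
        accepted, rejected = copy_listed_files(src, listed)
        results["plain_file_accepted"] = good in accepted
        results["symlink_escape_rejected"] = "innocent.txt" in rejected
        results["dotdot_escape_rejected"] = dotdot_escape in rejected
        results["internal_dotdot_accepted"] = accepted.count(good) == 2
        results["nothing_else_rejected"] = len(rejected) == 2
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The check deliberately resolves symlinks before comparing, because a lexical `..` filter alone misses the symlink case; a service that builds semi-trusted sources, as the report describes, should also treat any rejected entry as a build failure rather than silently skipping it.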
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers