Package: flatpak
Version: 0.8.5-2
Severity: important
Tags: security

In Flatpak versions prior to 0.9.9 (mainline) and 0.8.8 (0.8.x), the flatpak-dbus-proxy that is optionally used to filter D-Bus traffic did not forbid match rules with eavesdrop="true", as used by dbus-monitor versions prior to 1.9.10. Such match rules could be used by a sandboxed app to spy on non-sandboxed apps' D-Bus session bus method calls (a local confidentiality breach).

Apps that are configured to have unrestricted D-Bus access ([Context] sockets=session-bus;, see flatpak-metadata(5)) can do this even in later versions, but this is not considered to be a bug: unrestricted D-Bus access is just as unrestricted as you might expect it to be.

Mitigations:

* The apps that could exploit this are not entirely untrusted (the user has chosen to install and run them, and in particular has given them access to the attack surface of the Linux kernel)
* In practical sandboxed apps, the ability to spy on X11 (which everything is going to need to have until Wayland is ubiquitous) is more sensitive than the ability to spy on D-Bus
* We can't spy on the system bus like this, because of the security boundary between users

My guess is that the security team is not interested in issuing a DSA for this vulnerability and would prefer me to issue a stable update (I'm going to ask the SRMs whether they'll accept 0.8.8 into stable, and if not, propose a 0.8.7-2~deb9u2 version). Is my guess correct?

Thanks,
smcv
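The check a filtering proxy has to make on every AddMatch call is the core of the fix described above. The following is an added example, not flatpak-dbus-proxy's own code: it parses a D-Bus match rule according to the syntax in the D-Bus specification and denies any rule that sets eavesdrop to something other than 'false', unless the client has been granted unrestricted bus access (the [Context] sockets=session-bus; case, which the report says is intentionally unfiltered). The function names and the sample rules are constructed for this example.

```python
"""Reject D-Bus AddMatch rules that request eavesdropping.

Added example, not flatpak's code: a minimal model of the AddMatch check a
D-Bus filtering proxy must apply to rules sent by a sandboxed client. The
parser follows the match-rule syntax from the D-Bus specification; the
sample rules at the bottom are constructed.
"""


def parse_match_rule(rule: str) -> dict:
    """Parse a D-Bus match rule into {key: value}.

    Syntax (D-Bus spec): comma-separated key=value pairs. A value may be
    unquoted or enclosed in single quotes. Inside quotes a backslash is a
    literal character; outside quotes a backslash escapes the next character
    (so a literal comma is written \\, or ','). Duplicate keys are an error.
    """
    parsed = {}
    i, n = 0, len(rule)
    while i < n:
        eq = rule.find("=", i)
        if eq < 0:
            raise ValueError("match rule element without '=': %r" % rule[i:])
        key = rule[i:eq]
        if not key:
            raise ValueError("empty key in match rule")
        i = eq + 1
        value = []
        in_quote = False
        while i < n:
            c = rule[i]
            if in_quote:
                if c == "'":
                    in_quote = False
                else:
                    value.append(c)
            elif c == "'":
                in_quote = True
            elif c == "\\" and i + 1 < n:
                i += 1                      # escaped character outside quotes
                value.append(rule[i])
            elif c == ",":
                break                       # end of this key=value element
            else:
                value.append(c)
            i += 1
        if in_quote:
            raise ValueError("unterminated quote in match rule")
        if key in parsed:
            raise ValueError("duplicate key %r in match rule" % key)
        parsed[key] = "".join(value)
        i += 1                              # step over the separating comma
    return parsed


def check_add_match(rule: str, eavesdrop_allowed: bool = False):
    """Decide whether a proxy should forward an AddMatch call.

    Returns (allowed, reason). A rule setting eavesdrop to anything other
    than 'false' is denied unless the client has unrestricted bus access.
    Unparseable rules are denied as well: a filter must not forward what it
    cannot interpret, and the bus would reject them anyway.
    """
    try:
        parsed = parse_match_rule(rule)
    except ValueError as exc:
        return False, "malformed match rule: %s" % exc
    eavesdrop = parsed.get("eavesdrop", "false")
    if eavesdrop != "false" and not eavesdrop_allowed:
        return False, "rule requests eavesdrop=%r" % eavesdrop
    return True, "ok"


# Constructed sample rules: the first two are the shape an old dbus-monitor
# sent (quoted and unquoted forms); the third is an ordinary signal match.
SAMPLE_RULES = [
    "type='method_call',eavesdrop='true'",
    "type=signal,eavesdrop=true",
    "type='signal',interface='org.freedesktop.DBus.Properties'",
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        allowed, why = check_add_match(r)
        print("%-60s %s (%s)" % (r, "ALLOW" if allowed else "DENY", why))
```

Note that the parser has to handle the quoted and unquoted value forms identically: a filter that only looked for the literal substring `eavesdrop='true'` would let `eavesdrop=true` through.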