On Tue, Jul 7, 2026 at 8:36 AM Sebastian Wick <[email protected]> wrote:
>
> Hello everyone,
>
> tl;dr: Fedora currently ships at least one package (wine), which when
> installed, provides malicious Flatpak applications a trivial way to
> escape the sandbox. We should audit all packages for similar issues,
> patch them downstream, and report the issue upstream.
>
> Flatpak applications can use the OpenURI Portal to open files in other
> applications. Which application is launched is determined by the XDG
> desktop-entry-spec. It also is clear on the security implications of
> having handlers which execute arbitrary code (man 1 xdg-mime):
>
>     Security Note: Never set a handler that will blindly execute code
>     or commands from the file being handled. Such behaviour will sooner
>     than later lead to unintended code execution i.e. through a curious
>     user trying to inspect a freshly downloaded file but running it by
>     accident.
>
>     Keeping opening and executing separate actions helps with people
>     protecting themselves from malware, the default handler is an
>     opener, not a runner.
>
> If there is a handler which executes arbitrary code, a sandboxed
> application can create a file to be executed, and use OpenURI to
> execute it. This is a complete sandbox escape.
>
> We at GNOME take those very seriously, and have fixed vulnerabilities
> in applications which accidentally do run arbitrary code:
> https://blogs.gnome.org/mcatanzaro/2026/05/11/flatpak-sandbox-escape-via-yelp/
>
> However, there are other projects out there where those obvious
> vulnerabilities are disputed. Wine for example has not taken any
> action and repeatedly denied any responsibility for it:
> https://bugs.winehq.org/show_bug.cgi?id=59767
>
> They argue that this can't be an issue on their side because this
> behavior was introduced in 2004. The behavior was never a good idea
> (see man 1 xdg-mime above). The handler that wine ships also bypasses
> the executable bit. If you download an ELF or sh file in your browser
> and open it, it will not run. If you download an exe, it will.
>
> Fedora has a responsibility to keep their users secure. We have to
> patch the desktop file in wine to remove the MIME handler.
>

I don't entirely agree with this assessment. Fixing the handler so
that it doesn't execute it if it's not marked executable would largely
mitigate this problem too. But yes, I also agree with the Wine folks
that users expect double-clicking to work, so that behavior needs to
remain in effect.




-- 
真実はいつも一つ!/ Always, there's only one truth!
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to