
Arbitrary file deletion by flatpak-system-helper when used with pre-2018 libostree

Moderate
mwleeds published GHSA-45jq-5658-v38x Aug 23, 2022

Package

Flatpak (freedesktop.org)

Affected versions

< 0.10.2

Patched versions

>= 0.10.2

Description

Impact

On multi-user systems with a very old version of libostree, a malicious local user could potentially cause the flatpak-system-helper service to delete arbitrary files by requesting deletion of a crafted ref (branch) name.

Only very old versions are affected, and Flatpak maintainers were unable to reproduce this in practice, so this is mostly theoretical.

Patches

Versions of libostree >= 2017.13 have stricter validation of ref names, which prevents this. All versions of flatpak since 0.10.2 have a mandatory dependency on libostree >= 2017.13, so this issue can only affect very old, unsupported versions, or versions that have been significantly modified to reduce their libostree dependency.

For completeness, #5048 (not yet merged) adds similar validation at the Flatpak level.
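The defensive property both fixes rely on is that a ref name supplied by an unprivileged caller must never be able to steer the privileged helper's filesystem operations outside the repository's refs directory. The following is an added illustration, not code from flatpak, libostree or #5048: a small C validator with rules chosen for this example (an allow-listed character set, no leading, trailing or empty path components, and no "." or ".." components), plus a path builder that refuses to construct a filesystem path for any ref that fails validation. The exact rules libostree applies are not reproduced here; the repository path and ref layout used below are assumptions for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Validation rules assumed for this example (not libostree's exact checks):
 *   - non-empty, ASCII only, characters limited to [A-Za-z0-9._-] and '/'
 *   - no leading or trailing '/', no empty component ("//")
 *   - no component equal to "." or "..", which blocks directory traversal
 */
static bool component_ok(const char *start, size_t len)
{
    if (len == 0)
        return false;                      /* leading, trailing or doubled '/' */
    if (len == 1 && start[0] == '.')
        return false;                      /* "." component */
    if (len == 2 && start[0] == '.' && start[1] == '.')
        return false;                      /* ".." component: traversal */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)start[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return false;                  /* anything outside the allow-list */
    }
    return true;
}

/* Returns true only if every '/'-separated component of ref passes component_ok. */
bool ref_name_is_valid(const char *ref)
{
    if (ref == NULL || ref[0] == '\0')
        return false;
    const char *p = ref;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (!component_ok(p, len))
            return false;
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return true;
}

/* Builds "<repo>/refs/heads/<ref>" (layout assumed for the example) into out.
 * Returns 0 on success, -1 if the ref is rejected or the buffer is too small;
 * out is only written on success, so a rejected ref never yields a path. */
int ref_to_path(const char *repo, const char *ref, char *out, size_t outlen)
{
    if (!ref_name_is_valid(ref))
        return -1;
    int n = snprintf(out, outlen, "%s/refs/heads/%s", repo, ref);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed ref and several malformed ones. */
    const char *samples[] = {
        "app/org.example.App/x86_64/stable",
        "../../etc/passwd",
        "app/../../../tmp/x",
        "/absolute/ref",
        "double//slash",
        "trailing/",
    };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = ref_to_path("/var/lib/flatpak/repo", samples[i], path, sizeof path);
        printf("%-36s -> %s\n", samples[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

The important design point is ordering: the validator runs before any path is assembled, so the privileged code never holds a path derived from an unvalidated ref. Validation of this kind belongs in the privileged helper itself (as #5048 proposes at the Flatpak level), since a check performed only in the unprivileged client can be bypassed by any local user who talks to the helper directly.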

Workarounds

None known. Note that none of the affected versions of flatpak are supported or updated by the Flatpak developers, and all have unrelated security vulnerabilities that are more serious than this one.

References

For more information

https://github.com/flatpak/flatpak/blob/HEAD/SECURITY.md

Severity

Moderate

CVE ID

No known CVE
