Announce: Flatpak 1.12.4 (security update regression fix)
Simon McVittie
smcv at collabora.com
Tue Jan 18 20:50:17 UTC 2022
Available here:
https://github.com/flatpak/flatpak/releases/tag/1.12.4
$ sha256sum -b flatpak-1.12.4.tar.xz
792e6265f7f6d71b2a087028472a048287bed2587e43d2eec2c31d360c16211c *flatpak-1.12.4.tar.xz
This is a regression fix update, reverting non-backwards-compatible
behaviour changes in the solution previously chosen for CVE-2022-21682.
Flatpak 1.12.3 and 1.10.6 changed the behaviour of --nofilesystem=host
and --nofilesystem=home in a way that was not backwards-compatible in
all cases. For example, some Flatpak users previously used a global
flatpak override --nofilesystem=home or
flatpak override --nofilesystem=host, but expected that individual apps
would still be able to have finer-grained filesystem access granted by the
app manifest, such as Zoom's --filesystem=~/Documents/Zoom:create. With
the changes in 1.12.3, this no longer had the intended result, because
--nofilesystem=home was special-cased to disallow inheriting the
finer-grained --filesystem.
Flatpak 1.12.4 and 1.10.7 return to the previous behaviour of
--nofilesystem=host and --nofilesystem=home. Instead, CVE-2022-21682
will be resolved by a new 1.2.2 release of flatpak-builder, which will
use a new option --nofilesystem=host:reset introduced in Flatpak 1.12.4
and 1.10.7. In addition to behaving like --nofilesystem=host, the new
option prevents filesystem permissions from being inherited from the
app manifest.
Other changes:
* Clarify documentation of --nofilesystem
* Improve unit test coverage around --filesystem and --nofilesystem
* Restore compatibility with older appstream-glib versions, fixing a
regression in 1.12.3
--
Simon McVittie, Collabora Ltd.
on behalf of the Flatpak maintainers
More information about the Flatpak
mailing list