system-helper: Validate ref arg in RemoveLocalRef method

This patch could be important in case the ref arg was maliciously
crafted to try to convince flatpak-system-helper to delete an arbitrary
file on the filesystem. However, in practice (a) recent versions of
libostree will not accept such a ref name which has e.g. "../" in it
thanks to https://github.com/ostreedev/ostree/pull/1286, and (b) even on
ancient versions of Flatpak that use a version of libostree without the
aforementioned patch, the exploit does not appear to be successful, at
least on Debian 9.

See https://github.com/flatpak/flatpak/security/advisories/GHSA-45jq-5658-v38x
This commit is contained in:
Phaedrus Leeds
2022-07-23 20:10:24 -05:00
parent dc82a19dc5
commit 3a05714e2b


@@ -1275,6 +1275,7 @@ handle_remove_local_ref (FlatpakSystemHelper *object,
{
g_autoptr(FlatpakDir) system = NULL;
g_autoptr(GError) error = NULL;
g_autoptr(FlatpakDecomposed) ref = NULL;
g_debug ("RemoveLocalRef %u %s %s %s", arg_flags, arg_remote, arg_ref, arg_installation);
@@ -1299,6 +1300,13 @@ handle_remove_local_ref (FlatpakSystemHelper *object,
return G_DBUS_METHOD_INVOCATION_HANDLED;
}
ref = flatpak_decomposed_new_from_ref (arg_ref, &error);
if (ref == NULL)
{
g_dbus_method_invocation_return_gerror (invocation, error);
return G_DBUS_METHOD_INVOCATION_HANDLED;
}
if (!flatpak_dir_ensure_repo (system, NULL, &error))
{
g_dbus_method_invocation_return_gerror (invocation, error);
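
Review bot: In the second hunk, the `ref` returned by `flatpak_decomposed_new_from_ref (arg_ref, &error)` is only checked against NULL in the lines shown, so the parse acts purely as a validity gate on the caller-supplied string. If the code after `flatpak_dir_ensure_repo` still passes the raw `arg_ref` onward, consider passing the validated value (for example via `flatpak_decomposed_get_ref (ref)`) so that the string acted on is the one that was checked, or add a short comment above the call saying the parse exists to reject refs such as those containing "../" before any filesystem work. Placing the check before `flatpak_dir_ensure_repo` is the right order, since a malformed ref is rejected before the repo is touched. The commit message says the exploit did not appear to succeed on older versions; a regression test that calls RemoveLocalRef with a ref containing "../" and expects an error return would make that behaviour explicit rather than dependent on the libostree version.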