mirror of
https://github.com/flatpak/flatpak.git
synced 2026-05-16 20:56:52 -04:00
This patch could be important in case the ref arg was maliciously crafted to try to convince flatpak-system-helper to delete an arbitrary file on the filesystem. However, in practice (a) recent versions of libostree will not accept such a ref name which has e.g. "../" in it thanks to https://github.com/ostreedev/ostree/pull/1286, and (b) even on ancient versions of Flatpak that use a version of libostree without the aforementioned patch, the exploit does not appear to be successful, at least on Debian 9. See https://github.com/flatpak/flatpak/security/advisories/GHSA-45jq-5658-v38x.
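The commit message relies on libostree rejecting ref names that contain path-traversal components before a privileged helper turns them into filesystem paths. As an added illustration of that kind of check, the following C is a hypothetical validator written for this page; it is not flatpak's or libostree's own code, not the change in ostree PR 1286, and not the fix referenced in the advisory. The `refs/heads/<ref>` layout under the repository directory and the set of rejected characters are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ref-name validation (not libostree's). A ref is a '/'-separated
 * path relative to refs/heads/; we reject anything that could step out of that
 * directory or smuggle in characters a shell, log or path joiner may mishandle. */
static bool component_is_safe(const char *start, size_t len) {
    if (len == 0)                                        /* "a//b", "/a", "a/" */
        return false;
    if (len == 1 && start[0] == '.')                     /* "." */
        return false;
    if (len == 2 && start[0] == '.' && start[1] == '.')  /* ".." is the traversal case */
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)start[i];
        if (c < 0x20 || c == 0x7f)                       /* control characters, NUL already ended the string */
            return false;
        if (c == '\\' || c == ' ' || c == '~' || c == '^' || c == ':' ||
            c == '?' || c == '*' || c == '[')            /* assumed blacklist, loosely git-style */
            return false;
    }
    return true;
}

/* Returns true only if every '/'-separated component of ref is acceptable. */
bool ref_name_is_safe(const char *ref) {
    if (ref == NULL || ref[0] == '\0' || ref[0] == '/')
        return false;                                     /* empty or absolute */
    if (strlen(ref) > 255)
        return false;                                     /* arbitrary length cap */
    const char *p = ref;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (!component_is_safe(p, len))
            return false;
        if (slash == NULL)
            return true;
        p = slash + 1;
        if (*p == '\0')
            return false;                                 /* trailing slash */
    }
}

/* Scratch buffer so the join result can be inspected without the caller
 * allocating one (constructed for this example). */
char g_ref_path[512];

/* Join the repo directory and ref only after validation. Returns false when the
 * ref is rejected or the result would not fit, so the caller never sees a
 * half-built path. The refs/heads layout is an assumption of this example. */
bool build_ref_path(const char *repo_dir, const char *ref, char *out, size_t outlen) {
    if (!ref_name_is_safe(ref))
        return false;
    int n = snprintf(out, outlen, "%s/refs/heads/%s", repo_dir, ref);
    return n > 0 && (size_t)n < outlen;
}

int main(void) {
    /* Constructed sample inputs: one well-formed Flatpak-style ref, one traversal attempt. */
    const char *inputs[] = { "app/org.example.App/x86_64/stable", "../../etc/passwd" };
    for (size_t i = 0; i < 2; i++) {
        if (build_ref_path("/var/lib/flatpak/repo", inputs[i], g_ref_path, sizeof g_ref_path))
            printf("accepted: %s -> %s\n", inputs[i], g_ref_path);
        else
            printf("rejected: %s\n", inputs[i]);
    }
    return 0;
}
```

The point of the design is that the check runs on the ref string itself, before any path is built, rather than trying to canonicalize the joined path afterwards; a component-wise scan is easy to audit and gives no ambiguous cases for ".." to hide in.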