
Flatpak – a security nightmare – 2 years later (2020)


Flatpak - a security nightmare

Almost all popular apps on Flathub still come with filesystem=host or filesystem=home permissions, in other words, write access to the user home directory (and more), so all it takes to escape the sandbox is a trivial echo download_and_execute_evil >> ~/.bashrc. The most popular applications on Flathub still suffer from this - Gimp, VSCodium, PyCharm, Octave, Inkscape, Audacity, VLC are still not sandboxed. The first unpatched vulnerable dependency I found in the official runtime is ffmpeg in version 4.2.1 with no security patches backported, CVE-2020-12284.
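The practical defender's check for the problem described above is to find which installed apps hold writable host or home filesystem access and to take it away with a per-user override. The POSIX shell script below is an added example, not code from the article or from the Flatpak project. It assumes the ini-style metadata layout that `flatpak info --show-permissions` prints (a `[Context]` section with a `filesystems=` key holding `;`-separated entries, optionally suffixed with `:ro`, `:rw` or `:create`, and `!`-prefixed entries meaning denied), and the sample metadata embedded in it is constructed.

```shell
#!/bin/sh
# Audit Flatpak app metadata for writable host/home filesystem access
# and show the override that removes it. Added example, not Flatpak code.

# classify_permissions METADATA_TEXT
# Prints "broad-write" when the [Context] filesystems list grants writable
# access to "host" or "home" (the escape described in the article needs
# write access to ~), otherwise "scoped". Read-only (":ro") and denied ("!")
# entries do not count as broad write access.
classify_permissions() {
  printf '%s\n' "$1" | awk '
    /^\[/ { section = $0 }
    section == "[Context]" && /^filesystems=/ {
      sub(/^filesystems=/, "")
      n = split($0, fs, ";")
      for (i = 1; i <= n; i++) {
        entry = fs[i]
        if (entry == "" || substr(entry, 1, 1) == "!") continue
        mode = "rw"                       # default mode in Flatpak is writable
        if (match(entry, /:(ro|rw|create)$/)) {
          mode = substr(entry, RSTART + 1)
          entry = substr(entry, 1, RSTART - 1)
        }
        if ((entry == "host" || entry == "home") && mode != "ro") broad = 1
      }
    }
    END { print (broad ? "broad-write" : "scoped") }'
}

# audit_installed: run the classifier over every installed app. Assumes the
# real flatpak CLI (`flatpak list --app --columns=application`,
# `flatpak info --show-permissions APP`); only useful on a host with flatpak.
audit_installed() {
  flatpak list --app --columns=application | while read -r app; do
    verdict=$(classify_permissions "$(flatpak info --show-permissions "$app")")
    printf '%s\t%s\n' "$app" "$verdict"
    if [ "$verdict" = "broad-write" ]; then
      # Suggested per-user mitigation; run it yourself after reviewing the app.
      printf '  mitigation: flatpak override --user --nofilesystem=host --nofilesystem=home %s\n' "$app"
    fi
  done
}

# Constructed sample metadata (not from any real Flathub app) so the
# classifier can be exercised offline.
SAMPLE_BROAD='[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/20.08

[Context]
shared=network;ipc;
sockets=x11;wayland;
filesystems=host;xdg-run/gvfs;
'
SAMPLE_SCOPED='[Context]
filesystems=xdg-download;home:ro;!host;
'

printf 'constructed editor sample: %s\n' "$(classify_permissions "$SAMPLE_BROAD")"
printf 'constructed scoped sample: %s\n' "$(classify_permissions "$SAMPLE_SCOPED")"
if command -v flatpak >/dev/null 2>&1; then
  audit_installed
fi
```

On a real system the `audit_installed` pass lists each app with its verdict; the suggested `flatpak override --user --nofilesystem=...` command is printed rather than executed so that an app which genuinely needs home access (an editor opening arbitrary project directories) can be reviewed before its permissions are cut, and a scoped replacement such as `--filesystem=xdg-documents` granted instead.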
