Flatpak xdg-desktop-portal Symlink Attack Vulnerability Allowing Arbitrary File Trashing
Vulnerability
A vulnerability in Flatpak's xdg-desktop-portal prior to 1.20.4 and 1.21.x prior to 1.21.1 allows any Flatpak application to trash files on the host system. The issue is a symlink attack that exploits a time-of-check/time-of-use (TOCTOU) race in the Trash portal: the portal calls g_file_trash on a path that the application can alter between the portal's check and the trash operation, so the file actually trashed can be an arbitrary host file rather than the one that was checked.
Impact
Exploitation of this vulnerability allows a sandboxed Flatpak application to trash (delete) arbitrary files on the host system without authorization.
Reproduction
To reproduce this vulnerability, a Flatpak application is crafted to ask the Trash portal to trash a file the application owns. After the portal has checked that file, the application replaces it with a symlink, using the window between the ownership check and the trash operation. The portal then trashes the target of the symlink on the host system, effectively deleting an arbitrary host file.
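The defensive pattern this kind of race calls for, as an added example (not xdg-desktop-portal's own code or its actual fix): every property is read from the open descriptor rather than the path, the claimed path is rejected if any component is a symlink, and the move itself is done by name relative to an open parent-directory descriptor. The function names and the temp-directory fixture are constructed for this page.

```python
import os
import stat
import tempfile

def trash_via_descriptor(fd, claimed_path, trash_dir, caller_uid):
    """Properties come from the descriptor (which the requester cannot swap); the
    path may cross no symlink; the move is by name relative to an open parent fd."""
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != caller_uid:
        raise PermissionError("not a regular file owned by the requester")
    if os.path.realpath(claimed_path) != claimed_path:  # relative or symlink component
        raise PermissionError("path is relative or crosses a symlink")
    parent, name = os.path.split(claimed_path)
    dirfd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        ent = os.stat(name, dir_fd=dirfd, follow_symlinks=False)
        if (ent.st_dev, ent.st_ino) != (st.st_dev, st.st_ino):
            raise PermissionError("path no longer names the inode that was checked")
        dest = os.path.join(trash_dir, name)
        os.rename(name, dest, src_dir_fd=dirfd)  # renameat(2): source is name-in-dirfd
        return dest
    finally:
        os.close(dirfd)

def run_demo():
    """Constructed fixture: app-owned files, a 'host' file outside the app dir, two planted symlinks."""
    base = os.path.realpath(tempfile.mkdtemp())
    app, host, trash = (os.path.join(base, d) for d in ("app", "host", "trash"))
    for d in (app, host, trash):
        os.mkdir(d)
    own, other, victim = (os.path.join(app, "own.txt"), os.path.join(app, "other.txt"),
                          os.path.join(host, "victim.txt"))
    for p in (own, other, victim):
        open(p, "w").close()
    os.symlink(victim, os.path.join(app, "link.txt"))  # file-level symlink
    os.symlink(host, os.path.join(app, "sub"))         # directory-level symlink
    uid, results = os.getuid(), {}
    fd = os.open(own, os.O_RDONLY)
    results["own_trashed"] = os.path.exists(trash_via_descriptor(fd, own, trash, uid))
    os.close(fd)
    fd = os.open(victim, os.O_RDONLY)  # the inode a hostile requester wants acted on
    for label, path in (("file_symlink", os.path.join(app, "link.txt")),
                        ("dir_symlink", os.path.join(app, "sub", "victim.txt")),
                        ("inode_mismatch", other)):
        try:
            trash_via_descriptor(fd, path, trash, uid)
            results[label] = "trashed"
        except PermissionError:
            results[label] = "refused"
    os.close(fd)
    results["victim_intact"] = os.path.exists(victim)
    return results
```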
Remediation
Update xdg-desktop-portal to version 1.20.4 (for the 1.20.x series) or 1.21.1 (for the 1.21.x series) to address this vulnerability.