Flatpak 1.10.2 Update Fixes Sandbox Isolation Vulnerability

A corrective update of the Flatpak toolkit for self-contained packages, Flatpak 1.10.2, is available. It fixes a vulnerability (CVE-2021-21381) that allows the author of an application package to bypass the configured sandbox isolation mode and access files on the host system. The problem has been present since release 0.9.4.

The vulnerability is caused by a bug in the implementation of the "file forwarding" feature, which makes it possible, by manipulating the .desktop file, to access resources in the external file system that the running application is not allowed to touch. When files are marked with the "@@" and "@@u" tags in the Exec field, flatpak assumes the specified target files were explicitly chosen by the user and automatically forwards access to them into the sandbox. The vulnerability could be exploited by the authors of malicious packages to obtain access to external files while appearing to run in isolated mode.
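Because the forwarding markers are meant to wrap values a launcher substitutes at run time (the %f / %u field codes of the Desktop Entry specification), a literal path or URI baked between "@@" ... "@@" or "@@u" ... "@@" in a package's exported .desktop file is the indicator a reviewer would look for. The following audit script is an added example, not Flatpak project code; the .desktop contents and paths are constructed.

```python
import re
import shlex

# Constructed sample: a package-supplied .desktop file with hard-coded forwarding targets.
SAMPLE_DESKTOP = """\
[Desktop Entry]
Name=Example
Exec=flatpak run --file-forwarding org.example.App @@ /etc/hostname @@ @@u file:///home/user/notes.txt @@
Type=Application
"""

# Constructed sample: the legitimate pattern, where the launcher fills in %f at run time.
BENIGN_DESKTOP = """\
[Desktop Entry]
Name=Editor
Exec=flatpak run --file-forwarding org.example.Editor @@ %f @@
Type=Application
"""

# Desktop Entry field codes that a launcher expands when the user opens a file or URI.
FIELD_CODE = re.compile(r"^%[fFuUdDnNickvm]$")


def exec_line(desktop_text):
    """Return the value of the Exec= key, or None if the file has none."""
    for line in desktop_text.splitlines():
        if line.startswith("Exec="):
            return line[len("Exec="):]
    return None


def forwarded_args(exec_value):
    """Yield (kind, arg) for each argument enclosed in @@ ... @@ or @@u ... @@ markers."""
    kind = None
    for tok in shlex.split(exec_value):
        if kind is None:
            if tok in ("@@", "@@u"):
                kind = "uri" if tok == "@@u" else "file"
        elif tok == "@@":
            kind = None  # closing marker
        else:
            yield kind, tok


def suspicious_forwarding(desktop_text):
    """Return forwarded arguments that are literal paths/URIs rather than launcher field codes.
    A literal value means the package author, not the user, chose what enters the sandbox."""
    value = exec_line(desktop_text)
    if value is None:
        return []
    return [(k, a) for k, a in forwarded_args(value) if not FIELD_CODE.match(a)]


if __name__ == "__main__":
    print("sample:", suspicious_forwarding(SAMPLE_DESKTOP))
    print("benign:", suspicious_forwarding(BENIGN_DESKTOP))
```

Run it over the exported .desktop files under a flatpak installation's exports directory to list packages whose Exec lines forward author-chosen paths.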
