Fix metadata file contents after null terminators being ignored

In particular, if a null terminator is placed inside the metadata file, Flatpak will only compare the text *before* it to the value of xa.metadata, but the full file will be parsed when permissions are set at runtime. This means that any app can include a null terminator in its permissions metadata, and Flatpak will only show the user the permissions *preceding* the terminator during install, but the permissions *after* the terminator are applied at runtime.

Fixes GHSA-qpjc-vq3c-572j / CVE-2021-43860

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

1 parent 2380309, commit ba818f5

Showing 3 changed files with 36 additions and 17 deletions.
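
The mismatch the commit message describes, a C-string comparison that stops at the first NUL while a later consumer reads the whole buffer, shown beside a length-aware check. This is an added example, not code from this commit or from Flatpak; the function names and the sample buffers are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flawed check: strcmp() stops at the first NUL byte, so only the
 * prefix of file_data is ever compared with the reviewed text. */
static bool metadata_matches_cstr(const char *reviewed, const char *file_data)
{
    return strcmp(reviewed, file_data) == 0;
}

/* Length-aware check: reject any embedded NUL, then require the
 * reviewed text and the file to be byte-for-byte identical. */
static bool metadata_matches_exact(const char *reviewed,
                                   const char *file_data, size_t file_len)
{
    if (memchr(file_data, '\0', file_len) != NULL)
        return false;
    return strlen(reviewed) == file_len &&
           memcmp(reviewed, file_data, file_len) == 0;
}

/* Constructed samples: the text shown at install time, a file that is
 * identical to it, and a file carrying extra bytes after a NUL. */
static const char reviewed_sample[] = "[Context]\nshared=ipc;\n";
static const char honest_file[]     = "[Context]\nshared=ipc;\n";
static const char padded_file[]     = "[Context]\nshared=ipc;\n\0bytes-after-nul\n";
#define HONEST_LEN (sizeof(honest_file) - 1)
#define PADDED_LEN (sizeof(padded_file) - 1)

int main(void)
{
    printf("cstr  check, padded file: %d\n",
           metadata_matches_cstr(reviewed_sample, padded_file));
    printf("exact check, padded file: %d\n",
           metadata_matches_exact(reviewed_sample, padded_file, PADDED_LEN));
    printf("exact check, honest file: %d\n",
           metadata_matches_exact(reviewed_sample, honest_file, HONEST_LEN));
    return 0;
}
```

The length has to come from the file read itself (the byte count returned by the loader), never from `strlen()` on the loaded buffer, or the exact check inherits the same truncation.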