GNOME's Help Viewer Updated Due To Flatpak Sandbox Escape Vulnerability
GNOME's help viewer, Yelp, was impacted last year by a serious security issue that allowed arbitrary file reads. A new vulnerability affecting the GNOME help viewer has now led to the Yelp 49.1 release, which addresses a possible Flatpak sandbox escape vector.
Thanks to funding provided by Germany's Sovereign Tech Agency through its Sovereign Tech Resilience program, Codean Labs was performing a security audit of Flatpak and various GNOME projects. That audit uncovered a significant Flatpak sandbox escape related to last year's CVE.
GNOME developer Michael Catanzaro explained the issue, which is now fixed in Yelp 49.1:
"In this case, a sandboxed application may launch Yelp to open a malicious help file. The help file can then exfiltrate arbitrary files from your host OS to a web server by using a CSS stylesheet embedded in an SVG. Suffice to say the attack is pretty clever, and certainly more impactful than the typical boring memory safety bugs I more commonly see."
The issue was originally reported three months ago by Codean Labs: Flatpak applications were able to exfiltrate host files because Yelp's Content Security Policy (CSP) was too permissive.
Yelp 49.1 is now available with this fix.
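A defender-side check for the root cause named above, an overly permissive CSP on a viewer that renders local documents, as an added example that is not Yelp's or GNOME's code. It reports which fetch directives still allow network sources; the policies and the `docs:` scheme are constructed for illustration, and it assumes the document itself is loaded from a local scheme so that `'self'` is not a network origin.

```python
# Added example, not Yelp's code: find CSP directives that let a locally
# rendered document reach the network. All policies here are constructed.

# Fetch directives that fall back directly to default-src when absent.
FETCH_DIRECTIVES = ("connect-src", "font-src", "img-src", "media-src",
                    "object-src", "script-src", "style-src")
NETWORK_SCHEMES = ("http:", "https:", "ws:", "wss:")


def parse_csp(policy):
    """Return {directive: [sources]}; a repeated directive is ignored."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def is_remote(source):
    """True if a source expression can match a network origin."""
    s = source.lower()
    if s.startswith("'"):        # 'self', 'none', 'unsafe-inline', nonces, hashes
        return False             # assumption: 'self' is a local origin here
    if s == "*" or s in NETWORK_SCHEMES:
        return True
    if s.endswith(":"):          # other scheme-sources: data:, blob:, docs:
        return False
    return True                  # host-source, e.g. cdn.example or https://cdn.example


def remote_channels(policy):
    """Map each fetch directive to the network sources it still allows."""
    parsed = parse_csp(policy)
    findings = {}
    for name in FETCH_DIRECTIVES:
        sources = parsed.get(name, parsed.get("default-src"))
        if sources is None:      # no directive, no default-src: unrestricted
            findings[name] = ["*"]
            continue
        remote = [s for s in sources if is_remote(s)]
        if remote:
            findings[name] = remote
    return findings


# Constructed policies; "docs:" is a hypothetical local document scheme.
PERMISSIVE = "default-src 'self' docs:; img-src * data:; style-src 'self' 'unsafe-inline' https:"
LOCKED_DOWN = "default-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'"
```

An empty result means none of the checked directives can load from, or send a request to, a network origin; any entry is a channel a rendered document could use to contact a remote server.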
