XDG-Desktop-Portal 1.20.4 Released To Protect Against Apps Trashing Arbitrary Host Files
([Desktop] 3 Hours Ago
XDG-Desktop-Portal)
- Reference: 0001625496
- News link: https://www.phoronix.com/news/XDG-Desktop-Portal-1.20.4
In addition to today's release of [1]Flatpak 1.16.4, which ships new security fixes including a sandbox escape and the ability to delete host files, XDG-Desktop-Portal 1.20.4 is also now available with a security fix of its own that prevents sandboxed apps from trashing arbitrary host files.
XDG Desktop Portal is the portal front-end service to Flatpak and desktop containment frameworks. Unfortunately, it too needed a new point release to address an outstanding security issue.
The fix prevents sandboxed apps that use XDG Desktop Portal from trashing arbitrary host files. Until now, XDG Desktop Portal trashed files with GLib's g_file_trash, which operates on paths. A nefarious application could race against that call and place a symlink somewhere in the path, redirecting g_file_trash so that it trashes arbitrary file(s) on the host system.
With the new XDG-Desktop-Portal 1.20.4 release, it now relies on file descriptor based operations, trashing the intended files more securely and without the possibility of a symlink race redirecting the operation to the host system.
That's the only noted change in the XDG-Desktop-Portal 1.20.4 release, now available via [2]GitHub.
[1] https://www.phoronix.com/news/Flatpak-1.16.4-Released
[2] https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4