Security update fixes symlink race condition that could let sandboxed apps trash arbitrary host files
The XDG-Desktop-Portal project has released version 1.20.4 to address a serious security vulnerability that could have allowed a malicious sandboxed application to trash (move into the user's trash directory) arbitrary files on the host system. This update comes alongside today's Flatpak 1.16.4 release, which also shipped important security fixes, including one for a sandbox escape vulnerability.
The Vulnerability
The security issue stemmed from how XDG Desktop Portal handled requests to trash a file. The portal service relied on GLib's g_file_trash function, which operates on a file path rather than on an already-open file. Because the portal runs outside the sandbox with the user's own privileges, anything that could steer that path elsewhere would let a confined app act on files it should never reach. This design created a window for exploitation through a symlink race condition, the classic time-of-check-to-time-of-use (TOCTOU) pattern.
Here's how the attack worked: A malicious application could race against the trashing operation and, in the window between the portal resolving the path and g_file_trash acting on it, replace a directory component of that path with a symbolic link. When g_file_trash followed the symlink, it would trash a file at an unintended location on the host rather than the intended target. This meant sandboxed apps could potentially trash any file the user's session can access, simply by constructing a path whose components they control.
The Fix
Version 1.20.4 addresses this vulnerability by changing the underlying implementation to use file descriptor-based operations instead of path-based ones. A file descriptor is bound to the open file description, and through it to the inode, rather than to a name in the filesystem hierarchy, so once the portal has opened the object it intends to act on, no later rename or symlink swap along the original path can change which file is affected.
This change eliminates the symlink race condition for the trashing step. Since the operation no longer re-resolves a path at the moment it acts, there is no window in which an attacker can redirect it to a different file through symlink manipulation.
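The following is an added illustration, not code from xdg-desktop-portal or GLib, of the two patterns the release notes contrast: a path-based check-then-act sequence that a directory-to-symlink swap can redirect, and a descriptor-based sequence that cannot be redirected. It simulates the race deterministically by performing the "attacker's" swap between the check and the use. `unlink` stands in for trashing, and the directory layout under a temporary directory is constructed for the demo; the function names are the example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed layout under a fresh temp directory:
 *   <root>/work/sub/a.txt   the file the sandboxed app legitimately asked to remove
 *   <root>/outside/a.txt    a host file the app must never be able to touch
 * Returns a malloc'd copy of the root path, or NULL on failure. */
static char *make_layout(void) {
    char tmpl[] = "/tmp/symrace-XXXXXX";
    if (!mkdtemp(tmpl)) return NULL;
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/work", tmpl);            mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/work/sub", tmpl);        mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/outside", tmpl);         mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/work/sub/a.txt", tmpl);  close(open(p, O_CREAT | O_WRONLY, 0600));
    snprintf(p, sizeof p, "%s/outside/a.txt", tmpl);   close(open(p, O_CREAT | O_WRONLY, 0600));
    return strdup(tmpl);
}

/* The attacker's move inside the race window: rename the real directory
 * away and put a symlink to "outside" in its place under the same name. */
static void attacker_swap(const char *root) {
    char from[PATH_MAX], to[PATH_MAX], target[PATH_MAX];
    snprintf(from, sizeof from, "%s/work/sub", root);
    snprintf(to, sizeof to, "%s/work/sub.orig", root);
    snprintf(target, sizeof target, "%s/outside", root);
    rename(from, to);
    symlink(target, from);
}

static int exists(const char *root, const char *rel) {
    char p[PATH_MAX];
    struct stat st;
    snprintf(p, sizeof p, "%s/%s", root, rel);
    return lstat(p, &st) == 0;
}

/* Remove everything the demo created (either outcome leaves the same names). */
static void cleanup(char *root) {
    const char *rel[] = { "work/sub.orig/a.txt", "work/sub.orig", "work/sub",
                          "work", "outside/a.txt", "outside", "" };
    char p[PATH_MAX];
    for (size_t i = 0; i < sizeof rel / sizeof rel[0]; i++) {
        snprintf(p, sizeof p, "%s/%s", root, rel[i]);
        if (unlink(p) != 0) rmdir(p);
    }
    free(root);
}

/* Vulnerable pattern: check the path, then act on the path.  The kernel
 * resolves the full path again at the "use" step, follows the freshly
 * planted symlink, and the operation lands on outside/a.txt.
 * Returns 1 if the out-of-bounds file was wrongly removed. */
int path_based_removal(void) {
    char *root = make_layout();
    if (!root) return -1;
    char p[PATH_MAX];
    struct stat st;
    snprintf(p, sizeof p, "%s/work/sub/a.txt", root);
    if (stat(p, &st) != 0) { cleanup(root); return -1; }  /* "check": looks fine */
    attacker_swap(root);                                   /* race window */
    unlink(p);                                             /* "use": re-resolves the path */
    int escaped = !exists(root, "outside/a.txt");
    cleanup(root);
    return escaped;
}

/* Fixed pattern: open the parent directory first (refusing a symlink for the
 * final component), then act relative to that descriptor.  The descriptor
 * still refers to the original directory after it is renamed, so the symlink
 * is never consulted.  Returns 1 if only the intended file was removed. */
int fd_based_removal(void) {
    char *root = make_layout();
    if (!root) return -1;
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/work/sub", root);
    int dirfd = open(p, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dirfd < 0) { cleanup(root); return -1; }
    attacker_swap(root);                                   /* same race window */
    int rc = unlinkat(dirfd, "a.txt", 0);                  /* acts inside the opened directory */
    close(dirfd);
    int ok = rc == 0 && exists(root, "outside/a.txt")
                     && !exists(root, "work/sub.orig/a.txt");
    cleanup(root);
    return ok;
}
```

Two caveats a practitioner should keep in mind. O_NOFOLLOW only refuses a symlink as the final path component; the intermediate components are still resolved normally, so a descriptor obtained from a path the attacker partly controls should be opened component by component with openat(O_NOFOLLOW), or on Linux 5.6 and later with openat2 and RESOLVE_NO_SYMLINKS or RESOLVE_BENEATH. And the fix in the portal only closes the race for the trashing step itself; the fd the portal is handed must still be one the app was legitimately allowed to open in the first place.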
Impact and Distribution
The vulnerable code lives in the portal service itself, so any system on which sandboxed applications can reach the Trash portal is affected, which in practice means most Flatpak installations on Linux. The fix is particularly important for users who rely on sandboxing for security, as it closes a significant hole in the containment model: the portal is precisely the trusted helper that is supposed to mediate a confined app's access to host files.
XDG-Desktop-Portal 1.20.4 is available immediately through GitHub and will be distributed through standard package management channels. Users are strongly encouraged to update their systems to protect against this vulnerability.
Context in the Linux Security Landscape
This release highlights the ongoing challenges in securing application sandboxing on Linux. While technologies like Flatpak and XDG Desktop Portal provide important security boundaries, implementation details can sometimes introduce unexpected vulnerabilities.
Symlink races are a classic vulnerability class on Unix-like systems, and this fix demonstrates that even modern security frameworks must remain vigilant against these well-understood attack patterns: any privileged component that checks a path and then acts on the same path is a candidate.
For system administrators and security-conscious users, this update reinforces the importance of keeping all components of the sandboxing stack current, not just the application runtime itself.