CVE-2021-21261: Flatpak sandbox escape via spawn portal (aka GHSA-4ppf-fxf6-vxg2)

[Simon McVittie <smcv () debian org>]

Affected versions: flatpak >= 0.11.4
Fixed versions: flatpak >= 1.10.0, and 1.8.x >= 1.8.5

Flatpak is a system for building, distributing, and running sandboxed
desktop applications on Linux.

I discovered a bug in the flatpak-portal service that can allow sandboxed
applications to execute arbitrary code on the host system (a sandbox
escape). This is fixed in 1.10.0 and 1.8.5.

The initial fixed versions introduced a regression for users of
'flatpak build' on systems where a setuid version of bubblewrap (bwrap)
is required. Version 1.10.1 additionally resolves the regression. The
regression fix has been backported to the flatpak-1.8.x branch but is
not currently in any 1.8.x release.

More details:
https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2