Key Information Summary

CVE ID: CVE-2024-42472
Related Repository: flatpak/flatpak

Commit Information:
- Commit Hash: 3caeb16
- Commit Date: August 13, 2024
- Committers: alexlarsson and smcv

Fix Details:
- Issue Description: When mounting persistent directories, symbolic links must not be followed, because these directories are under the application's control and the external filesystem cannot be trusted.
- Fix Implemented: A new function was added which creates directories without following symbolic links and checks for signs of a malicious or compromised application.
- Relevant Code Changes:

Impact Explanation:
- This fix partially addresses CVE-2024-42472: it prevents exploitation when only a single malicious or compromised application is running.
- If two instances can run simultaneously, a race condition (time-of-check/time-of-use) remains. Closing it requires changes to bubblewrap, which will be addressed in a separate commit, since a newer bubblewrap dependency may be harder to provide in long-term supported distributions.

Additional Notes:
- Path elements containing ".." are disallowed, as they may confuse persistent path handling.
- The committers added test cases and warning messages, improving code robustness and security.
- The committers also referenced another related vulnerability: GHSA-7hgv-f2j8-xw87.