
Cloud Vulnerability DB
A community-led vulnerabilities database
Flatpak, a Linux application sandboxing and distribution framework, was found to contain a path traversal vulnerability (CVE-2022-21682) affecting versions prior to 1.12.3 and 1.10.6. The vulnerability exists in the flatpak-builder component when it applies finish-args last in the build process, allowing potential access to files outside the build directory (GitHub Advisory).
The vulnerability occurs because flatpak-builder applies finish-args last in the build process. At that point the build directory carries the full set of permissions specified in the manifest, so running flatpak build against it gains those permissions. The issue specifically manifests when --mirror-screenshots-url is specified, because flatpak-builder then launches flatpak build --nofilesystem=host appstream-utils mirror-screenshots after finalization. The --nofilesystem=host option does not prevent this: it only removes the blanket host grant, while more specific filesystem grants from the manifest remain in effect (GitHub Advisory).
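As an added illustration (not code from the advisory or from flatpak-builder), the script below reads the finish-args of a constructed flatpak-builder manifest and reports which --filesystem grants the mirror-screenshots step would still hold, modelling the pre-fix behaviour the advisory describes (--nofilesystem=host removes only the exact "host" grant). The fixed=True branch assumes the patched semantics are "host removes every filesystem grant"; that detail is an assumption, not stated on this page.

```python
import json

# Constructed sample manifest (not taken from the advisory): finish-args grant
# the full host plus two more specific locations.
SAMPLE_MANIFEST = json.dumps({
    "app-id": "org.example.App",
    "finish-args": [
        "--share=ipc",
        "--filesystem=host",
        "--filesystem=~/.config/example:ro",
        "--filesystem=xdg-download",
    ],
})

def filesystem_grants(finish_args):
    """Map each --filesystem=PATH[:MODE] entry to its mode (default rw)."""
    grants = {}
    for arg in finish_args:
        if not arg.startswith("--filesystem="):
            continue
        path, _, mode = arg[len("--filesystem="):].partition(":")
        grants[path] = mode or "rw"
    return grants

def residual_access(finish_args, nofilesystem="host", fixed=False):
    """Filesystem grants still in effect after --nofilesystem=<nofilesystem>.

    fixed=False models the pre-fix behaviour described in the advisory: only
    the grant named exactly <nofilesystem> is removed, so more specific grants
    (a home subdirectory, an XDG directory) survive.
    fixed=True models the patched behaviour for host as an ASSUMPTION:
    --nofilesystem=host drops every filesystem grant.
    """
    grants = filesystem_grants(finish_args)
    if fixed and nofilesystem == "host":
        return {}
    grants.pop(nofilesystem, None)
    return grants

def audit_manifest(manifest_json, fixed=False):
    """Grants the mirror-screenshots step would still have, since
    flatpak-builder runs it with --nofilesystem=host after finalization."""
    manifest = json.loads(manifest_json)
    return residual_access(manifest.get("finish-args", []), "host", fixed)

if __name__ == "__main__":
    for path, mode in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"still accessible during mirror-screenshots: {path} ({mode})")
```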
The vulnerability allows a malicious application to potentially create empty directories wherever the user has write permissions. More critically, if an attacker can replace the appstream-util binary, they could perform more hostile actions. This could lead to unauthorized file system access and potential privilege escalation (GitHub Advisory, Debian Security).
The vulnerability has been resolved in Flatpak versions 1.12.3 and 1.10.6 by changing the behavior of --nofilesystem=home and --nofilesystem=host. For flatpak-builder, version 1.2.2 includes the fix. Until patched versions can be installed, users are advised to avoid building apps from untrusted sources, or to isolate flatpak-builder in a virtual machine or securely configured container (GitHub Advisory, Fedora Update).
Source: This report was generated using AI