CVE-2022-21682 – flatpak-builder can access files outside the build directory.

https://notcve.org/view.php?id=CVE-2022-21682

13 Jan 2022 — Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will l... • https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •