Aggregator

Sony has filed a lawsuit in California court against Tencent, alleging the Chinese company's upcoming game Light of Motiram constitutes a "slavish clone" of Sony's Horizon series. The complaint details extensive similarities between the games, from post-apocalyptic robot dinosaur settings to red-haired female protagonists. Tencent had approached Sony for licensing deals in 2024, which Sony rejected twice.

Read more of this story at Slashdot.

Police rushed to Whitby Abbey, in North Yorkshire, at 7.16pm on Wednesday after the man and woman's bodies were spotted on the rocks beneath the cliff by a local.

Nearly all of us are familiar with the holiday-half-stone. You embark on your break at a certain weight, and a week later return having had a lovely time, but with a few unwelcome extra kilograms.

A woman has been arrested on suspicion of murder after a three-year-old girl was found dead at a property in Leeds.

Trauma-inducing startup sound finally axed

Great news! Microsoft has finally squashed a Windows 11 Insider bug. No, it still hasn't "Made the Start Menu Great Again." No, you still can't drag the taskbar wherever you like. But yes, it simply kills the bug that played the Windows Vista boot chime on startup.…

Brit chip biz sees demand surge for turnkey compute subsystems, chiplets, and complete SoC designs

Chip designer Arm says it is looking to bring more compute subsystems, chiplets, and even end-to-end solutions to market as customers increasingly expect a more complete starting point for their custom silicon.…

The protests continued this evening

UK-based TikTokker Lucy Davies always enjoyed going out to eat, so instead of letting the medication curtail that, she makes sure the meals she chooses leave her in a calorie deficit.

There were 1,731 foreign-national sex offenders in prison as of June this year - up by 9.9 per cent in 12 months.

Rolls-Royce shareholders are reaping the rewards of the British engineering giant's quite remarkable recovery.

Braintree Village has reported a 14.9% sales rise and 11.6% footfall boost, which has been driven by new stores like Crocs and Belstaff.

A NEW partnership could see wider services offered to Braintree residents.

No parent decided to give their boy the same name as the PM last year. The results could serve as a potentially damning political litmus test of Sir Keir's popularity among new parents.

Mohammed Fahir Amaaz, 20, and Muhammed Amaad, 26, are accused of assaulting PC Zachary Marsden in July last year.

As a stylist, I regularly have women telling me that they struggle knowing how to dress as they get older and their bodies begin to change.

If the expansive spending of Liverpool has been the headline performance of this summer's transfer window, Nottingham Forest have surely been the leading support act.

It comes amid an escalating war of words over the 'starvation' crisis in the strip, with Israel and the US-backed Gaza Humanitarian Foundation (GHF) facing mounting condemnation

The footage, captured by CCTV and played at the start of a three-day National Transportation Safety Board hearing, shows a bright flash lighting up the night sky above the Potomac River.

Russia spying on foreign embassies? Say it ain't so

Russian cyberspies are abusing local internet service providers' networks to target foreign embassies in Moscow and collect intel from diplomats' devices, according to a Microsoft Threat Intelligence warning.…

by George Whittaker Introduction

Flatpak promises a secure runtime for Linux applications through container-like isolation, relying on bubblewrap namespaces, syscall filtering, and portal interfaces. In theory, each app should operate inside a strong sandbox, disconnected from the host system. But in reality, experience shows gaps, tiny cracks through which apps may escape with serious consequences.

The Sandbox Promise… and the Reality

Flatpak applications begin life in a highly-restricted environment: no network by default, no access to host files beyond the runtime and a private data directory, limited syscalls, and restricted access to session or system services. Portals provide a controlled channel for granting specific capabilities (e.g. file dialogs, screenshot, printing) without broad privileges.

Yet, many Flatpak packages declare broad permissions like filesystem=home, filesystem=host, or device=all. That effectively grants full read-write access to the user's home directory or even system devices, defeating the purpose of the sandbox in practice. Users often assume that 'sandboxed' means locked-down, but blanket permissions expose them to risk.

Real-World Breakouts from the Sandbox CVE‑2024‑32462: RequestBackground Portal Abuse

Security researcher Gergo Koteles uncovered a high-severity vulnerability where malicious Flatpak apps could craft a .desktop file via the org.freedesktop.portal.Background.RequestBackground interface. That tricked Flatpak’s --command= parsing into injecting bwrap arguments (e.g. --bind). This allowed arbitrary host commands to execute outside the sandbox boundary. Versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8 were affected. Patched in the listed versions and mitigated in xdg-desktop-portal 1.18.4 and newer.

CVE‑2024‑42472: Persistent Data Symlink Exploit

A Flatpak flag, --persist (or persistent= in manifest), allows apps writable storage within their data directory. But if a malicious install replaces that directory with a symlink pointing to sensitive host folders (e.g. ~/.ssh), the sandbox mount entry follows it into the real filesystem, giving the app unintended access to files outside its name-spaced area. All versions up to 1.14.8 and 1.15.x ≤ 1.15.9 are vulnerable; patched in 1.14.10 and 1.15.10+.

Policy Complexity and Ecosystem Slip-Ups

A detailed study of hundreds of Flatpak and Snap packages found that nearly 42% of Flatpak apps either override the supposed isolation or misconfigure sandboxing, resulting in overprivilege or potential escape paths. Crafting fine-grained sandbox policy is hard, and mistakes slip through easily.

Go to Full Article