Summary: | <sys-apps/flatpak-{1.8.5,1.10.0}: Sandbox escape (CVE-2021-21261) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Jannik Glückert <jannik.glueckert> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | gnome, zmedico |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=764203 | ||
Whiteboard: | B1 [glsa+ cve] | ||
Package list: | Runtime testing required: | --- |
Description
Jannik Glückert
2021-01-14 18:19:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=814b0fb1496a759d92fbea88c37480ebb93abfd2

commit 814b0fb1496a759d92fbea88c37480ebb93abfd2
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-01-16 04:37:26 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-01-16 04:44:37 +0000

    sys-apps/flatpak: Bump to version 1.10.0

    Bug: https://bugs.gentoo.org/765457
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest              |   1 +
 sys-apps/flatpak/flatpak-1.10.0.ebuild | 101 +++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=055cbd9675ce449e7621a1d82a50fff097450c2c

commit 055cbd9675ce449e7621a1d82a50fff097450c2c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-01-16 04:34:36 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-01-16 04:44:36 +0000

    sys-apps/flatpak: Bump to version 1.8.5

    Bug: https://bugs.gentoo.org/765457
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest             |   1 +
 sys-apps/flatpak/flatpak-1.8.5.ebuild | 101 ++++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)

Please cleanup.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=730592e83540a61141f46c34e76a313ad6f2ee34

commit 730592e83540a61141f46c34e76a313ad6f2ee34
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-01-16 20:48:46 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-01-16 20:53:15 +0000

    sys-apps/flatpak: Remove vulnerable version 1.8.2

    Note that flatpak-1.9.2 remains even though it is vulnerable,
    because it has stable keywords. We'll have to stabilize either
    flatpak-1.10.0 or flatpak-1.8.5.

    Bug: https://bugs.gentoo.org/765457
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest             |   1 -
 sys-apps/flatpak/flatpak-1.8.2.ebuild | 101 ----------------------------------
 2 files changed, 102 deletions(-)

arm64 done

Whoops, missed that there were stable arches, sorry!

x86 done

all arches done

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d665f32741098e4fc8d7f7a6c04f473e24b9cf9e

commit d665f32741098e4fc8d7f7a6c04f473e24b9cf9e
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-01-18 01:13:09 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-01-18 01:13:21 +0000

    sys-apps/flatpak: Remove vulnerable version 1.9.2

    Bug: https://bugs.gentoo.org/765457
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest             |   1 -
 sys-apps/flatpak/flatpak-1.9.2.ebuild | 101 ----------------------------------
 2 files changed, 102 deletions(-)

The tree is clean now. The only remaining versions are 1.8.5 and 1.10.0.

This issue was resolved and addressed in GLSA 202101-21 at https://security.gentoo.org/glsa/202101-21 by GLSA coordinator Aaron Bauman (b-man).