Upstream link: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2

The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the flatpak run command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the flatpak run command, and use them to execute arbitrary code that is not in a sandbox. This is fixed in the new releases 1.8.5 and 1.10.0.
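As an added illustration of the pattern the advisory describes (this is not code from the advisory, from Flatpak, or from the Gentoo package): a host-side launcher that merges caller-specified variables into its own environment, beside a hardened launcher that runs with a fixed environment and hands the caller's variables to the child over a pipe, so nothing the caller sets can steer the launcher itself. The LAUNCHER_SENSITIVE set, the NUL-separated pipe format and the Python stand-in for the child are assumptions made for this example.

```python
import json
import os
import subprocess
import sys

# Constructed denylist: variables the host-side launcher (or the libraries it
# loads) honours itself. If the caller can set them, the caller steers what the
# launcher executes. The real set is larger and implementation-dependent.
LAUNCHER_SENSITIVE = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PATH", "GIO_EXTRA_MODULES"}


def vulnerable_launcher_env(caller_env):
    """The flawed pattern: caller-specified variables are merged straight into
    the environment of the non-sandboxed launcher process."""
    env = dict(os.environ)
    env.update(caller_env)
    return env


def leaked_to_launcher(caller_env, launcher_env):
    """Caller-controlled, launcher-sensitive variables that reached the launcher's own environment."""
    return {k for k in LAUNCHER_SENSITIVE if k in caller_env and launcher_env.get(k) == caller_env[k]}


def hardened_launch(caller_env):
    """Hardened pattern: the launcher keeps a fixed, minimal environment, and the
    caller's variables are passed NUL-separated on an inherited pipe that only
    the sandboxed child applies. Returns (launcher_env, variables the child parsed)."""
    launcher_env = {"PATH": "/usr/bin:/bin", "HOME": os.environ.get("HOME", "/")}
    rfd, wfd = os.pipe()
    with os.fdopen(wfd, "wb") as w:  # closing wfd gives the child EOF
        w.write(b"".join(f"{k}={v}".encode() + b"\0" for k, v in caller_env.items()))
    # Stand-in for the real launcher/child: reads the fd, reports what it would apply.
    child = (
        "import os, sys, json\n"
        "fd = int(sys.argv[1]); data = b''\n"
        "while (chunk := os.read(fd, 4096)): data += chunk\n"
        "print(json.dumps(dict(x.split('=', 1) for x in data.decode().split('\\0') if x)))"
    )
    out = subprocess.run([sys.executable, "-c", child, str(rfd)], env=launcher_env,
                         pass_fds=(rfd,), capture_output=True, check=True, text=True)
    os.close(rfd)
    return launcher_env, json.loads(out.stdout)
```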
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=814b0fb1496a759d92fbea88c37480ebb93abfd2

commit 814b0fb1496a759d92fbea88c37480ebb93abfd2
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-01-16 04:37:26 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-01-16 04:44:37 +0000

    sys-apps/flatpak: Bump to version 1.10.0

    Bug: https://bugs.gentoo.org/765457
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest              |   1 +
 sys-apps/flatpak/flatpak-1.10.0.ebuild | 101 +++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=055cbd9675ce449e7621a1d82a50fff097450c2c

commit 055cbd9675ce449e7621a1d82a50fff097450c2c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-01-16 04:34:36 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-01-16 04:44:36 +0000

    sys-apps/flatpak: Bump to version 1.8.5

    Bug: https://bugs.gentoo.org/765457
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest             |   1 +
 sys-apps/flatpak/flatpak-1.8.5.ebuild | 101 ++++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)
Please clean up.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=730592e83540a61141f46c34e76a313ad6f2ee34

commit 730592e83540a61141f46c34e76a313ad6f2ee34
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-01-16 20:48:46 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-01-16 20:53:15 +0000

    sys-apps/flatpak: Remove vulnerable version 1.8.2

    Note that flatpak-1.9.2 remains even though it is vulnerable, because
    it has stable keywords. We'll have to stabilize either flatpak-1.10.0
    or flatpak-1.8.5.

    Bug: https://bugs.gentoo.org/765457
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest             |   1 -
 sys-apps/flatpak/flatpak-1.8.2.ebuild | 101 ----------------------------------
 2 files changed, 102 deletions(-)
arm64 done
Whoops, missed that there were stable arches, sorry!
x86 done

all arches done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d665f32741098e4fc8d7f7a6c04f473e24b9cf9e

commit d665f32741098e4fc8d7f7a6c04f473e24b9cf9e
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-01-18 01:13:09 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-01-18 01:13:21 +0000

    sys-apps/flatpak: Remove vulnerable version 1.9.2

    Bug: https://bugs.gentoo.org/765457
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest             |   1 -
 sys-apps/flatpak/flatpak-1.9.2.ebuild | 101 ----------------------------------
 2 files changed, 102 deletions(-)
The tree is clean now. The only remaining versions are 1.8.5 and 1.10.0.
This issue was resolved and addressed in GLSA 202101-21 at https://security.gentoo.org/glsa/202101-21 by GLSA coordinator Aaron Bauman (b-man).