CVE-2024-42472: A malicious or compromised Flatpak app using persistent directories could read and write files in locations it would not normally have access to, which is an attack on integrity and confidentiality. The above is fixed in 1.14.10.
Added dependency on bug 937948:

(In reply to Zac Medico from bug 937948 comment #0)
> Hi, we'll need a sys-apps/bubblewrap-0.10.0 bump for this --bind-fd support:
>
> https://github.com/containers/bubblewrap/commit/a253257cd298892da43e15201d83f9a02c9b58b5
>
> The --bind-fd option is used in the CVE fixing commit related to bug 937936:
>
> https://github.com/flatpak/flatpak/commit/6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39510939e6701a67a143f804dd2ff5b9a51101a8

commit 39510939e6701a67a143f804dd2ff5b9a51101a8
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2024-08-15 04:07:06 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2024-08-17 18:59:00 +0000

    sys-apps/flatpak: add 1.14.10

    Bug: https://bugs.gentoo.org/937936
    Signed-off-by: Zac Medico <zmedico@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/38156
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 sys-apps/flatpak/Manifest               |   1 +
 sys-apps/flatpak/flatpak-1.14.10.ebuild | 121 ++++++++++++++++++++++++++++++++
 2 files changed, 122 insertions(+)