| Summary: | <sys-apps/flatpak-{1.10.6, 1.12.3}: multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | zmedico |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j | | |
| Whiteboard: | B4 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 831266 | | |
| Bug Blocks: | | | |
Description
John Helmert III

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d4b29f0c9489bbeddeff88ec2a8b445b9859fb68

commit d4b29f0c9489bbeddeff88ec2a8b445b9859fb68
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-01-13 04:16:48 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-01-13 04:23:50 +0000

sys-apps/flatpak: Bump to version 1.10.6

Bug: https://bugs.gentoo.org/831087
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Zac Medico <zmedico@gentoo.org>

sys-apps/flatpak/Manifest | 1 +
sys-apps/flatpak/flatpak-1.10.6.ebuild | 102 +++++++++++++++++++++++++++++++++
2 files changed, 103 insertions(+)

https://bugs.gentoo.org/8310#c4 too :) Please stable when ready, thanks!

CVE-2022-21682 (https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx): Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not a problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=774692af49b616797706937b258815617e132c83

commit 774692af49b616797706937b258815617e132c83
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-23 09:05:21 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-23 09:05:57 +0000

[ GLSA 202312-12 ] Flatpak: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/775365
Bug: https://bugs.gentoo.org/816951
Bug: https://bugs.gentoo.org/831087
Bug: https://bugs.gentoo.org/901507
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

glsa-202312-12.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
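As an added example (not code from this bug, from Gentoo or from the Flatpak project), the following Python turns the summary's `<sys-apps/flatpak-{1.10.6, 1.12.3}` notation into a check of whether a given installed version is still affected by the advisory above; the per-branch reading of the listed versions is an assumption stated in the comments.

```python
"""Added example: interpret a Gentoo security bug summary such as
'<sys-apps/flatpak-{1.10.6, 1.12.3}: multiple vulnerabilities' as a
predicate over an installed package version. Not part of the bug report."""
import re


def parse_summary(summary):
    """Return (package, sorted list of fixed-version tuples) from a summary."""
    m = re.search(r"<([\w/+.-]+)-\{([^}]*)\}", summary)
    if not m:
        raise ValueError(f"unrecognised summary: {summary!r}")
    package = m.group(1)
    fixed = sorted(tuple(int(p) for p in v.strip().split("."))
                   for v in m.group(2).split(","))
    return package, fixed


def version_tuple(installed):
    """Keep only the leading numeric part, so '1.12.3-r1' becomes (1, 12, 3)."""
    m = re.match(r"\d+(?:\.\d+)*", installed)
    if not m:
        raise ValueError(f"unrecognised version: {installed!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected(installed, fixed):
    """Assumed reading of the summary: each listed version is the first fixed
    release of its major.minor branch. A version on a listed branch is
    affected while it is below that release; a version on an unlisted branch
    (e.g. the 1.11.x series, fixed only in 1.12.3) is affected if it is older
    than the newest listed fix."""
    v = version_tuple(installed)
    by_branch = {f[:2]: f for f in fixed}
    if v[:2] in by_branch:
        return v < by_branch[v[:2]]
    return v < max(fixed)


def check_summary(summary, installed):
    """Return (package, affected?) for one installed version string."""
    package, fixed = parse_summary(summary)
    return package, is_affected(installed, fixed)


if __name__ == "__main__":
    SUMMARY = "<sys-apps/flatpak-{1.10.6, 1.12.3}: multiple vulnerabilities"
    for ver in ("1.10.5", "1.10.6", "1.11.1", "1.12.2", "1.12.3-r1"):
        print(ver, check_summary(SUMMARY, ver))
```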