| Summary: | <sys-apps/flatpak-{1.14.6,1.12.9}: Sandbox escape via RequestBackground portal | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Christopher Fore <csfore> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED --- | | |
| Severity: | critical | CC: | zmedico |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=930261, https://github.com/gentoo/gentoo/pull/36334 | | |
| Whiteboard: | A1 [stable?] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 930844 | | |
| Bug Blocks: | | | |
Description
Christopher Fore
2024-04-18 17:01:48 UTC
xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with -. This is not packaged yet, however.

(In reply to Christopher Fore from comment #1)
> xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only
> allowing Flatpak apps to create .desktop files for commands that do not
> start with -. This is not packaged yet, however.

Worth filing a bug for it or at least CCing its maintainers then ;)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e5a89cfc048384ddf35268840fea1ebc3e6ee91

commit 3e5a89cfc048384ddf35268840fea1ebc3e6ee91
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-04-20 18:52:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-04-21 07:46:20 +0000

    sys-apps/flatpak: add 1.12.9, 1.14.6, security bump

    - Tests skipped (restricted)
    - Fixed trivial QA warnings
    - Changed order of HOMEPAGE, SRC_URI, and DESCRIPTION

    Bug: https://bugs.gentoo.org/930202
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/36334
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest              |   2 +
 sys-apps/flatpak/flatpak-1.12.9.ebuild | 108 +++++++++++++++++++++++++++++
 sys-apps/flatpak/flatpak-1.14.6.ebuild | 120 +++++++++++++++++++++++++++++++++
 3 files changed, 230 insertions(+)
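The portal-side mitigation described in comment #1 (only honour a Flatpak app's autostart request when the command does not start with -), written out as an added example. This is not code from the bug report, from xdg-desktop-portal or from flatpak: the function names, the verdict enum, the `Exec=flatpak run <app-id> <command...>` line shape and the sample requests are assumptions made for this illustration only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed verdicts for an autostart request (not a portal API). */
enum autostart_verdict
{
  AUTOSTART_OK = 0,
  AUTOSTART_EMPTY_COMMAND = 1,  /* no command supplied at all */
  AUTOSTART_OPTION_LIKE = 2     /* command begins with '-' */
};

/* The rule from comment #1: the command an app asks to autostart must not
 * start with '-'.  argv is the NULL-terminated command line.  Only argv[0]
 * is inspected, because that is the element standing where a program name
 * is expected; anything beginning with '-' there could be taken for an
 * option of the launcher rather than for the program to run. */
enum autostart_verdict
validate_autostart_command (const char *const *argv)
{
  if (argv == NULL || argv[0] == NULL || argv[0][0] == '\0')
    return AUTOSTART_EMPTY_COMMAND;

  if (argv[0][0] == '-')
    return AUTOSTART_OPTION_LIKE;

  return AUTOSTART_OK;
}

/* Renders the Exec= line the portal would write into the .desktop file,
 * or NULL when the request is refused.  The "flatpak run <app-id> <cmd...>"
 * shape is an assumption for this example; the page does not show the
 * exact format xdg-desktop-portal uses. */
static char exec_line[512];

const char *
autostart_exec_line (const char *app_id, const char *const *argv)
{
  if (validate_autostart_command (argv) != AUTOSTART_OK)
    return NULL;

  int n = snprintf (exec_line, sizeof exec_line, "Exec=flatpak run %s", app_id);
  if (n < 0 || (size_t) n >= sizeof exec_line)
    return NULL;

  for (size_t i = 0; argv[i] != NULL; i++)
    {
      int m = snprintf (exec_line + n, sizeof exec_line - (size_t) n, " %s", argv[i]);
      if (m < 0 || (size_t) m >= sizeof exec_line - (size_t) n)
        return NULL;
      n += m;
    }
  return exec_line;
}

int
main (void)
{
  /* Constructed sample requests, not captured portal traffic.  A '-' in a
   * later argument is fine under the described rule; only argv[0] matters. */
  const char *const ok_cmd[]    = { "my-daemon", "--quiet", NULL };
  const char *const bad_cmd[]   = { "--not-a-program", "x", NULL };
  const char *const empty_cmd[] = { NULL };
  const char *const *samples[]  = { ok_cmd, bad_cmd, empty_cmd };
  const char *names[]           = { "ok_cmd", "bad_cmd", "empty_cmd" };

  for (size_t i = 0; i < 3; i++)
    {
      const char *line = autostart_exec_line ("org.example.App", samples[i]);
      printf ("%-9s -> verdict %d: %s\n", names[i],
              (int) validate_autostart_command (samples[i]),
              line ? line : "(request refused, no .desktop file written)");
    }
  return 0;
}
```

This check is the portal-side mitigation the comment describes; the commit referenced in this bug ships the flatpak 1.12.9 / 1.14.6 bump itself, and at the time of the comment the xdg-desktop-portal release carrying the check was not yet packaged.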