Summary: | <sys-apps/flatpak-1.4.10: Access to files outside sandbox for apps using persistent= (--persist) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Christopher Fore <csfore> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | zmedico |
Priority: | Normal | Keywords: | PullRequest |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87 | | |
See Also: | https://github.com/gentoo/gentoo/pull/38156 | | |
Whiteboard: | A2 [glsa+] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 937948, 941215 | | |
Bug Blocks: | | | |
Description
Christopher Fore
2024-08-14 22:14:29 UTC
Added dependency on bug 937948:

(In reply to Zac Medico from bug 937948 comment #0)
> Hi, we'll need a sys-apps/bubblewrap-0.10.0 bump for this --bind-fd support:
>
> https://github.com/containers/bubblewrap/commit/a253257cd298892da43e15201d83f9a02c9b58b5
>
> The --bind-fd option is used in the CVE fixing commit related to bug 937936:
>
> https://github.com/flatpak/flatpak/commit/6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39510939e6701a67a143f804dd2ff5b9a51101a8

commit 39510939e6701a67a143f804dd2ff5b9a51101a8
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2024-08-15 04:07:06 +0000
Commit: Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2024-08-17 18:59:00 +0000

    sys-apps/flatpak: add 1.14.10

    Bug: https://bugs.gentoo.org/937936
    Signed-off-by: Zac Medico <zmedico@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/38156
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 sys-apps/flatpak/Manifest | 1 +
 sys-apps/flatpak/flatpak-1.14.10.ebuild | 121 ++++++++++++++++++++++++++++++++
 2 files changed, 122 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f69bf4c9ae6c5e915d78e312e5b40c5012203877

commit f69bf4c9ae6c5e915d78e312e5b40c5012203877
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2024-10-24 20:04:37 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-10-24 20:04:42 +0000

    sys-apps/flatpak: drop 1.12.8, 1.14.4-r3, 1.14.6, 1.14.8

    Bug: https://bugs.gentoo.org/937936
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest | 4 -
 sys-apps/flatpak/flatpak-1.12.8.ebuild | 108 --------------------------
 sys-apps/flatpak/flatpak-1.14.4-r3.ebuild | 116 ----------------------------
 sys-apps/flatpak/flatpak-1.14.6.ebuild | 121 ------------------------------
 sys-apps/flatpak/flatpak-1.14.8.ebuild | 121 ------------------------------
 5 files changed, 470 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c2d87d20ebf32ee75401522f38080776bda1cbdb

commit c2d87d20ebf32ee75401522f38080776bda1cbdb
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-11-06 12:12:48 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-11-06 12:13:03 +0000

    [ GLSA 202411-02 ] Flatpak: Sandbox Escape

    Bug: https://bugs.gentoo.org/937936
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202411-02.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)