```
Security fixes:

* Escape special characters when displaying permissions and metadata, preventing malicious apps from manipulating the appearance of the permissions list using crafted metadata (CVE-2023-28101).

* If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.), don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note that this is specific to virtual consoles: Flatpak is not vulnerable to this if run from a graphical terminal emulator such as xterm, gnome-terminal or Konsole.
```
Please bump to 1.10.8/1.12.8/1.14.4.
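The first fix quoted above (CVE-2023-28101) is about making metadata safe to print: a crafted permission string can carry terminal control sequences that rewrite what the user sees. The following is an added illustration, not Flatpak's own code; the sample metadata value and the helper names are constructed for this example.

```python
# Constructed sample: a crafted permission value carrying ESC [ 2 K (erase the
# current line) followed by a carriage return. Printed raw, the terminal would
# wipe "filesystem=host" and show only the harmless-looking second entry.
CRAFTED_PERMISSION = "filesystem=host\x1b[2K\rfilesystem=home"


def escape_for_display(value: str) -> str:
    """Make every control character visible before printing, in the spirit of
    the CVE-2023-28101 fix. Printable characters pass through unchanged; ESC,
    CR, LF, TAB and the remaining C0/C1 controls become backslash escapes so
    the terminal never interprets them."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")          # keep the output unambiguous
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif code < 0x20 or 0x7F <= code < 0xA0:
            out.append(f"\\x{code:02x}")  # ESC and other controls -> \x1b etc.
        else:
            out.append(ch)
    return "".join(out)


def contains_control_chars(value: str) -> bool:
    """Detection side: a legitimate permission string never needs terminal
    control characters, so their presence is worth flagging on its own."""
    return any(ord(c) < 0x20 or 0x7F <= ord(c) < 0xA0 for c in value)


def render_permissions(values):
    """Return the lines a permissions listing would print, one escaped entry
    per value, so the crafted entry shows up as text instead of taking effect."""
    return ["  " + escape_for_display(v) for v in values]


if __name__ == "__main__":
    for line in render_permissions([CRAFTED_PERMISSION, "devices=dri"]):
        print(line)
```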
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdbb6a78c2d7c6801ddc668091f8140a16c32a0d

commit fdbb6a78c2d7c6801ddc668091f8140a16c32a0d
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2023-03-17 00:11:57 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2023-03-17 00:15:18 +0000

    sys-apps/flatpak: add 1.14.4

    Bug: https://bugs.gentoo.org/901507
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest              |   1 +
 sys-apps/flatpak/flatpak-1.14.4.ebuild | 108 +++++++++++++++++++++++++++++++++
 2 files changed, 109 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2cb46de602b1509668484ac6b1bfd7b361438d7d

commit 2cb46de602b1509668484ac6b1bfd7b361438d7d
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2023-03-17 00:06:14 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2023-03-17 00:15:17 +0000

    sys-apps/flatpak: add 1.12.8

    Bug: https://bugs.gentoo.org/901507
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest              |   1 +
 sys-apps/flatpak/flatpak-1.12.8.ebuild | 108 +++++++++++++++++++++++++++++++++
 2 files changed, 109 insertions(+)
I would like to note that the maximum damage for TIOCLINUX is privilege escalation, in general. ttyjack (https://github.com/jwilk/ttyjack) is a great tool to see that in action, but I have not tried putting it into a flatpak package for verification, so please verify yourself. If risk is the product of probability times damage, damage may be bigger than some of the related texts read and then risk also is. Just my two cents.
Thanks! Please stabilize ASAP
commit db467947bdd14ac40c44a18e65e29dc124b088f0
Author: Sam James <sam@gentoo.org>
Date:   Wed May 10 01:26:01 2023 +0100

    sys-apps/flatpak: drop 1.12.3-r1, 1.14.1
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=774692af49b616797706937b258815617e132c83

commit 774692af49b616797706937b258815617e132c83
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-23 09:05:21 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-23 09:05:57 +0000

    [ GLSA 202312-12 ] Flatpak: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/775365
    Bug: https://bugs.gentoo.org/816951
    Bug: https://bugs.gentoo.org/831087
    Bug: https://bugs.gentoo.org/901507
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-12.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)