CVE-2024-42472: A malicious or compromised Flatpak app using persistent directories could read and write files in locations it would not normally have access to, which is an attack on integrity and confidentiality. The above is fixed in 1.14.10.
Added dependency on bug 937948:

(In reply to Zac Medico from bug 937948 comment #0)
> Hi, we'll need a sys-apps/bubblewrap-0.10.0 bump for this --bind-fd support:
>
> https://github.com/containers/bubblewrap/commit/a253257cd298892da43e15201d83f9a02c9b58b5
>
> The --bind-fd option is used in the CVE fixing commit related to bug 937936:
>
> https://github.com/flatpak/flatpak/commit/6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75
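Added example, not code from this bug, from Flatpak or from bubblewrap: a POSIX shell check that compares a host's installed versions against the two floors the comments above name, sys-apps/flatpak 1.14.10 (the release carrying the CVE-2024-42472 fix) and sys-apps/bubblewrap 0.10.0 (the release that adds the --bind-fd option the fix relies on). Assumptions that are mine rather than the bug's: only the 1.14 branch is considered, so any flatpak below 1.14.10 is reported as affected; a Gentoo "-rN" revision suffix is ignored when comparing; and `flatpak --version` and `bwrap --version` print the version as the second whitespace-separated field.

```shell
#!/bin/sh
# Added example, not code from the Gentoo bug, Flatpak or bubblewrap.
# Reports whether a host is still on a flatpak/bubblewrap pair older than the
# versions bug 937936 / bug 937948 name as the fix for CVE-2024-42472:
#   sys-apps/flatpak    >= 1.14.10  (CVE-fixing release)
#   sys-apps/bubblewrap >= 0.10.0   (adds --bind-fd, used by the fix)
# Assumptions (mine, not from the bug): only the 1.14 branch is considered, a
# Gentoo "-rN" revision suffix is ignored, and `flatpak --version` /
# `bwrap --version` print "<name> <version>" with the version as field 2.

# version_ge A B: succeed when dotted version A is >= dotted version B.
# Components are compared numerically; a missing component counts as 0.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        # Keep only the leading digits ("4-r3" -> "4", "" -> "" -> "0").
        ai=${ai%%[!0-9]*}
        bi=${bi%%[!0-9]*}
        ai=${ai:-0}
        bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        # Advance to the next component, or to the empty string at the end.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# flatpak_affected FLATPAK_VERSION BWRAP_VERSION: print "affected" or
# "not-affected" for the given pair. Both floors must be met, because a
# fixed flatpak built against an old bubblewrap cannot use --bind-fd.
flatpak_affected() {
    if version_ge "$1" 1.14.10 && version_ge "$2" 0.10.0; then
        echo not-affected
    else
        echo affected
    fi
}

# check_host: read the versions from the binaries on PATH and report.
# A missing binary is treated as version 0, i.e. affected, so that an
# absent tool is never silently reported as safe.
check_host() {
    fp=$(flatpak --version 2>/dev/null | awk '{print $2}')
    bw=$(bwrap --version 2>/dev/null | awk '{print $2}')
    echo "flatpak=${fp:-unknown} bubblewrap=${bw:-unknown}: $(flatpak_affected "${fp:-0}" "${bw:-0}")"
}
```

Source the file and run `check_host` on the host in question, or feed `flatpak_affected` the versions reported by the package manager (on Gentoo, for example, the version part of `qlist -Iv sys-apps/flatpak`) when the binaries are not on PATH. The check says nothing about Flatpak branches other than 1.14, which this bug does not cover.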
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39510939e6701a67a143f804dd2ff5b9a51101a8

commit 39510939e6701a67a143f804dd2ff5b9a51101a8
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2024-08-15 04:07:06 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2024-08-17 18:59:00 +0000

    sys-apps/flatpak: add 1.14.10

    Bug: https://bugs.gentoo.org/937936
    Signed-off-by: Zac Medico <zmedico@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/38156
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 sys-apps/flatpak/Manifest               |   1 +
 sys-apps/flatpak/flatpak-1.14.10.ebuild | 121 ++++++++++++++++++++++++++++++++
 2 files changed, 122 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f69bf4c9ae6c5e915d78e312e5b40c5012203877

commit f69bf4c9ae6c5e915d78e312e5b40c5012203877
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2024-10-24 20:04:37 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-10-24 20:04:42 +0000

    sys-apps/flatpak: drop 1.12.8, 1.14.4-r3, 1.14.6, 1.14.8

    Bug: https://bugs.gentoo.org/937936
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/flatpak/Manifest                 |   4 -
 sys-apps/flatpak/flatpak-1.12.8.ebuild    | 108 --------------------------
 sys-apps/flatpak/flatpak-1.14.4-r3.ebuild | 116 ----------------------------
 sys-apps/flatpak/flatpak-1.14.6.ebuild    | 121 ------------------------------
 sys-apps/flatpak/flatpak-1.14.8.ebuild    | 121 ------------------------------
 5 files changed, 470 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c2d87d20ebf32ee75401522f38080776bda1cbdb

commit c2d87d20ebf32ee75401522f38080776bda1cbdb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-11-06 12:12:48 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-11-06 12:13:03 +0000

    [ GLSA 202411-02 ] Flatpak: Sandbox Escape

    Bug: https://bugs.gentoo.org/937936
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202411-02.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)