AXSA:2022-3593:03

Release date: 
Friday, July 22, 2022 - 04:55
Subject: 
flatpak-1.8.7-1.el8
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.

Security Fix(es):

* flatpak: Permissions granted to applications can be hidden from the user at install time (CVE-2021-43860)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-43860
Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak does not properly validate that the permissions displayed to the user for an app at install time match the permissions actually granted to the app at runtime when the app's metadata file contains a null byte. As a result, apps can grant themselves permissions without the consent of the user.

Flatpak shows permissions to the user during install by reading them from the "xa.metadata" key in the commit metadata. That value cannot contain an embedded null byte, because it is an untrusted GVariant string. Flatpak then compares these permissions against the *actual* metadata, taken from the "metadata" file, to make sure it was not lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. If the metadata file contains a null byte, only the content of the file from *before* that byte is compared against xa.metadata. Any permissions that appear in the metadata file after the null byte are therefore applied at runtime but never shown to the user, so a maliciously crafted app can give itself hidden permissions.

Users who have Flatpaks installed from untrusted sources are at risk if a Flatpak ships a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by inspecting the metadata file or the xa.metadata key in the commit metadata.
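The checker below is an added example written for this advisory; it is not code from the Flatpak project or from this package. It reproduces the mismatch described above on a constructed metadata file: the "C-string view" is what code that stops at the first NUL byte sees and shows the user, the "length-aware view" is what a parser given the full buffer applies, and the difference is the hidden permission set. It assumes the metadata file uses GLib keyfile (INI-style) syntax, that the permission-bearing groups are Context, Session Bus Policy, System Bus Policy and Environment, and that a NUL byte ends the line it sits in when the full buffer is parsed; the sample app id and permissions are constructed for the demonstration.

```python
# Added example (not Flatpak's own code): audit a Flatpak 'metadata' file for
# permissions hidden behind a NUL byte, the CVE-2021-43860 pattern.
#
# Assumptions (mine, not from the advisory): GLib keyfile syntax, which
# configparser parses closely enough for the permission groups below; a NUL
# byte is modelled as terminating its line in the length-aware view.
import configparser
from typing import Dict, Set, Tuple

# Groups in a Flatpak metadata file that carry sandbox permissions.
PERMISSION_GROUPS = ("Context", "Session Bus Policy", "System Bus Policy",
                     "Environment")

# Constructed sample: a benign-looking app (network + wayland only), then a
# NUL byte, then a tail that silently widens the sandbox.
SAMPLE_METADATA = (
    b"[Application]\n"
    b"name=org.example.Notes\n"
    b"runtime=org.freedesktop.Platform/x86_64/21.08\n"
    b"command=notes\n"
    b"\n"
    b"[Context]\n"
    b"shared=network;\n"
    b"sockets=wayland;\n"
    b"\x00"                      # C-string readers stop here
    b"\n[Context]\n"
    b"filesystems=host;\n"
    b"devices=all;\n"
    b"\n[Session Bus Policy]\n"
    b"org.freedesktop.Flatpak=talk\n"
)

Perm = Tuple[str, str, str]   # (group, key, single value item)


def c_string_view(data: bytes) -> str:
    """What code treating the buffer as a NUL-terminated string sees."""
    return data.split(b"\x00", 1)[0].decode("utf-8", "replace")


def length_aware_view(data: bytes) -> str:
    """What a length-aware parser sees: the whole buffer, NUL ending a line."""
    return data.replace(b"\x00", b"\n").decode("utf-8", "replace")


def permissions(keyfile_text: str) -> Set[Perm]:
    """Flatten permission groups into (group, key, item) triples.

    'shared=network;ipc;' yields ('Context','shared','network') and
    ('Context','shared','ipc') so that differences are reported per item.
    Duplicate groups (as in the hidden tail) are merged, not rejected.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(keyfile_text)
    found: Set[Perm] = set()
    for group in cp.sections():
        if group not in PERMISSION_GROUPS:
            continue
        for key, value in cp[group].items():
            if group == "Context":
                for item in value.split(";"):
                    if item:
                        found.add((group, key, item))
            else:
                found.add((group, key, value))
    return found


def audit(data: bytes) -> Dict[str, object]:
    """Report whether a NUL is present and which permissions it hides."""
    shown = permissions(c_string_view(data))
    applied = permissions(length_aware_view(data))
    return {
        "has_nul": b"\x00" in data,   # the simplest hardening: reject this outright
        "shown": shown,
        "applied": applied,
        "hidden": applied - shown,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_METADATA)
    print("NUL byte present:", report["has_nul"])
    print("shown at install :", sorted(report["shown"]))
    print("applied at runtime:", sorted(report["applied"]))
    print("HIDDEN           :", sorted(report["hidden"]))
```

To run this against a real installation, pass the raw bytes of the deployed metadata file (for a system install the path is of the form /var/lib/flatpak/app/<app-id>/<arch>/<branch>/active/metadata; this layout is my assumption, not stated in the advisory) rather than the output of a tool that may itself stop reading at the NUL byte. Any file for which has_nul is true should be treated as hostile regardless of what the hidden set contains.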

Solution: 

Update the affected packages to flatpak-1.8.7-1.el8 or later. The fix is backported, so the package version stays at 1.8.7; confirm the fix by checking the installed version-release string (1.8.7-1.el8 or newer) rather than comparing against the upstream-fixed versions 1.12.3 and 1.10.6 named in the CVE description.

Additional Info: 

N/A

Download: 

SRPMS
  1. flatpak-1.8.7-1.el8.src.rpm
    MD5: a30c842b7ea381ac243444d32a4dc3f1
    SHA-256: 86642317d62101345930506aad56d9ae02bb20c8f68c4b62673259def94762c5
    Size: 1.39 MB

Asianux Server 8 for x86_64
  1. flatpak-1.8.7-1.el8.x86_64.rpm
    MD5: 4c27fbdeb25e05555aa51a6511ada51e
    SHA-256: 67424f15b723ec318724aa60da4aba3f0037094923f511057ad912fe3ad4222b
    Size: 1.60 MB
  2. flatpak-libs-1.8.7-1.el8.x86_64.rpm
    MD5: 71112ea962a7cf19761e7f1a3c4b0305
    SHA-256: 63c8f55e8d50565cb51641150084aee1d74a86d481c3d8d083917fdc87ae0ff4
    Size: 441.27 kB
  3. flatpak-selinux-1.8.7-1.el8.noarch.rpm
    MD5: 9a6d5590b244b9af4e888f27691f4819
    SHA-256: 5ced4b9e131213e324492e06843e78f23fb950dc7fca6021353b2bfdcf843b8d
    Size: 26.22 kB
  4. flatpak-session-helper-1.8.7-1.el8.x86_64.rpm
    MD5: affc0063e06834d52618f06e64f9a1d0
    SHA-256: 95a3125c881afcfdf183dd824d30f0a72c892c8a81fb98717e54b2113d32f356
    Size: 74.26 kB
  5. flatpak-libs-1.8.7-1.el8.i686.rpm
    MD5: 76381b0f56646279c5da7c3a428f4fd3
    SHA-256: c29f792b1ca9eb7287d31bc112af4cc81a0091891e99989eb3c9ec2b7b498f57
    Size: 460.43 kB
Copyright 2007-2022 Cybertrust Japan Co., Ltd. All rights reserved.