flatpak-1.12.8-1.el9

Errata ID: AXSA:2023-6670:03

Release date: Thursday, December 7, 2023 - 09:16
Subject: flatpak-1.12.8-1.el9
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Moderate
Description: 

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.

The following packages have been upgraded to a later upstream version: flatpak (1.12.8).

Security Fix(es):

* flatpak: TIOCLINUX can send commands outside sandbox if running on a virtual console (CVE-2023-28100)
* flatpak: Metadata with ANSI control codes can cause misleading terminal output (CVE-2023-28101)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-28100
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.
CVE-2023-28101
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.
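As an added example (not from this advisory or the flatpak project), the script below checks Flatpak-style metadata values for the condition CVE-2023-28101 describes, a permission value carrying a non-printable control character such as ESC, and shows how a command-line tool can render such a value without letting it alter the terminal. The sample metadata and the app id in it are constructed.

```python
# Added example: flag Flatpak metadata permission values that contain
# control characters, and render them in a terminal-safe form.
import configparser
import io
import unicodedata

# Constructed sample in the INI layout Flatpak metadata uses. The
# "filesystems" value carries an ESC byte (0x1b), the kind of value
# CVE-2023-28101 is about. The app id is made up.
SAMPLE_METADATA = (
    "[Application]\n"
    "name=org.example.Demo\n"
    "runtime=org.example.Platform/x86_64/1\n"
    "\n"
    "[Context]\n"
    "shared=network;ipc;\n"
    "sockets=x11;wayland;\n"
    "filesystems=host;\x1b[31mxdg-download;\n"
)


def is_control(ch: str) -> bool:
    # Unicode category Cc covers the C0/C1 controls (ESC, BEL, CR, ...).
    # A permission value never legitimately needs any of them.
    return unicodedata.category(ch) == "Cc"


def find_unsafe_values(metadata: str) -> list[tuple[str, str]]:
    """Return (section, key) pairs whose value contains a control character."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(metadata))
    flagged = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if any(is_control(ch) for ch in value):
                flagged.append((section, key))
    return flagged


def render_safe(value: str) -> str:
    """Replace every control character with a visible \\xNN escape."""
    return "".join(f"\\x{ord(ch):02x}" if is_control(ch) else ch for ch in value)


if __name__ == "__main__":
    for section, key in find_unsafe_values(SAMPLE_METADATA):
        print(f"control character in [{section}] {key}")
    print(render_safe("host;\x1b[31mxdg-download;"))
```

The same escaping belongs wherever untrusted metadata reaches a terminal; the fixed flatpak versions listed above apply this kind of sanitisation to their own CLI output.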

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. flatpak-1.12.8-1.el9.src.rpm
    MD5: 43ae6ae62355e2f1582c2eff38f10872
    SHA-256: dbde05755f9c5358ca9f702845d104113bd7ccadd9400e89a385e3e46d9b0a1f
    Size: 1.51 MB

Asianux Server 9 for x86_64
  1. flatpak-1.12.8-1.el9.i686.rpm
    MD5: 1b79676e7db68dda55a98cdf33da84af
    SHA-256: 5a93f12c837df58aae728c6a3c81a1d2ff1107c2b1fd47108fde8dbc1f9e2ac4
    Size: 1.74 MB
  2. flatpak-1.12.8-1.el9.x86_64.rpm
    MD5: 0dedd92c6b261f19de7f755d41a26f3a
    SHA-256: 4b85e9d3682aed6c8a1b92632579ed1128cd952117d9f4f7b592d9796c2c2873
    Size: 1.69 MB
  3. flatpak-devel-1.12.8-1.el9.i686.rpm
    MD5: 904dc963f63c86628931ff31c95adf0b
    SHA-256: 01365c1365b8142b50afeac6590eb81ca7b2339ae87b48f2dc74f1f3091c7a26
    Size: 105.69 kB
  4. flatpak-devel-1.12.8-1.el9.x86_64.rpm
    MD5: e4d13d5f814bfd082607275868104d33
    SHA-256: c74757eb484b687f871340f4474302a77a9519c503c77f132a889b3b6beebfd3
    Size: 105.65 kB
  5. flatpak-libs-1.12.8-1.el9.i686.rpm
    MD5: f4687adf1bf535b7bb8966cf8da184e7
    SHA-256: bd51478ff471757b47c51f69da21450c5772869a5def102e312816b06d6549c8
    Size: 518.57 kB
  6. flatpak-libs-1.12.8-1.el9.x86_64.rpm
    MD5: 5601cf2ed0511b6b2ec04b4f00bd03a4
    SHA-256: 5a6793481b6221d11e9361dcf55f0e73f38145f74ba6ffd4fb60ae5828f251ee
    Size: 494.63 kB
  7. flatpak-selinux-1.12.8-1.el9.noarch.rpm
    MD5: e99d6558956b7dc53de1480526d75afe
    SHA-256: c1e908f58d3d01e7bd45db7f675128f73bd0b016338d35756d3c1ce20ba3a46b
    Size: 20.22 kB
  8. flatpak-session-helper-1.12.8-1.el9.i686.rpm
    MD5: 5b5538dcb955d6c9a971fa9b51acadcf
    SHA-256: a66bfef5c663e4c10f30cc09c713689a2f0a58ce4fda3e5c4e2cfaf0ab6561f2
    Size: 74.36 kB
  9. flatpak-session-helper-1.12.8-1.el9.x86_64.rpm
    MD5: 2134034b4aecd7f77519f4d8aa1475c9
    SHA-256: e3666d0580cde07a38b21afc594db827ec69f130e3bc734f3779dd9c230f3fc6
    Size: 72.64 kB