flatpak-1.0.9-13.el7
エラータID: AXSA:2024-8386:04
Flatpak is a system for building, distributing, and running sandboxed desktop
applications on Linux.
Security Fix(es):
* flatpak: sandbox escape via RequestBackground portal (CVE-2024-32462)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer the CVE page(s)
listed in the References section.
CVE-2024-32462
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.
Update packages.
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.
N/A
SRPMS
- flatpak-1.0.9-13.el7.src.rpm
MD5: a19e767018d27442e1f13ea9892d135c
SHA-256: 85471c3969d307ca762a46945bfcd88a4120b9762e504cd4f36edee12a922820
Size: 3.35 MB
Asianux Server 7 for x86_64
- flatpak-1.0.9-13.el7.x86_64.rpm
MD5: 4ea4089dbe0bc1a1d13b4ce3f5cbc3f6
SHA-256: 4ebc6cb4b868c2fe56ceacb9dec841fc3299bb677d1c26869fd5053650ba0ea0
Size: 957.75 kB - flatpak-builder-1.0.0-13.el7.x86_64.rpm
MD5: 9bdaea8038c6f7a81f3aa46620192c1f
SHA-256: 5bffb97a6cdde61b17cef434c4080adffdf50a9463fd4dcbf04702be93acd128
Size: 179.71 kB - flatpak-devel-1.0.9-13.el7.x86_64.rpm
MD5: 2293f05f1cd34e4569a7cf381cd13b06
SHA-256: 2dc0aa917463cb76897e7bf60344756767f9ea0123a842dd31f20f7403eb6a84
Size: 59.86 kB - flatpak-libs-1.0.9-13.el7.x86_64.rpm
MD5: d9def1d15e83ce191ba3ddaf6fe20de5
SHA-256: 09278e8bc879b759b6bc60e376a6bf714f890ac8e1a175a419056413def1bcb0
Size: 595.93 kB
日本語