flatpak-1.0.9-10.el7
エラータID: AXSA:2021-1462:04
リリース日:
2021/02/12 Friday - 06:26
題名:
flatpak-1.0.9-10.el7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
High
Description:
- Flatpak の flatpak-portal サービスには、サンドボックス内のアプリケーションが任意の
コードをホストのシステムで実行することの可能な、サンドボックスエスケープとしても
知られる脆弱性ががあります。(CVE-2021-21261)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2021-21261
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0.
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0.
追加情報:
N/A
ダウンロード:
SRPMS
- flatpak-1.0.9-10.el7.src.rpm
MD5: ece8848994483fae8b7efcf63f51e51f
SHA-256: b18dcfef38345410e742f8ee71978180a71fce1e837949483f64807608e19590
Size: 3.34 MB
Asianux Server 7 for x86_64
- flatpak-1.0.9-10.el7.x86_64.rpm
MD5: b97a3e0f087a5da5409300660fc8fca6
SHA-256: b4504428f92fedbd0d9d44b23c8533781ee93f956ba06f4038fa3401c004db9c
Size: 956.66 kB - flatpak-builder-1.0.0-10.el7.x86_64.rpm
MD5: a9ec93db73a440c9b344cd1a4dfcae12
SHA-256: b09429e2e20ecba7f59d86a8944a26586c35f22a1bf75abb19d2368f7b75d56a
Size: 179.50 kB - flatpak-devel-1.0.9-10.el7.x86_64.rpm
MD5: e3f78efc70184219c33344e760aafedb
SHA-256: 8455ffb2ace46d33880ddc966227a01b94e8a1f34ac768bcf8b36ab0112555f4
Size: 59.62 kB - flatpak-libs-1.0.9-10.el7.x86_64.rpm
MD5: 13be5dfca40ef44db45bcb4a8eab9e12
SHA-256: 3609dd6ea04eb18b4c78f9fbe9373a7d7e9af652dd5b85f65e9c50f647ceba74
Size: 595.02 kB