flatpak-builder-1.0.14-2.el8
エラータID: AXSA:2022-4428:01
リリース日:
2022/12/14 Wednesday - 10:16
題名:
flatpak-builder-1.0.14-2.el8
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- flatpak-builder には、パストラバーサルが可能となる
問題があるため、--mirror-screenshots-url オプションを
介して、ユーザーが書き込み権限を持つ場所への
空ディレクトリの作成を可能とする脆弱性が存在します。
(CVE-2022-21682)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2022-21682
Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.
Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.
追加情報:
N/A
ダウンロード:
SRPMS
- flatpak-builder-1.0.14-2.el8.src.rpm
MD5: efe938e1b0db721fbdee8d2e46181e8e
SHA-256: 15c3e6858ecd35eade269570b4e5381cfb36893c7b5f01f50bdbea36103ce454
Size: 461.62 kB
Asianux Server 8 for x86_64
- flatpak-builder-1.0.14-2.el8.x86_64.rpm
MD5: 9cadff2467e4f1e2d9107045e00ab712
SHA-256: 7585d9fa96f31b960b06f78b88c11662df50da1b1e71ee9fe9ccafaecbc188df
Size: 215.88 kB
English