flatpak-1.12.8-1.el9
Errata ID: AXSA:2023-6670:03
Release date:
2023/12/07 Thursday - 09:16
Title:
flatpak-1.12.8-1.el9
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- When Flatpak runs a program through the bubblewrap sandbox on a Linux virtual console, the unprivileged sandboxed session can use the TIOCLINUX ioctl to push characters into the terminal's input buffer and thereby reach the parent session. A local attacker can use this to escape the sandbox. (CVE-2023-28100)
- Permissions set to crafted values that contain non-printable control characters such as ESC can hide other, elevated permissions from the output of the flatpak(1) command. A remote attacker who publishes such an app can obtain elevated permissions that the user installing it from the command line does not see. (CVE-2023-28101)
Solution:
Update the package.
CVE:
CVE-2023-28100
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.
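The mitigation class for this bug is the same one Flatpak already applies to TIOCSTI: a seccomp filter inside the sandbox that refuses the dangerous ioctl request codes, so the sandboxed program can no longer reach the console's input buffer. The block below is an added, self-contained illustration of such a filter, written for this page; it is not Flatpak's or bubblewrap's code. It assumes a little-endian x86_64, i386 or aarch64 Linux host (the `FILTER_ARCH` macro and the low-word `args[1]` offset are this example's own choices) and uses `ioctl(-1, ...)` as a harmless probe: before the filter the kernel answers EBADF, after it the filter answers EPERM.

```c
/* Added example (not Flatpak's or bubblewrap's code): a seccomp-bpf
 * filter that makes ioctl(fd, TIOCSTI, ...) and ioctl(fd, TIOCLINUX, ...)
 * fail with EPERM for the calling process and everything it spawns. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* pre-4.14 headers */
#endif

/* Assumption: one of these three little-endian targets. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define FILTER_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Classic BPF loads 32 bits at a time; on little-endian targets this
 * offset is the low word of args[1], the ioctl request. The kernel
 * truncates the request to unsigned int itself, so matching only the
 * low word cannot be bypassed by setting high bits. */
#define ARG1_LOW offsetof(struct seccomp_data, args[1])

static struct sock_filter ioctl_filter[] = {
    /* 0-2: kill if running under a foreign ABI, where syscall numbers differ */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-4: every syscall other than ioctl is allowed (jump to 9) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 4),
    /* 5-7: inspect the request code */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG1_LOW),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCLINUX, 0, 1),
    /* 8: deny with EPERM rather than killing, so the app sees a normal error */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    /* 9: everything else */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Installs the filter for this process; it is inherited across fork and
 * execve, so a sandbox installs it before exec'ing the app. Returns 0 or -errno. */
int install_ioctl_filter(void)
{
    struct sock_fprog prog = {
        .len = sizeof(ioctl_filter) / sizeof(ioctl_filter[0]),
        .filter = ioctl_filter,
    };
    /* Required for an unprivileged process, and it also stops a filtered
     * process from regaining privilege through setuid binaries. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Probe: errno from ioctl(-1, req, NULL). EBADF means the call reached the
 * kernel's fd lookup; EPERM means the seccomp filter short-circuited it. */
int ioctl_errno(unsigned long req)
{
    if (ioctl(-1, req, NULL) == 0)
        return 0;
    return errno;
}

int main(void)
{
    printf("before filter: TIOCLINUX  -> %s\n", strerror(ioctl_errno(TIOCLINUX)));
    if (install_ioctl_filter() != 0) {
        perror("install_ioctl_filter");
        return 1;
    }
    printf("after filter:  TIOCLINUX  -> %s\n", strerror(ioctl_errno(TIOCLINUX)));
    printf("after filter:  TIOCSTI    -> %s\n", strerror(ioctl_errno(TIOCSTI)));
    printf("after filter:  TIOCGWINSZ -> %s\n", strerror(ioctl_errno(TIOCGWINSZ)));
    return 0;
}
```

Two practical notes. The filter only helps when it is installed in the process that will exec the sandboxed program, and it must be built for the ABI that program actually runs under; the architecture check at the top is what prevents a 32-bit binary from using different syscall numbers to slip past a 64-bit rule. And it does not make the console safe for anything else running on it: the advisory's workaround of not running Flatpak on `/dev/ttyN` at all still applies to unpatched versions, and a quick `tty` in the shell tells you whether you are on a virtual console or a pseudo-terminal.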
CVE-2023-28101
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.
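The underlying problem is that a permission value is attacker-controlled text written straight to a terminal, and a terminal executes control sequences instead of displaying them: a value ending in "cursor up one line, erase line" makes the previously printed permission vanish from the listing. The block below is an added example written for this page, not Flatpak's fix. The crafted value `CRAFTED_VALUE` is constructed here to show the effect, and `escape_for_terminal` is this example's own routine for rendering C0 controls, DEL and UTF-8-encoded C1 controls as visible escapes before printing.

```c
/* Added example (not Flatpak's code): detect and neutralise terminal
 * control characters in untrusted metadata values before printing them. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed crafted permission value: after "xdg-documents" it moves the
 * cursor up one line (ESC [ 1 A) and erases that line (ESC [ 2 K), so a
 * "devices=all" line printed just before it disappears from the terminal. */
static const char CRAFTED_VALUE[] = "xdg-documents\x1b[1A\x1b[2K";

/* Nonzero if s contains a byte a terminal interprets rather than displays:
 * a C0 control (0x00-0x1f), DEL (0x7f), or a UTF-8 encoded C1 control
 * (U+0080-U+009F, encoded as 0xC2 followed by 0x80-0x9F). */
int has_terminal_control(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    for (; *p; p++) {
        if (*p < 0x20 || *p == 0x7f)
            return 1;
        if (*p == 0xC2 && p[1] >= 0x80 && p[1] <= 0x9F)
            return 1;
    }
    return 0;
}

/* Copies in to out, rewriting control bytes as visible C-style escapes
 * (\n, \r, \t, \e, otherwise \xNN). Returns the full escaped length even
 * when out is too small, so a caller can size a buffer; out is always
 * NUL-terminated when outsz > 0, and may be NULL when outsz == 0. */
size_t escape_for_terminal(const char *in, char *out, size_t outsz)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t needed = 0, written = 0;
    for (; *p; p++) {
        char tmp[16];
        const char *piece = tmp;
        size_t plen;
        if (*p == '\n')      piece = "\\n";
        else if (*p == '\r') piece = "\\r";
        else if (*p == '\t') piece = "\\t";
        else if (*p == 0x1b) piece = "\\e";
        else if (*p == 0xC2 && p[1] >= 0x80 && p[1] <= 0x9F) {
            /* C1 control: escape both bytes of the sequence and skip the second */
            snprintf(tmp, sizeof tmp, "\\xc2\\x%02x", p[1]);
            p++;
        } else if (*p < 0x20 || *p == 0x7f) {
            snprintf(tmp, sizeof tmp, "\\x%02x", *p);
        } else {
            tmp[0] = (char)*p;
            tmp[1] = '\0';
        }
        plen = strlen(piece);
        if (written + plen < outsz) {
            memcpy(out + written, piece, plen);
            written += plen;
        }
        needed += plen;
    }
    if (outsz)
        out[written] = '\0';
    return needed;
}

/* Convenience wrapper returning the escaped form in a static buffer. */
const char *escape_to_static(const char *in)
{
    static char buf[256];
    escape_for_terminal(in, buf, sizeof buf);
    return buf;
}

int main(void)
{
    /* Naive listing: on a real terminal the "devices=all" line is erased. */
    printf("--- naive ---\n");
    printf("devices=all\nfilesystems=%s\n", CRAFTED_VALUE);
    /* Escaped listing: the control sequence is shown, nothing is hidden. */
    printf("--- escaped ---\n");
    printf("devices=all\nfilesystems=%s\n", escape_to_static(CRAFTED_VALUE));
    printf("contains control characters: %d\n", has_terminal_control(CRAFTED_VALUE));
    return 0;
}
```

Escaping is the display-side half of the fix; the other half is to treat a value that trips `has_terminal_control` as invalid when the metadata is parsed, since no legitimate permission string contains ESC or a carriage return. Bytes above 0x7f other than the C1 range pass through unchanged here, so Unicode-level tricks such as bidirectional overrides are a separate check this example does not make.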
Additional information:
N/A
Downloads:
SRPMS
- flatpak-1.12.8-1.el9.src.rpm
MD5: 43ae6ae62355e2f1582c2eff38f10872
SHA-256: dbde05755f9c5358ca9f702845d104113bd7ccadd9400e89a385e3e46d9b0a1f
Size: 1.51 MB
Asianux Server 9 for x86_64
- flatpak-1.12.8-1.el9.i686.rpm
MD5: 1b79676e7db68dda55a98cdf33da84af
SHA-256: 5a93f12c837df58aae728c6a3c81a1d2ff1107c2b1fd47108fde8dbc1f9e2ac4
Size: 1.74 MB
- flatpak-1.12.8-1.el9.x86_64.rpm
MD5: 0dedd92c6b261f19de7f755d41a26f3a
SHA-256: 4b85e9d3682aed6c8a1b92632579ed1128cd952117d9f4f7b592d9796c2c2873
Size: 1.69 MB
- flatpak-devel-1.12.8-1.el9.i686.rpm
MD5: 904dc963f63c86628931ff31c95adf0b
SHA-256: 01365c1365b8142b50afeac6590eb81ca7b2339ae87b48f2dc74f1f3091c7a26
Size: 105.69 kB
- flatpak-devel-1.12.8-1.el9.x86_64.rpm
MD5: e4d13d5f814bfd082607275868104d33
SHA-256: c74757eb484b687f871340f4474302a77a9519c503c77f132a889b3b6beebfd3
Size: 105.65 kB
- flatpak-libs-1.12.8-1.el9.i686.rpm
MD5: f4687adf1bf535b7bb8966cf8da184e7
SHA-256: bd51478ff471757b47c51f69da21450c5772869a5def102e312816b06d6549c8
Size: 518.57 kB
- flatpak-libs-1.12.8-1.el9.x86_64.rpm
MD5: 5601cf2ed0511b6b2ec04b4f00bd03a4
SHA-256: 5a6793481b6221d11e9361dcf55f0e73f38145f74ba6ffd4fb60ae5828f251ee
Size: 494.63 kB
- flatpak-selinux-1.12.8-1.el9.noarch.rpm
MD5: e99d6558956b7dc53de1480526d75afe
SHA-256: c1e908f58d3d01e7bd45db7f675128f73bd0b016338d35756d3c1ce20ba3a46b
Size: 20.22 kB
- flatpak-session-helper-1.12.8-1.el9.i686.rpm
MD5: 5b5538dcb955d6c9a971fa9b51acadcf
SHA-256: a66bfef5c663e4c10f30cc09c713689a2f0a58ce4fda3e5c4e2cfaf0ab6561f2
Size: 74.36 kB
- flatpak-session-helper-1.12.8-1.el9.x86_64.rpm
MD5: 2134034b4aecd7f77519f4d8aa1475c9
SHA-256: e3666d0580cde07a38b21afc594db827ec69f130e3bc734f3779dd9c230f3fc6
Size: 72.64 kB