flatpak-1.10.8-1.el8
Errata ID: AXSA:2023-7197:04
Release date:
2023/12/23 Saturday - 00:23
Title:
flatpak-1.10.8-1.el8
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- In Flatpak, when a program is run through the bubblewrap sandbox on a Linux virtual console, the unprivileged sandboxed session can use the TIOCLINUX ioctl to insert characters into the terminal's input buffer and thereby have commands run in the parent session. A local attacker can use this to escape the sandbox. (CVE-2023-28100)
- Flatpak does not neutralise non-printable control characters when it displays an app's permissions, so improperly configured permissions can be hidden from the output of the flatpak(1) command. A remote attacker who can publish a Flatpak app can use permission values crafted to contain control characters such as ESC to conceal elevated permissions from users. (CVE-2023-28101)
Solution:
Update the packages.
CVE:
CVE-2023-28100
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.
CVE-2023-28101
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.
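The following Python script is an added example written for this page; it is not Flatpak project code and not part of the Asianux errata. It turns the advisory into three checks: whether a flatpak version string (including an RPM-style 1.10.8-1.el8) is at or past the fixed release for its branch, whether a tty path is one of the Linux virtual consoles (/dev/tty1, /dev/tty2, ...) that CVE-2023-28100 is limited to, and how a command-line tool should print permission values so that control characters such as ESC cannot hide an elevated permission, which is the class of mitigation behind the CVE-2023-28101 fix. The metadata snippet, the app name org.example.Demo and the hostile value containing ESC[2K plus a carriage return are constructed for this example; the treatment of branches the advisory does not list is an assumption noted in the code.

```python
"""Added example for this advisory (not Flatpak project code).

is_fixed_version():   is a flatpak version at or past its branch's fixed release?
is_virtual_console(): is a tty path a Linux virtual console (CVE-2023-28100 scope)?
render_permissions(): print a metadata [Context] section with control characters
                      escaped (the mitigation class behind CVE-2023-28101).
The sample metadata and its hostile value are constructed for this example.
"""
import configparser
import re

# Fixed releases listed in the advisory, keyed by stable branch (major, minor).
FIXED_VERSIONS = {
    (1, 10): (1, 10, 8),
    (1, 12): (1, 12, 8),
    (1, 14): (1, 14, 4),
    (1, 15): (1, 15, 4),
}

def parse_version(text):
    """'1.10.8' or an RPM-style '1.10.8-1.el8' -> (1, 10, 8)."""
    return tuple(int(p) for p in text.split("-", 1)[0].split("."))

def is_fixed_version(text):
    """True if the version contains the fixes for CVE-2023-28100/-28101.

    Assumptions: branches newer than 1.15 are fixed (the fix shipped in
    1.15.4 and later); older branches not listed (e.g. 1.8.x) are reported
    as not fixed, since the advisory names no fixed release for them.
    """
    ver = parse_version(text)
    branch = ver[:2]
    if branch in FIXED_VERSIONS:
        return ver >= FIXED_VERSIONS[branch]
    return branch > max(FIXED_VERSIONS)

_VT_PATH = re.compile(r"/dev/tty[0-9]+\Z")

def is_virtual_console(tty_path):
    """True for /dev/ttyN (Linux virtual console); False for a pty such as
    /dev/pts/3, which graphical terminal emulators use and which the CVE
    text says are unaffected."""
    return _VT_PATH.match(tty_path) is not None

# C0 control characters (ESC, CR, BS, ...) and DEL; none belongs in a permission.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def escape_controls(value):
    """Render control characters as visible \\xNN text instead of emitting them."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)

def render_permissions(metadata_text):
    """Return (lines, flagged) for the [Context] section of Flatpak metadata.

    lines:   'key=value' per entry, as a hardened CLI would print them.
    flagged: keys whose values contained control characters.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(metadata_text)
    lines, flagged = [], []
    if cfg.has_section("Context"):
        for key, raw in cfg.items("Context"):
            for value in filter(None, raw.split(";")):
                if _CONTROL.search(value):
                    flagged.append(key)
                lines.append(f"{key}={escape_controls(value)}")
    return lines, flagged

# Constructed sample: the app asks for full host filesystem access, and a
# second value carries ESC[2K (erase line) plus a carriage return, which a
# naive printout would let overwrite the 'filesystems=host' line with a
# harmless-looking 'filesystems=home'.
SAMPLE_METADATA = """[Application]
name=org.example.Demo
runtime=org.freedesktop.Platform/x86_64/22.08

[Context]
shared=network;ipc;
filesystems=host;\x1b[2K\rfilesystems=home;
"""

if __name__ == "__main__":
    for candidate in ("1.10.7", "1.10.8-1.el8", "1.14.3", "1.16.0"):
        print(candidate, "fixed" if is_fixed_version(candidate) else "VULNERABLE")
    for tty in ("/dev/tty1", "/dev/pts/3"):
        print(tty, "virtual console" if is_virtual_console(tty) else "not a virtual console")
    rendered, suspicious = render_permissions(SAMPLE_METADATA)
    print("\n".join(rendered))
    if suspicious:
        print("control characters found in:", ", ".join(sorted(set(suspicious))))
```

Run directly, the script prints the version verdicts and the escaped permission listing; render_permissions() flags the filesystems key because its second value carries ESC and CR, which no legitimate Flatpak permission needs, and the escaped form keeps the earlier filesystems=host line visible on the terminal.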
Additional information:
N/A
Downloads:
SRPMS
- flatpak-1.10.8-1.el8.src.rpm
MD5: 1c61dcd99ac1afc16324df93987f0328
SHA-256: cd1d7c73950db62a9d9fb013f575fab91d5bcee75b77bc5393af0748a0ec836c
Size: 1.48 MB
Asianux Server 8 for x86_64
- flatpak-1.10.8-1.el8.i686.rpm
MD5: e81ad0b5ed1157c17821bd622f221f18
SHA-256: 255656ccb7e79393f055f0657177e7595c8b89e402620cfeaf03b311da6f20ba
Size: 1.77 MB
- flatpak-1.10.8-1.el8.x86_64.rpm
MD5: 744cd17eec39e2618b86295ab8e2d834
SHA-256: a3bda9d2a3e9de07ab2891e54bde7004ed864e9a10c11703c30c60a5cc2b4c80
Size: 1.73 MB
- flatpak-devel-1.10.8-1.el8.i686.rpm
MD5: 5574e6dedbf7dacbcdfee750ec203465
SHA-256: 98ed760e977344c2a29af15cee26f380a617eabb3212c148f01ecce5acbb95f6
Size: 115.94 kB
- flatpak-devel-1.10.8-1.el8.x86_64.rpm
MD5: bdf207e784e179cd5413faafacc9d34b
SHA-256: 87b7bd76e1e02a6e04c28f277a69a8964ff8b2e9184a4cf3a13e903d219fa190
Size: 115.93 kB
- flatpak-libs-1.10.8-1.el8.i686.rpm
MD5: c61a1717656e6240da811aae3c862a3d
SHA-256: 6b9d5f0be913386137dbe09bd686f50fe14d6f45aa0a63360484f2f68a71a5a4
Size: 509.86 kB
- flatpak-libs-1.10.8-1.el8.x86_64.rpm
MD5: a81c70a5469cf157cbbfbc15a9d6fe7d
SHA-256: b39b665ed9d58052f2c04000628dd6b14fb7b1d4c5847a9ccee044714eaa7521
Size: 490.59 kB
- flatpak-selinux-1.10.8-1.el8.noarch.rpm
MD5: dcf3d302b5044b5d0aa507ade626c6a8
SHA-256: e8b1ba03239d40a676e766938758f67e7b71f6b19f5aeb12ca02d41128b33acc
Size: 26.34 kB
- flatpak-session-helper-1.10.8-1.el8.i686.rpm
MD5: 8249f230b657ef35656098bb469eedb6
SHA-256: ee749c72febeb73abd309d59ce4f0094a3178aa2e6794119fb4bedc368be1430
Size: 78.07 kB
- flatpak-session-helper-1.10.8-1.el8.x86_64.rpm
MD5: 8e83e8cfa67dd7500fc91f5ae2edce50
SHA-256: 5621599d339452dc8514d4d09e427e64972c4b33334622f2a64097240fd842d0
Size: 76.52 kB