[Bugs] [Bug 13491] New: [CVE 21] flatpak 1.14.0 CVEs found

bugzilla bugzilla at rosalinux.ru
Wed Aug 23 22:44:41 MSK 2023


https://bugzilla.rosalinux.ru/show_bug.cgi?id=13491

          Platform: 2021.1
            Bug ID: 13491
           Summary: [CVE 21] flatpak 1.14.0 CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2023-28100, CVE-2023-28101,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs at lists.rosalinux.ru
          Reporter: y.tumanov at rosalinux.ru
        QA Contact: bugs at lists.rosalinux.ru
                CC: e.kosachev at rosalinux.ru, s.matveev at rosalinux.ru,
                    y.tumanov at rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package flatpak version 1.14.0

INFO (CVEs are): flatpak 1.14.0 CVEs found
CVE-2023-28100
Desc: Flatpak is a system for building, distributing, and running sandboxed
desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and
1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the
`TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a
Linux virtual console such as `/dev/tty1`, it can copy text from the virtual
console and paste it into the command buffer, from which the command might be
run after the Flatpak app has exited. Ordinary graphical terminal emulators
like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is
specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A
patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a
workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily
designed to be used in a Wayland or X11 graphical environment.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-28100
Severity: MEDIUM
CVE-2023-28101
Desc: Flatpak is a system for building, distributing, and running sandboxed
desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and
1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they
can hide those permissions from users of the `flatpak(1)` command-line
interface by setting other permissions to crafted values that contain
non-printable control characters such as `ESC`. A fix is available in versions
1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME
Software rather than the command-line interface, or only install apps whose
maintainers you trust.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-28101
Severity: MEDIUM
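Added example (not part of the bug report or of the flatpak project): a defender-side check that parses a flatpak `metadata` file, flags any `[Context]` permission value that carries terminal control characters (the hiding trick CVE-2023-28101 describes) and renders such values visibly before they reach a terminal. The sample metadata is constructed for this example; the `[Context]` key names are the ones flatpak uses, the values are made up.

```python
import configparser
import re

# C0 controls (including ESC, 0x1b), DEL and C1 controls: anything a terminal
# could interpret as a cursor-movement or erase sequence instead of text.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# Constructed sample metadata. The "filesystems" value smuggles an ESC-based
# "cursor up, erase line" sequence that would overwrite an earlier line when
# printed raw, visually hiding a permission from a CLI user.
SAMPLE_METADATA = (
    "[Application]\n"
    "name=org.example.Demo\n"                                  # constructed
    "runtime=org.freedesktop.Platform/x86_64/22.08\n"
    "\n"
    "[Context]\n"
    "shared=network;ipc;\n"
    "sockets=x11;wayland;\n"
    "filesystems=host;\x1b[1A\x1b[2Kxdg-documents;\n"
)


def find_control_chars(metadata_text):
    """Return (section, key, offsets) for every value containing control chars."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(metadata_text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            offsets = [m.start() for m in _CONTROL_RE.finditer(value)]
            if offsets:
                findings.append((section, key, offsets))
    return findings


def escape_for_terminal(value):
    """Make control characters visible (ESC -> '\\x1b') so output cannot be hidden."""
    return _CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), value)


if __name__ == "__main__":
    for section, key, offsets in find_control_chars(SAMPLE_METADATA):
        print(f"[{section}] {key}: control characters at offsets {offsets}")
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(SAMPLE_METADATA)
    for key, value in cp.items("Context"):
        print(f"{key}={escape_for_terminal(value)}")
```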

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.