<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Platform</th>
<td>2021.1
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_CONFIRMED" title="CONFIRMED - [CVE 21] flatpak 1.14.0 CVEs found" href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13491">13491</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[CVE 21] flatpak 1.14.0 CVEs found
</td>
</tr>
<tr>
<th>Classification</th>
<td>ROSA-based products
</td>
</tr>
<tr>
<th>Product</th>
<td>ROSA Fresh
</td>
</tr>
<tr>
<th>Version</th>
<td>All
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>URL</th>
<td>CVE-2023-28100, CVE-2023-28101
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>CONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>System (kernel, glibc, systemd, bash, PAM...)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Reporter</th>
<td>y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>CC</th>
<td>e.kosachev@rosalinux.ru, s.matveev@rosalinux.ru, y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>Target Milestone</th>
<td>---
</td>
</tr>
<tr>
<th>Flags</th>
<td>secteam_verified?
</td>
</tr></table>
<p>
<div>
<pre>Please patch CVEs for package flatpak version 1.14.0
INFO (CVEs are): flatpak 1.14.0
cves found
CVE-2023-28100
Desc: Flatpak is a system for building, distributing, and running sandboxed
desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and
1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the
`TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a
Linux virtual console such as `/dev/tty1`, it can copy text from the virtual
console and paste it into the command buffer, from which the command might be
run after the Flatpak app has exited. Ordinary graphical terminal emulators
like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is
specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A
patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a
workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily
designed to be used in a Wayland or X11 graphical environment.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-28100">https://nvd.nist.gov/vuln/detail/CVE-2023-28100</a>
Severity: MEDIUM
CVE-2023-28101
Desc: Flatpak is a system for building, distributing, and running sandboxed
desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and
1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they
can hide those permissions from users of the `flatpak(1)` command-line
interface by setting other permissions to crafted values that contain
non-printable control characters such as `ESC`. A fix is available in versions
1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME
Software rather than the command-line interface, or only install apps whose
maintainers you trust.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-28101">https://nvd.nist.gov/vuln/detail/CVE-2023-28101</a>
Severity: MEDIUM</pre>
</div>
</p>
</body>
</html>