Bug 13491

Summary: [CVE 21] flatpak 1.14.0 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED QA Contact: ROSA Linux Bugs <bugs>
Severity: normal    
Priority: Normal CC: a.proklov, e.kosachev, i.gaptrakhmanov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: AllFlags: v.potapov: qa_verified+
y.tumanov: secteam_verified+
a.proklov: published+
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2023-28100, CVE-2023-28101,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-08-23 23:44:41 MSK 
Please patch CVEs for package flatpak version 1.14.0
  
INFO (CVEs are): flatpak 1.14.0
 cves found
CVE-2023-28100
Desc: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-28100
Severity: MEDIUM
CVE-2023-28101
Desc: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-28101
Severity: MEDIUM
Comment 1 ilfat 2023-09-14 09:56:47 MSK 
********** QA ADVISORY **********

CVEs closed by project update:

Updated from 1.14.0 to 1.14.4


https://abf.rosalinux.ru/build_lists/4683776 aarch64
https://abf.rosalinux.ru/build_lists/4683775 x86_64
https://abf.rosalinux.ru/build_lists/4683774 i686
https://abf.rosalinux.ru/build_lists/4683778 e2kv4
https://abf.rosalinux.ru/build_lists/4683777 riscv64
Comment 2 Dmitry Postnikov 2023-09-14 12:27:23 MSK 
***************************
The update sent to testings
Comment 3 Vladimir Potapov 2023-09-19 06:38:23 MSK 
flatpak-1.14.4-1
https://abf.rosalinux.ru/build_lists/4683776 aarch64
https://abf.rosalinux.ru/build_lists/4683775 x86_64
https://abf.rosalinux.ru/build_lists/4683774 i686
https://abf.rosalinux.ru/build_lists/4683778 e2kv4
https://abf.rosalinux.ru/build_lists/4683777 riscv64
***************************** Advisory **********************
CVEs closed by project update:

Updated from 1.14.0 to 1.14.4
*************************************************************
QA Verified
Comment 4 Yury 2023-10-19 15:04:05 MSK 
secteam_verified