Public bug reported:

https://nvd.nist.gov/vuln/detail/CVE-2023-28101
https://nvd.nist.gov/vuln/detail/CVE-2023-28100
https://github.com/flatpak/flatpak/releases/tag/1.12.8
https://github.com/flatpak/flatpak/releases/tag/1.14.4

** Affects: flatpak
     Importance: Undecided
         Status: New

** Affects: flatpak (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: flatpak jammy kinetic

** Also affects: flatpak
     Importance: Undecided
         Status: New

** Summary changed:

- 1.12.7 is behind 1.12.8 for months. Some fixes are security backports from 1.14.4
+ 1.12.7 and 1.14.0 need updating. Some fixes are security backports from 1.14.4

** Description changed:

  https://nvd.nist.gov/vuln/detail/CVE-2023-28101
+ https://nvd.nist.gov/vuln/detail/CVE-2023-28100
  https://github.com/flatpak/flatpak/releases/tag/1.12.8
- 
- 1.12.8
- 
- Security fixes backported from 1.14.4:
- 
- - Escape special characters when displaying permissions and metadata,
-   preventing malicious apps from manipulating the appearance of the
-   permissions list using crafted metadata (CVE-2023-28101).
- 
- - If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.),
-   don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note
-   that this is specific to virtual consoles: Flatpak is not vulnerable to
-   this if run from a graphical terminal emulator such as xterm,
-   gnome-terminal or Konsole.
- 
- Other bug fixes backported from 1.14.x:
- 
- - Update the SELinux module to explicitly permit the system helper to have
-   read access to /etc/passwd and systemd-userdbd, read and lock access to
-   /var/lib/flatpak, and watch files inside $libexecdir
-   (#4852, #4855, #4892; Red Hat #2071217, #2071215, #2070741, #2053634, #2070350)
- - If an app update is blocked by parental controls policies, clean up the
-   temporary deploy directory (#5146)
- - Fix Autotools build with versions of gpgme that no longer provide
-   gpgme-config(1) (#5173)
- - Remove some unreachable code (Coverity: CID 1514265)
- - Add missing handling for some D-Bus errors
+ https://github.com/flatpak/flatpak/releases/tag/1.14.4

** Tags added: jammy kinetic

** Summary changed:

- 1.12.7 and 1.14.0 need updating. Some fixes are security backports from 1.14.4
+ 1.12.7 -> .8 and 1.14.0 -> .4 need updating. Some fixes are security backports from 1.14.4 for .8.

-- 
https://bugs.launchpad.net/bugs/2023447

Title:
  1.12.7 -> .8 and 1.14.0 -> .4 need updating. Some fixes are security backports from 1.14.4 for .8.

Status in Flatpak:
  New
Status in flatpak package in Ubuntu:
  New