ArchLinux: 201902-20: flatpak: privilege escalation

    Date: 18 Feb 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package flatpak before version 1.2.3-1 is vulnerable to privilege escalation.
    Arch Linux Security Advisory ASA-201902-20
    ==========================================
    
    Severity: High
    Date    : 2019-02-17
    CVE-ID  : CVE-2019-5736
    Package : flatpak
    Type    : privilege escalation
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-880
    
    Summary
    =======
    
    The package flatpak before version 1.2.3-1 is vulnerable to privilege
    escalation.
    
    Resolution
    ==========
    
    Upgrade to 1.2.3-1.
    
    # pacman -Syu "flatpak>=1.2.3-1"
    
    The problem has been fixed upstream in version 1.2.3.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    A vulnerability discovered in runc through 1.0-rc6, as used in Docker
    before 18.09.2 and other products, allows attackers to overwrite the
    host runc binary (and consequently obtain host root access) by
    leveraging the ability to execute a command as root within one of these
    types of containers: (1) a new container with an attacker-controlled
    image, or (2) an existing container, to which the attacker previously
    had write access, that can be attached with docker exec. This occurs
    because of file-descriptor mishandling, related to /proc/self/exe.
    
    Impact
    ======
    
    A malicious container can escalate privileges to gain access as root on
    the host system and execute arbitrary code.
    
    References
    ==========
    
    https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
    https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
    https://www.openwall.com/lists/oss-security/2019/02/11/2
    https://security.archlinux.org/CVE-2019-5736
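
The check below is an added example, not part of the Arch advisory: it classifies a `pacman -Q flatpak` result against the fixed release 1.2.3-1 named in the Resolution section. The function names and the sample lines are constructed for illustration, and the `sort -V` fallback assumes GNU coreutils and versions without an epoch.

```shell
#!/bin/sh
# Added example: is the installed flatpak at or above the release that
# ASA-201902-20 lists as fixed?

FIXED="1.2.3-1"   # fixed package version, taken from the advisory

# ver_ge A B: succeed when version A >= version B.
# Prefers pacman's own vercmp; otherwise falls back to GNU `sort -V`
# (assumption: no epoch prefix such as "1:" in the version string).
ver_ge() {
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -ge 0 ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# flatpak_status "<name> <version>": print a verdict for one line in the
# format produced by `pacman -Q flatpak` (empty input = not installed).
flatpak_status() {
    line=$1
    name=${line%% *}
    ver=${line#* }
    if [ -z "$line" ] || [ "$name" != "flatpak" ]; then
        echo "not-installed"
    elif ver_ge "$ver" "$FIXED"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

if command -v pacman >/dev/null 2>&1; then
    # On an Arch host: evaluate the real package database.
    echo "flatpak: $(flatpak_status "$(pacman -Q flatpak 2>/dev/null)")"
else
    # Elsewhere: run over constructed sample lines.
    for sample in "flatpak 1.2.2-1" "flatpak 1.2.3-1" "flatpak 1.10.0-2" ""; do
        printf '%-18s -> %s\n' "[$sample]" "$(flatpak_status "$sample")"
    done
fi
```

A "vulnerable" verdict is resolved by the advisory's own command, `pacman -Syu "flatpak>=1.2.3-1"`.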
    