
Mageia 8: 2022-0131 Critical: Flatpak Permissions And Path Issues

Mageia, April 9, 2022
The Mageia 2022-0131 flatpak update fixes a flaw in install-time permission validation and a path traversal vulnerability.

Summary

Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app (CVE-2021-43860).

Path traversal vulnerability (CVE-2022-21682).

Various other fixes and enhancements are included in the update to version 1.12.7.
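As an added illustration of the null-byte issue described above (defender-side code written for this page, not Flatpak's or Mageia's own), the script below parses a constructed Flatpak-style metadata keyfile, flags an embedded NUL byte, and reports which `[Context]` permissions a reader that stops at the NUL would never display while a reader of the whole file would still apply them. The sample metadata, the helper names and the `/var/lib/flatpak/app/<id>/current/active/metadata` layout are assumptions.

```python
from pathlib import Path

# Constructed sample of a Flatpak-style metadata keyfile (GLib keyfile syntax,
# [Context] group), not taken from any real app. A NUL byte on its own line
# separates the modest permissions from broader ones that follow it.
SAMPLE_METADATA = (
    b"[Application]\nname=org.example.Editor\n"
    b"runtime=org.freedesktop.Platform/x86_64/21.08\n\n"
    b"[Context]\nsockets=wayland;\n"
    b"\x00\n"
    b"filesystems=host;\ndevices=all;\n"
)

def parse_keyfile(data: bytes) -> dict:
    """Minimal keyfile reader: {group: {key: value}}, skipping blanks/comments."""
    groups, current = {}, None
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            groups[current][key.strip()] = value.strip()
    return groups

def audit_metadata(data: bytes) -> dict:
    """Flag an embedded NUL and list the [Context] keys that a NUL-terminated
    reader never sees but a reader of the whole file would apply."""
    nul_at = data.find(b"\x00")
    full = parse_keyfile(data).get("Context", {})
    if nul_at < 0:
        return {"nul_byte": False, "offset": None, "hidden": {}, "context": full}
    visible = parse_keyfile(data[:nul_at]).get("Context", {})
    hidden = {k: v for k, v in full.items() if visible.get(k) != v}
    return {"nul_byte": True, "offset": nul_at, "hidden": hidden, "context": full}

def audit_installation(root: str = "/var/lib/flatpak/app") -> dict:
    """Audit each deployed app's metadata file; the per-app path layout
    <root>/<app-id>/current/active/metadata is assumed here."""
    return {str(p): audit_metadata(p.read_bytes())
            for p in Path(root).glob("*/current/active/metadata")}

if __name__ == "__main__":
    print(audit_metadata(SAMPLE_METADATA))
    for path, result in audit_installation().items():
        if result["nul_byte"]:
            print(f"{path}: NUL at offset {result['offset']}, hidden {result['hidden']}")
```

Any metadata file that triggers `nul_byte` deserves a look regardless of what the hidden keys are, since a well-formed keyfile has no reason to contain one.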

References

- https://bugs.mageia.org/show_bug.cgi?id=29885

- https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j

- https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/

- https://github.com/flatpak/flatpak/releases/tag/1.10.7

- https://github.com/flatpak/flatpak/releases/tag/1.12.4

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G4SGDDYLN2BFKCHIDCXL2QTDVHPMZZM4/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UELF5NVMHRQ45DEBIRQGIVCV4PADFC37/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F46WFOXXRE63UMMTLQB2FOJT4KLI5AR7/

- https://github.com/flatpak/flatpak/releases/tag/1.12.5

- https://github.com/flatpak/flatpak/releases/tag/1.12.6


- https://github.com/flatpak/flatpak/releases/tag/1.12.7

- https://www.cve.org/CVERecord?id=CVE-2021-43860

- https://www.cve.org/CVERecord?id=CVE-2022-21682

Resolution

SRPMS

- 8/core/flatpak-1.12.7-1.mga8

- 8/core/discover-5.20.4-3.3.mga8

- 8/core/gnome-software-3.38.0-2.1.mga8

- 8/core/xdg-desktop-portal-kde-5.20.4-2.1.mga8

Severity
critical

Publication date: 09 Apr 2022
URL: https://advisories.mageia.org/MGASA-2022-0131.html
Type: security
CVE: CVE-2021-43860, CVE-2022-21682
