Mageia 8: 2023-0115 Moderate: Flatpak Command Injection Threat

mageia
March 24, 2023
Updated flatpak packages fix two flaws: command injection through the Linux virtual console (CVE-2023-28100) and concealment of elevated permissions from the flatpak command-line interface (CVE-2023-28101).

Summary

If a malicious Flatpak app is run on a Linux virtual console such as /dev/tty1, it can copy text from the virtual console and paste it back into the virtual console's input buffer, from which the command might be run by the user's shell after the Flatpak app has exited. This is similar to CVE-2017-5226, but using the TIOCLINUX ioctl command instead of TIOCSTI. (CVE-2023-28100)

A Flatpak app with elevated permissions may hide those permissions from users of the 'flatpak(1)' command-line interface by setting other permissions to crafted values that contain non-printable control characters such as 'ESC'. (CVE-2023-28101)
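The permission-hiding flaw (CVE-2023-28101) comes down to a display step that passes metadata values to the terminal unescaped. The following is an added example, not Flatpak's own code: a minimal GLib-keyfile parser, a constructed app metadata file whose "persistent" value carries an ESC sequence that erases the "filesystems=host;" line above it when printed raw, and the escaping that a hardened CLI applies before printing. The metadata contents, the key names used and the exact escape sequence are assumptions for illustration.

```python
import re

# Constructed sample of a Flatpak app's metadata keyfile (the real format is a
# GLib keyfile whose [Context] group lists the sandbox holes).  The "persistent"
# value is crafted for this example: printed raw, "ESC[1A" moves the cursor up
# one line, "ESC[2K" erases that line and "ESC[1G" returns to column 1, so the
# "filesystems=host;" grant above it is overwritten on screen.
CRAFTED_METADATA = (
    "[Application]\n"
    "name=org.example.Sneaky\n"
    "runtime=org.freedesktop.Platform/x86_64/22.08\n"
    "\n"
    "[Context]\n"
    "sockets=x11;\n"
    "filesystems=host;\n"
    "persistent=.cache\x1b[1A\x1b[2K\x1b[1Gfilesystems=~/.cache;\n"
)

# C0 controls, DEL and the C1 range.  ESC (0x1b) starts terminal escape
# sequences; a bare \r or \b can also rewrite what is already on screen.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def parse_keyfile(text: str) -> dict[str, dict[str, str]]:
    """Minimal GLib-keyfile parser: [Group] headers and key=value lines.
    Values are kept byte-for-byte, control characters included, which is
    why the display step has to be the one that neutralises them."""
    groups: dict[str, dict[str, str]] = {}
    current = None
    for line in text.split("\n"):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed keyfile line: {line!r}")
        key, _, value = line.partition("=")
        groups[current][key.strip()] = value
    return groups


def escape_control(value: str) -> str:
    """Render every control character as a visible \\xNN token so the
    terminal never interprets it."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def render_context(metadata: str, escape: bool) -> str:
    """Print the [Context] group the way a CLI would.  escape=False is the
    vulnerable behaviour (raw bytes reach the terminal); escape=True is the
    hardened one."""
    ctx = parse_keyfile(metadata)["Context"]
    return "\n".join(
        f"{key}={escape_control(value) if escape else value}"
        for key, value in ctx.items()
    )


def suspicious_keys(metadata: str) -> list[str]:
    """Audit helper: [Context] keys whose values contain control characters.
    Legitimate permission values never need them."""
    ctx = parse_keyfile(metadata)["Context"]
    return [key for key, value in ctx.items() if _CONTROL.search(value)]


if __name__ == "__main__":
    print("raw (what a vulnerable CLI shows on a terminal):")
    print(render_context(CRAFTED_METADATA, escape=False))
    print("\nescaped (hardened):")
    print(render_context(CRAFTED_METADATA, escape=True))
    print("\nkeys carrying control characters:", suspicious_keys(CRAFTED_METADATA))
```

Run it in a real terminal to see the raw rendering lose the host filesystem line while the escaped rendering shows both grants and the literal `\x1b` tokens. The audit helper is the cheap check to run over installed app metadata: a permission value that contains any control character is a red flag regardless of what it would do to a particular terminal.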

References

- https://bugs.mageia.org/show_bug.cgi?id=31688

- https://github.com/flatpak/flatpak/releases/tag/1.12.8

- https://www.openwall.com/lists/oss-security/2023/03/17/1

- https://www.openwall.com/lists/oss-security/2023/03/17/2

- https://www.cve.org/CVERecord?id=CVE-2023-28100

- https://www.cve.org/CVERecord?id=CVE-2023-28101

Resolution

SRPMS

- 8/core/flatpak-1.12.8-1.mga8
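To verify that an installed package is at or past the fixed build, the version-release from `rpm -q` has to be compared with RPM's own ordering rules (numeric segments compared as numbers, alphabetic segments lexically, `~` sorting before everything else, `^` after the base version). The following is an added example, not part of the advisory or of Mageia's tooling: a Python port of rpm's `rpmvercmp()` plus an epoch:version-release comparison against the fixed `1.12.8-1.mga8`. The sample version strings in the main block are constructed; the `rpm -q` query format string is standard RPM syntax.

```python
import re
import subprocess

# Version-release of the fixed Mageia 8 build, taken from the advisory's SRPM.
FIXED_EVR = "1.12.8-1.mga8"

_JUNK = re.compile(r"[^0-9A-Za-z~^]*")
_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1, 0 or 1 for a <, ==, > b."""
    if a == b:
        return 0
    while a or b:
        # Separators other than ~ and ^ carry no meaning; skip them.
        a = a[_JUNK.match(a).end():]
        b = b[_JUNK.match(b).end():]
        # Tilde sorts before anything, including the end of the string.
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        # Caret sorts after the base version but before anything else.
        if a.startswith("^") or b.startswith("^"):
            if not a:
                return -1
            if not b:
                return 1
            if not a.startswith("^"):
                return 1
            if not b.startswith("^"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        # Take one segment of the same kind (digits or letters) from each side.
        pattern, isnum = (_DIGITS, True) if a[0].isdigit() else (_ALPHA, False)
        seg_a = pattern.match(a)
        seg_b = pattern.match(b)
        if seg_b is None:
            # Different segment kinds: numeric beats alphabetic.
            return 1 if isnum else -1
        x, y = seg_a.group(), seg_b.group()
        if isnum:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
        a, b = a[seg_a.end():], b[seg_b.end():]
    if not a and not b:
        return 0
    return -1 if not a else 1


def parse_evr(evr: str) -> tuple[str, str, str]:
    """Split '[epoch:]version-release' into (epoch, version, release).
    A missing epoch, or rpm's '(none)' placeholder, counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    if epoch in ("", "(none)"):
        epoch = "0"
    version, _, release = rest.rpartition("-")
    if not version:  # no release part at all
        version, release = release, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed build is the fixed one or newer."""
    return compare_evr(installed_evr, fixed_evr) >= 0


if __name__ == "__main__":
    # Query the installed package; EPOCH prints as "(none)" when unset.
    query = ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", "flatpak"]
    try:
        installed = subprocess.run(query, capture_output=True, text=True, check=True).stdout.strip()
        print(f"flatpak {installed}: {'fixed' if is_fixed(installed) else 'VULNERABLE, update'}")
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"could not query rpm: {exc}")
```

Comparing the release as well as the version matters for distribution packages: a security fix is sometimes backported as `1.12.7-2.mga8`, and the advisory's own `1.12.8-1.mga8` has to order above a hypothetical `1.12.8-0.rc1.mga8` pre-release build, which the segment-wise comparison handles.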

Publication date: 24 Mar 2023
URL: https://advisories.mageia.org/MGASA-2023-0115.html
Type: security
CVE: CVE-2023-28100, CVE-2023-28101
