Ubuntu 24.04 LTS: USN-7046-1 moderate: Flatpak bubblewrap file access issue

September 30, 2024
Ubuntu has released a security advisory focusing on vulnerabilities within Flatpak and Bubblewrap, aimed at strengthening file access security measures. Immediate updates are recommended.

Summary

Flatpak could be made to read and write files in locations it would not normally have access to.

Software Description:

- bubblewrap: utility for unprivileged chroot and namespace manipulation

- flatpak: Application deployment framework for desktop apps

Details:

It was discovered that Flatpak incorrectly handled certain persisted directories. An attacker could possibly use this issue to read and write files in locations it would not normally have access to.

A patch was also needed to Bubblewrap in order to avoid race conditions caused by this fix.

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  bubblewrap                      0.9.0-1ubuntu0.1
  flatpak                         1.14.6-1ubuntu0.1
  libflatpak0                     1.14.6-1ubuntu0.1

Ubuntu 22.04 LTS
  bubblewrap                      0.6.1-1ubuntu0.1
  flatpak                         1.12.7-1ubuntu0.1
  libflatpak0                     1.12.7-1ubuntu0.1

Ubuntu 20.04 LTS
  bubblewrap                      0.4.0-1ubuntu4.1
  flatpak                         1.6.5-0ubuntu0.5
  libflatpak0                     1.6.5-0ubuntu0.5

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-7046-1

CVE-2024-42472, https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2077087
