Stay Secure with the Latest Linux Advisories

security advisorymoderatecommand injection

Mageia 8: 2023-0115 Moderate: Flatpak Command Injection Threat

If a malicious Flatpak app is run on a Linux virtual console such as /dev/tty1, it can copy text from the virtual console and paste it back into the virtual console's input buffer, from which the command might be run by the user's shell after the Flatpak app has exited. This is similar to CVE-2017-5226, but using the TIOCLINUX ioctl command instead . MGASA-2023-0115 - Updated flatpak packages fix security vulnerability Publication date: 24 Mar 2023 URL: https://advisories.mageia.org/MGASA-2023-0115.html Type: security Affected Mageia releases: 8 CVE: CVE-2023-28100, CVE-2023-28101 If a malicious Flatpak app is run on a Linux virtual console such as /dev/tty1, it can copy text from the virtual console and paste it back into the virtual console's input buffer, from which the command might be run by the user's shell after the Flatpak app has exited. This is similar to CVE-2017-5226, but using the TIOCLINUX ioctl command instead of TIOCSTI. (CVE-2023-28100) Flatpak app with elevated permissions mayhide those permissions from users of the 'flatpak(1)' command-line interface by setting other permissions to crafted values that contain non-printable control characters such as 'ESC'. (CVE-2023-28101) References: - https://bugs.mageia.org/show_bug.cgi?id=31688 - https://github.com/flatpak/flatpak/releases/tag/1.12.8 - https://www.openwall.com/lists/oss-security/2023/03/17/1 - https://www.openwall.com/lists/oss-security/2023/03/17/2 - https://www.cve.org/CVERecord?id=CVE-2023-28100 - https://www.cve.org/CVERecord?id=CVE-2023-28101 SRPMS: - 8/core/flatpak-1.12.8-1.mga8 . Revised flatpak updates address security flaws that permit text command injection through the virtual terminal. Discover additional details!. Flatpak Security, Mageia Release, Linux Vulnerability, Command Injection, Permissions Exploit. . LinuxSecurity.com Team

Mar 24, 2023 Mageia