[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2021-21261: Flatpak sandbox escape via spawn portal (aka GHSA-4ppf-fxf6-vxg2)
From: Simon McVittie <smcv () debian ! org>
Date: 2021-01-21 19:13:13
Message-ID: YAnSSXu4Kpq6Avco () espresso ! pseudorandom ! co ! uk
[Download RAW message or body]
Affected versions: flatpak >= 0.11.4
Fixed versions: flatpak >= 1.10.0, and 1.8.x >= 1.8.5
Flatpak is a system for building, distributing, and running sandboxed
desktop applications on Linux.
I discovered a bug in the flatpak-portal service that can allow sandboxed
applications to execute arbitrary code on the host system (a sandbox
escape). This is fixed in 1.10.0 and 1.8.5.
The initial fixed versions introduced a regression for users of
'flatpak build' on systems where a setuid version of bubblewrap (bwrap)
is required. Version 1.10.1 additionally resolves the regression. The
regression fix has been backported to the flatpak-1.8.x branch but is
not currently in any 1.8.x release.
More details:
https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic