{
  "schema_version": "1.7.0",
  "id": "MGASA-2022-0131",
  "published": "2022-04-09T21:20:39Z",
  "modified": "2022-04-09T20:35:42Z",
  "summary": "Updated flatpak packages fix security vulnerability",
  "details": "Flatpak doesn't properly validate that the permissions displayed to the\nuser for an app at install time match the actual permissions granted to\nthe app at runtime, in the case that there's a null byte in the metadata\nfile of an app. (CVE-2021-43860)\nThis update also fixes a path traversal vulnerability. (CVE-2022-21682)\nVarious other fixes and enhancements are included in the update to\nversion 1.12.7.\n",
  "upstream": [
    "CVE-2021-43860",
    "CVE-2022-21682"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2022-0131.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=29885"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flatpak/flatpak/releases/tag/1.10.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flatpak/flatpak/releases/tag/1.12.4"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G4SGDDYLN2BFKCHIDCXL2QTDVHPMZZM4/"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UELF5NVMHRQ45DEBIRQGIVCV4PADFC37/"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F46WFOXXRE63UMMTLQB2FOJT4KLI5AR7/"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flatpak/flatpak/releases/tag/1.12.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flatpak/flatpak/releases/tag/1.12.6"
    },
    {
      "type": "WEB",
      "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T4OG73MX3JPZBHYMUXUULPTVL7ZOOTZ5/"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flatpak/flatpak/releases/tag/1.12.7"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:8",
        "name": "flatpak",
        "purl": "pkg:rpm/mageia/flatpak?arch=source&distro=mageia-8"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.7-1.mga8"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:8",
        "name": "discover",
        "purl": "pkg:rpm/mageia/discover?arch=source&distro=mageia-8"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.20.4-3.3.mga8"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:8",
        "name": "gnome-software",
        "purl": "pkg:rpm/mageia/gnome-software?arch=source&distro=mageia-8"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.38.0-2.1.mga8"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:8",
        "name": "xdg-desktop-portal-kde",
        "purl": "pkg:rpm/mageia/xdg-desktop-portal-kde?arch=source&distro=mageia-8"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.20.4-2.1.mga8"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}
