Updated flatpak packages fix security vulnerability
Publication date: 24 Mar 2023Modification date: 24 Mar 2023
Type: security
Affected Mageia releases : 8
CVE: CVE-2023-28100 , CVE-2023-28101
Description
If a malicious Flatpak app is run on a Linux virtual console such as
/dev/tty1, it can copy text from the virtual console and paste it back
into the virtual console's input buffer, from which the command might
be run by the user's shell after the Flatpak app has exited. This is
similar to CVE-2017-5226, but using the TIOCLINUX ioctl command instead
of TIOCSTI. (CVE-2023-28100)
Flatpak app with elevated permissions mayhide those permissions from
users of the 'flatpak(1)' command-line interface by setting other
permissions to crafted values that contain non-printable control
characters such as 'ESC'. (CVE-2023-28101)
References
- https://bugs.mageia.org/show_bug.cgi?id=31688
- https://github.com/flatpak/flatpak/releases/tag/1.12.8
- https://www.openwall.com/lists/oss-security/2023/03/17/1
- https://www.openwall.com/lists/oss-security/2023/03/17/2
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28100
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28101
SRPMS
8/core
- flatpak-1.12.8-1.mga8