An update for flatpak is now available for openEuler-22.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1426 Final 1.0 1.0 2024-04-12 Initial 2024-04-12 2024-04-12 openEuler SA Tool V1.0 2024-04-12 flatpak security update An update for flatpak is now available for openEuler-22.03-LTS-SP2. flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information. Security Fix(es): Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.(CVE-2023-28100) Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.(CVE-2023-28101) An update for flatpak is now available for openEuler-22.03-LTS-SP2. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium flatpak https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1426 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-28100 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-28101 https://nvd.nist.gov/vuln/detail/CVE-2023-28100 https://nvd.nist.gov/vuln/detail/CVE-2023-28101 openEuler-22.03-LTS-SP2 flatpak-1.10.2-7.oe2203sp2.aarch64.rpm flatpak-debuginfo-1.10.2-7.oe2203sp2.aarch64.rpm flatpak-debugsource-1.10.2-7.oe2203sp2.aarch64.rpm flatpak-devel-1.10.2-7.oe2203sp2.aarch64.rpm flatpak-help-1.10.2-7.oe2203sp2.noarch.rpm flatpak-1.10.2-7.oe2203sp2.src.rpm flatpak-devel-1.10.2-7.oe2203sp2.x86_64.rpm flatpak-debugsource-1.10.2-7.oe2203sp2.x86_64.rpm flatpak-debuginfo-1.10.2-7.oe2203sp2.x86_64.rpm flatpak-1.10.2-7.oe2203sp2.x86_64.rpm Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment. 2024-04-12 CVE-2023-28100 openEuler-22.03-LTS-SP2 Medium 6.5 AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H flatpak security update 2024-04-12 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1426 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust. 2024-04-12 CVE-2023-28101 openEuler-22.03-LTS-SP2 Medium 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N flatpak security update 2024-04-12 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1426