GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Mon Jan 25, 2021 3:26 am Post subject: [ GLSA 202101-21 ] Flatpak
Gentoo Linux Security Advisory
Title: Flatpak: Sandbox escape (GLSA 202101-21)
Severity: normal
Exploitable: remote
Date: 2021-01-25
Bug(s): #765457
ID: 202101-21
Synopsis
A vulnerability was discovered in Flatpak which could allow a
remote attacker to execute arbitrary code.
Background
Flatpak is a Linux application sandboxing and distribution framework.
Affected Packages
Package: sys-apps/flatpak
Vulnerable: < 1.10.0
Unaffected: >= 1.10.0
Architectures: All supported architectures
Description
A bug was discovered in the flatpak-portal service that can allow
sandboxed applications to execute arbitrary code on the host system (a
sandbox escape).
Impact
A remote attacker could entice a user to open a specially crafted
Flatpak app possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.
Workaround
As a workaround, this vulnerability can be mitigated by preventing the
flatpak-portal service from starting, but that mitigation will prevent
many Flatpak apps from working correctly. It is highly recommended to
upgrade.
Resolution
All Flatpak users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.10.0"
References
CVE-2021-21261