{"schema_version":"1.7.2","id":"OESA-2021-1149","modified":"2021-05-06T11:02:49Z","published":"2021-05-06T11:02:49Z","upstream":["CVE-2019-8308","CVE-2021-21381"],"summary":"flatpak security update","details":"flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nFlatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file.(CVE-2019-8308)\r\n\r\nFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the \u0026quot;file forwarding\u0026quot; feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app\u0026apos;s permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app\u0026apos;s .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit \u0026quot;`Disallow @@ and @@U usage in desktop files`\u0026quot;. The follow-up commits \u0026quot;`dir: Reserve the whole @@ prefix`\u0026quot; and \u0026quot;`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`\u0026quot; are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.(CVE-2021-21381)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"flatpak","purl":"pkg:rpm/openEuler/flatpak\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.3-5.oe1"}]}],"ecosystem_specific":{"aarch64":["flatpak-debuginfo-1.0.3-5.oe1.aarch64.rpm","flatpak-debugsource-1.0.3-5.oe1.aarch64.rpm","flatpak-devel-1.0.3-5.oe1.aarch64.rpm","flatpak-1.0.3-5.oe1.aarch64.rpm"],"noarch":["flatpak-help-1.0.3-5.oe1.noarch.rpm"],"src":["flatpak-1.0.3-5.oe1.src.rpm"],"x86_64":["flatpak-devel-1.0.3-5.oe1.x86_64.rpm","flatpak-debuginfo-1.0.3-5.oe1.x86_64.rpm","flatpak-debugsource-1.0.3-5.oe1.x86_64.rpm","flatpak-1.0.3-5.oe1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1149"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-8308"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21381"}],"database_specific":{"severity":"High"}}