| Summary: | flatpak new security issue fixed upstream in 1.10.2 (CVE-2021-21381) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | fri, guillaume.royer, mageia, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | flatpak-1.10.1-1.mga8.src.rpm | CVE: | CVE-2021-21381 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 27126 | ||
|
Description
David Walser
2021-03-10 18:13:49 CET

David Walser
2021-03-10 18:14:29 CET
Whiteboard: (none) => MGA8TOO, MGA7TOO

Morgan Leijström
2021-03-10 18:20:28 CET
CC: (none) => fri

Fixed in cauldron/mga8.

src:
- mageia 8:
  - flatpak-1.10.2-1.mga8

Mageia 7 is in progress.
CC: (none) => mageia

You can handle Mageia 7 in the other bug if you'd like.
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Assigning to you Nicolas as you are already doing it!
Source RPM: flatpak-1.10.1-1.mga8.src.rpm => flatpak-1.10.1-1.mga8.src.rpm, flatpak-1.4.1-1.mga7.src.rpm

Nicolas Lécureuil
2021-03-11 08:55:10 CET
Assignee: mageia => qa-bugs

Mageia 7 in Bug 27126.
Whiteboard: MGA7TOO => (none)

CVE-2021-21381 has been assigned: https://github.com/flatpak/flatpak/issues/4146#issuecomment-796918073

Advisory:
========================

Updated flatpak packages fix security vulnerability:

A potential attack where a flatpak application could use custom formatted .desktop files to gain access to files on the host system (CVE-2021-21381).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21381
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/releases/tag/1.10.2
https://github.com/flatpak/flatpak/issues/4146

Summary: flatpak new security issue fixed upstream in 1.10.2 => flatpak new security issue fixed upstream in 1.10.2 (CVE-2021-21381)

Does gnome-software need to be rebuilt for this one?

Ah yes, maybe we need to rebuild it and discover.

discover was already built after this one.

I have installed flatpak 1.10.2-1 on MGA8 XFCE Desktop, kernel 5.10.20-desktop-2.mga8.
Installed with:
flatpak-1.10.2-1.mga8.x86_64.rpm
lib64flatpak-devel-1.10.2-1.mga8.x86_64.rpm
lib64flatpak-gir1.0-1.10.2-1.mga8.x86_64.rpm
lib64flatpak0-1.10.2-1.mga8.x86_64.rpm
The installation is done correctly without error messages. Gnome-software is at V3.38.0; I used it to do an upgrade, no problems found.
CC: (none) => guillaume.royer

MGA8 x86_64 Plasma
Using the Howto on https://github.com/flatpak/flatpak/issues/4146#issuecomment-796918073
Reproduced the behaviour: got a file normally inaccessible from a flatpak app (/etc/passwd in this case).
Updating. No longer reproduced.
MGA8-64-OK

Validating. Advisory committed to SVN.
CC: (none) => ouaurelien, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0145.html
Resolution: (none) => FIXED

Red Hat has issued an advisory for this on March 29:
https://access.redhat.com/errata/RHSA-2021:1002