Bug 31688

Summary: flatpak new security issues CVE-2023-28100 and CVE-2023-28101
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, fri, geiger.david68210, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: flatpak-1.14.0-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-03-16 17:21:40 CET 
flatpak 1.14.4 has been released today (March 16), fixing security issues:
https://github.com/flatpak/flatpak/releases/tag/1.14.4

Mageia 8 may also be affected.
David Walser 2023-03-16 17:21:57 CET

Status comment: (none) => Fixed upstream in 1.14.4
Whiteboard: (none) => MGA8TOO

Comment 1 David GEIGER 2023-03-16 17:44:26 CET 
Done for Cauldron!

CC: (none) => geiger.david68210

Comment 2 David Walser 2023-03-16 18:08:25 CET 
(Awaiting freeze move, to be clear)
Comment 3 Lewis Smith 2023-03-16 20:32:25 CET 
Whether DavidG or NicolasL does the M8 bit - up to you.
Assigning this to neoclust for M8 anyway. He has done previous flatpak version updates, and is registered maintainer for flatpack (not the same thing!).

Assignee: bugsquad => mageia

Comment 4 David GEIGER 2023-03-17 02:49:00 CET 
Done for mga8 updating to 1.12.8.
Comment 5 David Walser 2023-03-17 02:53:51 CET 
Cauldron still pending freeze move.

Mageia 8 update:
flatpak-1.12.8-1.mga8
flatpak-tests-1.12.8-1.mga8
libflatpak0-1.12.8-1.mga8
libflatpak-gir1.0-1.12.8-1.mga8
libflatpak-devel-1.12.8-1.mga8

from flatpak-1.12.8-1.mga8.src.rpm


References:
https://github.com/flatpak/flatpak/releases/tag/1.12.8
Comment 6 Morgan Leijström 2023-03-17 15:59:49 CET 
mga8-64 OK,
on Plasma, nvidia-currrent, Intel i7, kernel 5.15.88-desktop-1.mga8

Updated installed packages to
- flatpak-1.12.8-1.mga8.x86_64
- lib64flatpak-gir1.0-1.12.8-1.mga8.x86_64
- lib64flatpak0-1.12.8-1.mga8.x86_64

Tests ok:  before and after system reboot
o $ flatpak update (updates flatpak apps)
o Firefox with internet video
o Signal (phone-desktop integration)
o Spotify
o Simple launching of: Blender, KiCAD, Fritzing (an old flatpak)

CC: (none) => fri

Morgan Leijström 2023-03-21 17:40:35 CET

Assignee: mageia => qa-bugs

Comment 8 Morgan Leijström 2023-03-21 17:43:20 CET 
Cauldron freeze move is performed

Mga8-64 is working for me, validating

Advisory needed

Version: Cauldron => 8
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA8TOO => MGA8-64-OK

David Walser 2023-03-21 19:30:43 CET

Status comment: Fixed upstream in 1.14.4 => (none)

Dave Hodgins 2023-03-24 00:41:05 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2023-03-24 06:57:47 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0115.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED