Bug 33119

Summary: flatpak new security issue CVE-2024-32462
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, fri, herman.viaene, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: flatpak-1.15.6-1.mga10.src.rpm CVE: CVE-2024-32462
Status comment: Fixed upstream in 1.15.8 and 1.14.6

Description Nicolas Salguero 2024-04-22 10:02:34 CEST 
That CVE was announced here:
https://www.openwall.com/lists/oss-security/2024/04/18/5

Mageia 9 is also affected.

The problem is fixed in versions 1.15.8 (Cauldron) and 1.14.6 (Mageia 9).
Nicolas Salguero 2024-04-22 10:03:20 CEST

Source RPM: (none) => flatpak-1.15.6-1.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-32462
Status comment: (none) => Fixed upstream in 1.15.8 and 1.14.6

Comment 1 Lewis Smith 2024-04-22 21:18:17 CEST 
Simple version updates.
Assigning yet another to you DavidG, as you committed the most recent Flatpak versions.

Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2024-06-18 04:08:32 CEST 
Done for both mga9 and Cauldron!

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Comment 3 David GEIGER 2024-06-18 04:11:22 CEST 
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
flatpak-1.14.6-1.mga9
flatpak-tests-1.14.6-1.mga9
libflatpak-devel-1.14.6-1.mga9
libflatpak-gir1.0-1.14.6-1.mga9
libflatpak0-1.14.6-1.mga9
lib64flatpak-devel-1.14.6-1.mga9
lib64flatpak-gir1.0-1.14.6-1.mga9
lib64flatpak0-1.14.6-1.mga9

From SRPMS:
flatpak-1.14.6-1.mga9.src.rpm

Assignee: geiger.david68210 => qa-bugs

Comment 4 Morgan Leijström 2024-06-18 12:13:48 CEST 
mga9-64, Plasma, X11, nvidia-current

Updated what was installed, to:
- flatpak-1.14.6-1.mga9.x86_64
- lib64flatpak-gir1.0-1.14.6-1.mga9.x86_64
- lib64flatpak0-1.14.6-1.mga9.x86_64

rebooted.

flatpak update: updated some flatpaks OK

Tried some programs: OK, incl flatseal - editor for flatpak app permissions

CC: (none) => fri

katnatek 2024-06-18 19:17:49 CEST

Keywords: (none) => advisory

Comment 5 Herman Viaene 2024-06-19 17:28:15 CEST 
MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues
Google to find some way of testing as flatpak hasn't been on this laptop, and I never used it before Found https://docs.flatpak.org/en/latest/using-flatpak.html

$ flatpak update
Looking for updates…

Nothing to do.
$ flatpak remotes

$ flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

$ flatpak remotes
Name    Options
flathub system

$ flatpak search  kate
Name        Description      Application ID      Version      Branch     Remotes
KWrite      Text Editor      org.kde.kwrite      24.05.1      stable     flathub
$ flatpak install flathub  org.kde.kwrite
Looking for matches…
Required runtime for org.kde.kwrite/x86_64/stable (runtime/org.kde.Platform/x86_64/6.6) found in remote flathub
Do you want to install it? [Y/n]: y

org.kde.kwrite permissions:
    ipc        cups                   fallback-x11           wayland                      x11
    dri        file access [1]        dbus access [2]        system dbus access [3]

    [1] host, xdg-config/kdeglobals:ro
    [2] com.canonical.AppMenu.Registrar, org.kde.KGlobalSettings, org.kde.kconfig.notify
    [3] org.freedesktop.UDisks2


        ID                                               Branch                 Op            Remote             Download
 1. [✓] org.freedesktop.Platform.GL.default              23.08                  i             flathub            172.0 MB / 172.2 MB
 2. [✓] org.freedesktop.Platform.GL.default              23.08-extra            i             flathub             19.2 MB / 172.2 MB
 3. [✓] org.freedesktop.Platform.VAAPI.Intel             23.08                  i             flathub             13.3 MB / 13.4 MB
 4. [✓] org.freedesktop.Platform.openh264                2.2.0                  i             flathub              1.2 MB / 944.3 kB
 5. [✓] org.gtk.Gtk3theme.Breeze                         3.22                   i             flathub            249.6 kB / 192.4 kB
 6. [✓] org.kde.Platform.Locale                          6.6                    i             flathub             18.0 kB / 380.9 MB
 7. [✓] org.kde.Platform                                 6.6                    i             flathub            263.8 MB / 331.2 MB
 8. [✓] org.kde.kwrite.Locale                            stable                 i             flathub              7.5 kB / 3.6 MB
 9. [✓] org.kde.kwrite                                   stable                 i             flathub              7.0 MB / 4.6 MB

Installation complete.
$ flatpak run org.kde.kwrite

(flatpak run:40445): GLib-GIO-WARNING **: 17:20:10.982: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.
Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8.
Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead.
If this causes problems, reconfigure your locale. See the locale(1) manual
for more information.

Runs OK, I can open a txt file and save changes.
Good for me.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

katnatek 2024-06-19 19:23:22 CEST

CC: (none) => andrewsfarm

Comment 6 Thomas Andrews 2024-06-20 03:18:16 CEST 
On the rare occasions when I use flatpak, it's with Discover. Updated the flatpak packages with no issues. Ran Discover, installed a couple of games from Flathub. No issues, confirming the OK.

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Mageia Robot 2024-06-20 04:32:53 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0229.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED