Upstream has issued an advisory today (March 10): https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp A CVE has been requested: https://github.com/flatpak/flatpak/issues/4146#issuecomment-795302663 The issue is fixed upstream in 1.10.2: https://github.com/flatpak/flatpak/releases/tag/1.10.2 Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Blocks: (none) => 27126
Status comment: (none) => Fixed upstream in 1.10.2
CC: (none) => fri
Fixed in cauldron/mga8.

src:
- mageia 8:
  - flatpak-1.10.2-1.mga8

Mageia 7 is in progress.
CC: (none) => mageia
You can handle Mageia 7 in the other bug if you'd like.
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Assigning to you Nicolas as you are already doing it!
Source RPM: flatpak-1.10.1-1.mga8.src.rpm => flatpak-1.10.1-1.mga8.src.rpm, flatpak-1.4.1-1.mga7.src.rpm
Assignee: bugsquad => mageia
Assignee: mageia => qa-bugs
Mageia 7 in Bug 27126.
Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 1.10.2 => (none)
Source RPM: flatpak-1.10.1-1.mga8.src.rpm, flatpak-1.4.1-1.mga7.src.rpm => flatpak-1.10.1-1.mga8.src.rpm
CVE-2021-21381 has been assigned: https://github.com/flatpak/flatpak/issues/4146#issuecomment-796918073

Advisory:
========================

Updated flatpak packages fix security vulnerability:

A potential attack where a flatpak application could use custom formatted .desktop files to gain access to files on the host system (CVE-2021-21381).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21381
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/releases/tag/1.10.2
https://github.com/flatpak/flatpak/issues/4146
Summary: flatpak new security issue fixed upstream in 1.10.2 => flatpak new security issue fixed upstream in 1.10.2 (CVE-2021-21381)
Does gnome-software need to be rebuilt for this one?
Ah yes, maybe we need to rebuild it and discover.
discover was already built after this one.
I have installed Flatpak 1.10.2-1 on an MGA8 XFCE desktop, kernel 5.10.20-desktop-2.mga8.

Installed with:
flatpak-1.10.2-1.mga8.x86_64.rpm
lib64flatpak-devel-1.10.2-1.mga8.x86_64.rpm
lib64flatpak-gir1.0-1.10.2-1.mga8.x86_64.rpm
lib64flatpak0-1.10.2-1.mga8.x86_64.rpm

The installation completed correctly without error messages. gnome-software is at v3.38.0; I used it to do an upgrade, and no problems were found.
CC: (none) => guillaume.royer
MGA8 x86_64 Plasma

Using the howto on https://github.com/flatpak/flatpak/issues/4146#issuecomment-796918073, reproduced the behaviour: a file normally inaccessible from a flatpak app (/etc/passwd in this case) could be read.

Updating. No longer reproduced.

MGA8-64-OK. Validating. Advisory committed to SVN.
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-21381
Whiteboard: (none) => MGA8-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0145.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
RedHat has issued an advisory for this on March 29: https://access.redhat.com/errata/RHSA-2021:1002