Upstream has issued an advisory today (March 10):
A CVE has been requested:
The issue is fixed upstream in 1.10.2:
Mageia 7 and Mageia 8 are also affected.
Fixed upstream in 1.10.2
fixed in cauldron/mga8
- mageia 8:
Mageia 7 is in progress
You can handle Mageia 7 in the other bug if you'd like.
MGA8TOO, MGA7TOO =>
Assigning to you Nicolas as you are already doing it!
Mageia 7 in Bug 27126.
Fixed upstream in 1.10.2 =>
flatpak-1.10.1-1.mga8.src.rpm, flatpak-1.4.1-1.mga7.src.rpm =>
CVE-2021-21381 has been assigned:
Updated flatpak packages fix security vulnerability:
A potential attack where a flatpak application could use custom formatted
.desktop files to gain access to files on the host system (CVE-2021-21381).
flatpak new security issue fixed upstream in 1.10.2 =>
flatpak new security issue fixed upstream in 1.10.2 (CVE-2021-21381)
Does gnome-software need to be rebuilt for this one?
ah yes maybe we need to rebuild it and discover.
discover was already built after this one.
I have installed 1.10.2-1 Flatpak on MGA8 XFCE Desktop kernel 5.10.20-desktop-2.mga8
The installation is done correctly without error messages.
Gnome-software is at V3.38.0, I used it to do an upgrade, no problems found
MGA8 x86_64 Plasma
Using Howto on https://github.com/flatpak/flatpak/issues/4146#issuecomment-796918073
Reproduced behaviour, to get file normally inaccessible from flatpak app.
(/etc/passwd) in this case.
No longer reproduced.
Advisory committed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.
RedHat has issued an advisory for this on March 29: