Bug 31688 - flatpak new security issues CVE-2023-28100 and CVE-2023-28101
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-03-16 17:21 CET by David Walser
Modified: 2023-03-24 06:57 CET

See Also:
Source RPM: flatpak-1.14.0-1.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2023-03-16 17:21:40 CET
flatpak 1.14.4 has been released today (March 16), fixing security issues:
https://github.com/flatpak/flatpak/releases/tag/1.14.4

Mageia 8 may also be affected.
David Walser 2023-03-16 17:21:57 CET

Status comment: (none) => Fixed upstream in 1.14.4
Whiteboard: (none) => MGA8TOO

Comment 1 David GEIGER 2023-03-16 17:44:26 CET
Done for Cauldron!

CC: (none) => geiger.david68210

Comment 2 David Walser 2023-03-16 18:08:25 CET
(Awaiting freeze move, to be clear)
Comment 3 Lewis Smith 2023-03-16 20:32:25 CET
Whether DavidG or NicolasL does the M8 bit - up to you.
Assigning this to neoclust for M8 anyway. He has done previous flatpak version updates, and is registered maintainer for flatpack (not the same thing!).

Assignee: bugsquad => mageia

Comment 4 David GEIGER 2023-03-17 02:49:00 CET
Done for mga8 updating to 1.12.8.
Comment 5 David Walser 2023-03-17 02:53:51 CET
Cauldron still pending freeze move.

Mageia 8 update:
flatpak-1.12.8-1.mga8
flatpak-tests-1.12.8-1.mga8
libflatpak0-1.12.8-1.mga8
libflatpak-gir1.0-1.12.8-1.mga8
libflatpak-devel-1.12.8-1.mga8

from flatpak-1.12.8-1.mga8.src.rpm


References:
https://github.com/flatpak/flatpak/releases/tag/1.12.8
Comment 6 Morgan Leijström 2023-03-17 15:59:49 CET
mga8-64 OK,
on Plasma, nvidia-current, Intel i7, kernel 5.15.88-desktop-1.mga8

Updated installed packages to
- flatpak-1.12.8-1.mga8.x86_64
- lib64flatpak-gir1.0-1.12.8-1.mga8.x86_64
- lib64flatpak0-1.12.8-1.mga8.x86_64

Tests ok: before and after system reboot
o $ flatpak update (updates flatpak apps)
o Firefox with internet video
o Signal (phone-desktop integration)
o Spotify
o Simple launching of: Blender, KiCAD, Fritzing (an old flatpak)

CC: (none) => fri

Morgan Leijström 2023-03-21 17:40:35 CET

Assignee: mageia => qa-bugs

Comment 8 Morgan Leijström 2023-03-21 17:43:20 CET
Cauldron freeze move is performed

Mga8-64 is working for me, validating

Advisory needed

Version: Cauldron => 8
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA8TOO => MGA8-64-OK

David Walser 2023-03-21 19:30:43 CET

Status comment: Fixed upstream in 1.14.4 => (none)

Dave Hodgins 2023-03-24 00:41:05 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2023-03-24 06:57:47 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0115.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

