Showing 1 - 3 of 3

CVE-2022-21682

Status Candidate

Overview

Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.

Related Files

Gentoo Linux Security Advisory 202312-12: Posted Dec 26, 2023; Authored by Gentoo | Site security.gentoo.org; Gentoo Linux Security Advisory 202312-12 - Several vulnerabilities have been found in Flatpack, the worst of which lead to privilege escalation and sandbox escape. Versions greater than or equal to 1.14.4 are affected.; tags | advisory, vulnerability; systems | linux, gentoo; advisories | CVE-2021-21381, CVE-2021-41133, CVE-2021-43860, CVE-2022-21682, CVE-2023-28100, CVE-2023-28101; SHA-256 | 3018a3aaac2e8e504bce240edb2f33466f227c0b15ee1ce0adb6bbddcdceb2ca; Download | Favorite | View

Red Hat Security Advisory 2022-7458-01: Posted Nov 8, 2022; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2022-7458-01 - Flatpak-builder is a tool for building flatpaks from sources.; tags | advisory; systems | linux, redhat; advisories | CVE-2022-21682; SHA-256 | 5be4f5c9b26f014ff8aec5920b6f412dfa096daa6b529d5f98cab135eb161c8f; Download | Favorite | View

Debian Security Advisory 5049-1: Posted Jan 28, 2022; Authored by Debian | Site debian.org; Debian Linux Security Advisory 5049-1 - Several vulnerabilities were discovered in Flatpak, an application deployment framework for desktop apps.; tags | advisory, vulnerability; systems | linux, debian; advisories | CVE-2021-43860, CVE-2022-21682; SHA-256 | 92ec776b2618348db8f0707414a1552a17ec2b3bdae5344ada8ee04019205861; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days

Red Hat 227 files
Ubuntu 94 files
Gentoo 29 files
Debian 21 files
tmrswrr 9 files
Sina Kheirkhah 7 files
bRpsd 4 files
Amit Roy 4 files
nu11secur1ty 3 files
Jann Horn 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,075)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,529)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,299)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,236)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,642)
UNIX (9,424)
UnixWare (187)
Windows (6,665)
Other

CVE-2022-21682

Overview

Related Files

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems