Showing 1 - 3 of 3

CVE-2022-21682

Status Candidate

Overview

Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.

Related Files

Gentoo Linux Security Advisory 202312-12: Posted Dec 26, 2023; Authored by Gentoo | Site security.gentoo.org; Gentoo Linux Security Advisory 202312-12 - Several vulnerabilities have been found in Flatpack, the worst of which lead to privilege escalation and sandbox escape. Versions greater than or equal to 1.14.4 are affected.; tags | advisory, vulnerability; systems | linux, gentoo; advisories | CVE-2021-21381, CVE-2021-41133, CVE-2021-43860, CVE-2022-21682, CVE-2023-28100, CVE-2023-28101; SHA-256 | 3018a3aaac2e8e504bce240edb2f33466f227c0b15ee1ce0adb6bbddcdceb2ca; Download | Favorite | View

Red Hat Security Advisory 2022-7458-01: Posted Nov 8, 2022; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2022-7458-01 - Flatpak-builder is a tool for building flatpaks from sources.; tags | advisory; systems | linux, redhat; advisories | CVE-2022-21682; SHA-256 | 5be4f5c9b26f014ff8aec5920b6f412dfa096daa6b529d5f98cab135eb161c8f; Download | Favorite | View

Debian Security Advisory 5049-1: Posted Jan 28, 2022; Authored by Debian | Site debian.org; Debian Linux Security Advisory 5049-1 - Several vulnerabilities were discovered in Flatpak, an application deployment framework for desktop apps.; tags | advisory, vulnerability; systems | linux, debian; advisories | CVE-2021-43860, CVE-2022-21682; SHA-256 | 92ec776b2618348db8f0707414a1552a17ec2b3bdae5344ada8ee04019205861; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days

Red Hat 237 files
indoushka 172 files
Jay Turla 150 files
Ubuntu 78 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

CVE-2022-21682

Overview

Related Files

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems