Vulnerability CVE-2023-28101: Information
Description
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.
Severity: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
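An added example, not Flatpak's or ALT Linux's code, of the two defensive checks a client that prints app permissions needs against this bug: flag metadata values that carry control characters, and escape them so the terminal shows the bytes instead of interpreting them. The sample metadata and its ESC sequence are constructed, and `parse_metadata`, `find_control_chars`, `escape_for_terminal` and `render_permissions` are hypothetical helpers rather than Flatpak APIs.

```python
import re

# Constructed sample in Flatpak's key-file metadata layout (not a real app).
# The "filesystems" value embeds an ESC-initiated terminal sequence; printed
# raw, a terminal interprets it rather than showing it (the CVE's mechanism).
SAMPLE_METADATA = (
    "[Context]\n"
    "shared=network;ipc;\n"
    "sockets=x11;\n"
    "filesystems=home;xdg-download\x1b[2K\x1b[1A;\n"
    "[Session Bus Policy]\n"
    "org.freedesktop.Flatpak=talk\n"
)

# C0 control characters plus DEL: none of these belong in a permission value.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def parse_metadata(text):
    """Minimal key-file parser -> {section: {key: raw value}} (hypothetical helper)."""
    sections, current = {}, None
    for line in text.split("\n"):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][key.strip()] = value  # value kept byte-for-byte
    return sections

def find_control_chars(metadata):
    """Return (section, key) pairs whose value carries a control character."""
    return [(section, key)
            for section, entries in metadata.items()
            for key, value in entries.items()
            if CONTROL_CHARS.search(value)]

def escape_for_terminal(value):
    """Replace each control character with a visible \\xNN escape."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)

def render_permissions(metadata):
    """Display lines for the permission sections, safe to print to a TTY."""
    return [f"{section}/{key}={escape_for_terminal(value)}"
            for section in ("Context", "Session Bus Policy", "System Bus Policy")
            for key, value in metadata.get(section, {}).items()]
```

The pattern covers only C0 controls and DEL; C1 controls (U+0080 to U+009F) can also act as terminal controls on some emulators, so widen the class if your display path decodes UTF-8 before printing.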
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
flatpak | sisyphus | 1.14.4-alt1 | 1.14.8-alt1 | ALT-PU-2023-1477-1 | 317056 | Fixed |
flatpak | sisyphus_e2k | 1.14.4-alt1 | 1.14.8-alt1 | ALT-PU-2023-3012-1 | - | Fixed |
flatpak | sisyphus_riscv64 | 1.14.4-alt1 | 1.14.8-alt1 | ALT-PU-2023-2905-1 | - | Fixed |
flatpak | p10 | 1.14.4-alt1 | 1.14.6-alt1 | ALT-PU-2023-1512-1 | 317059 | Fixed |
flatpak | p10_e2k | 1.14.4-alt1 | 1.14.6-alt1 | ALT-PU-2023-3097-1 | - | Fixed |
flatpak | c10f1 | 1.14.4-alt1 | 1.14.4-alt1 | ALT-PU-2023-1512-1 | 317059 | Fixed |