SB2021031112 - Multiple vulnerabilities in flatpak
Published: March 11, 2021 Updated: March 14, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Memory leak (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak. A remote attacker can force the application to leak memory and perform denial of service attack.
2) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2021-21381)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper input validation within the "file forwarding" feature. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.
Remediation
Install update from vendor's website.
References
- https://github.com/flatpak/flatpak/releases/tag/1.10.2
- https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961
- https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae
- https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d
- https://github.com/flatpak/flatpak/pull/4156
- https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
- https://www.debian.org/security/2021/dsa-4868