SUSE update for flatpak

1) Code Injection

EUVDB-ID: #VU49587

Risk: Low

CVSSv4.0: 7.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Clear]

CVE-ID: CVE-2021-21261

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a local application to elevate privileges on the system.

The vulnerability exists due to improper input validation when processing environment variables, passed from a sandboxed process to a non-sandboxed process on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app can set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox.

Mitigation

Update the affected package flatpak to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP: 15-SP1

SUSE Linux Enterprise High Performance Computing: 15-SP1-LTSS - 15-SP1-ESPOS

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

SUSE Linux Enterprise Server: 15-SP1-BCL - 15-SP1-LTSS

typelib-1_0-Flatpak-1_0: before 1.2.3-150100.4.5.2

libflatpak0-debuginfo: before 1.2.3-150100.4.5.2

libflatpak0: before 1.2.3-150100.4.5.2

flatpak-zsh-completion: before 1.2.3-150100.4.5.2

flatpak-devel: before 1.2.3-150100.4.5.2

flatpak-debugsource: before 1.2.3-150100.4.5.2

flatpak-debuginfo: before 1.2.3-150100.4.5.2

flatpak: before 1.2.3-150100.4.5.2

CPE2.3

• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-SP1-LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-SP1-ESPOS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_enterprise_storage:6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_caas_platform:4.0:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP1-BCL:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP1-LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:typelib-1_0-flatpak-1_0:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:libflatpak0-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:libflatpak0:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:flatpak-zsh-completion:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:flatpak-devel:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:flatpak-debugsource:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:flatpak-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:flatpak:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2022/suse-su-20222990-1/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Neutralization of Special Elements in Output Used by a Downstream Component

EUVDB-ID: #VU51443

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-21381

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper input validation within the "file forwarding" feature. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.

Mitigation

Update the affected package flatpak to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP: 15-SP1

SUSE Linux Enterprise High Performance Computing: 15-SP1-LTSS - 15-SP1-ESPOS

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

SUSE Linux Enterprise Server: 15-SP1-BCL - 15-SP1-LTSS

typelib-1_0-Flatpak-1_0: before 1.2.3-150100.4.5.2

libflatpak0-debuginfo: before 1.2.3-150100.4.5.2

libflatpak0: before 1.2.3-150100.4.5.2

flatpak-zsh-completion: before 1.2.3-150100.4.5.2

flatpak-devel: before 1.2.3-150100.4.5.2

flatpak-debugsource: before 1.2.3-150100.4.5.2

flatpak-debuginfo: before 1.2.3-150100.4.5.2

flatpak: before 1.2.3-150100.4.5.2

CPE2.3

• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-SP1-LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-SP1-ESPOS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_enterprise_storage:6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_caas_platform:4.0:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP1-BCL:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP1-LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:typelib-1_0-flatpak-1_0:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:libflatpak0-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:libflatpak0:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:flatpak-zsh-completion:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:flatpak-devel:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:flatpak-debugsource:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:flatpak-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:flatpak:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2022/suse-su-20222990-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.