Security
Security
A vulnerability was discovered in Flatpak which could allow a remote attacker to execute arbitrary code.
| Package | sys-apps/flatpak on all architectures |
|---|---|
| Affected versions | < 1.10.0 |
| Unaffected versions | >= 1.10.0 |
Flatpak is a Linux application sandboxing and distribution framework.
A bug was discovered in the flatpak-portal service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape).
A remote attacker could entice a user to open a specially crafted Flatpak app possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.
As a workaround, this vulnerability can be mitigated by preventing the flatpak-portal service from starting, but that mitigation will prevent many Flatpak apps from working correctly. It is highly recommended to upgrade.
All Flatpak users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.10.0"
Release date
January 25, 2021
Latest revision
January 25, 2021: 1
Severity
normal
Exploitable
remote
Bugzilla entries