Flatpak: Sandbox Escape — GLSA 202406-02

A vulnerability has been discovered in Flatpak, which can lead to a sandbox escape.

Affected packages

sys-apps/flatpak on all architectures
Affected versions < 1.14.6
Unaffected versions >= 1.14.6

Background

Flatpak is a Linux application sandboxing and distribution framework.

Description

A vulnerability has been discovered in Flatpak. Please review the CVE identifier referenced below for details.

Impact

A malicious or compromised Flatpak app could, in conjunction with xdg-desktop-portal, execute arbitrary code outside its sandbox.

Workaround

There is no known workaround at this time.

Resolution

All Flatpak users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.14.6"
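
To confirm the upgrade took effect, the following added example (not part of the GLSA or of Flatpak itself) classifies the text printed by flatpak --version against the 1.14.6 threshold stated above. The function names are hypothetical, the sample strings are constructed, and the check encodes only the version range this advisory gives.

```shell
#!/bin/sh
# Added example: classify a Flatpak version against the GLSA 202406-02 range.
FIXED="1.14.6"   # first unaffected version, taken from the advisory

# ver_lt A B: succeed if dotted numeric version A is lower than B.
# Components are compared as integers, so 1.14.10 is newer than 1.14.6
# and 1.9.12 is older than 1.14.6 (a plain string compare gets both wrong).
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        # Drop the component just read; an exhausted side counts as 0.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0} y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # versions are equal
}

# flatpak_status "OUTPUT": print affected, unaffected or unknown for the
# text that `flatpak --version` prints (for example "Flatpak 1.14.4").
flatpak_status() {
    v=${1#Flatpak }
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    if ver_lt "$v" "$FIXED"; then echo affected; else echo unaffected; fi
}

# Constructed sample outputs, followed by the local install if there is one.
for sample in "Flatpak 1.9.12" "Flatpak 1.14.4" "Flatpak 1.14.6" \
              "Flatpak 1.14.10" "Flatpak 1.16.0" "not a version"; do
    printf '%-18s %s\n' "$sample" "$(flatpak_status "$sample")"
done
if command -v flatpak >/dev/null 2>&1; then
    local_ver=$(flatpak --version)
    printf '%-18s %s\n' "$local_ver" "$(flatpak_status "$local_ver")"
fi
```

An "unknown" result means the version string could not be parsed and the host should be checked by hand.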
 

References

Release date
June 22, 2024

Latest revision
June 22, 2024: 1

Severity
high

Exploitable
local

Bugzilla entries