Flatpak: Sandbox Escape — GLSA 202411-02

A vulnerability has been discovered in Flatpak, which can lead to a sandbox escape.

Affected packages

sys-apps/flatpak on all architectures
Affected versions < 1.4.10
Unaffected versions >= 1.4.10

Background

Flatpak is a Linux application sandboxing and distribution framework.

Description

A vulnerability has been discovered in Flatpak. Please review the CVE identifier referenced below for details.

Impact

A malicious or compromised Flatpak app using persistent directories could read and write files in locations it would not normally have access to.

Workaround

There is no known workaround at this time.

Resolution

All Flatpak users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.4.10"
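
To check a host against this advisory, the following script compares the installed Flatpak version with the first unaffected version listed above and reports which installed apps declare persistent directories, the feature named under Impact. It is an added example, not part of the GLSA or of Flatpak itself. The function names and the sample app are constructed, and it assumes persistent directories appear as the `persistent=` key in the `[Context]` section of the metadata printed by `flatpak info --show-permissions`.

```shell
#!/bin/sh
# Added example, not part of the GLSA. FIXED is the first unaffected version it lists.
FIXED="1.4.10"

# Exit status 0 if dotted version $1 is lower than $FIXED (numeric, per component).
is_affected() {
    awk -v v="$1" -v f="$FIXED" 'BEGIN {
        n = split(v, a, "."); m = split(f, b, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (a[i] + 0 < b[i] + 0) exit 0
            if (a[i] + 0 > b[i] + 0) exit 1
        }
        exit 1   # equal to the fixed version: unaffected
    }'
}

# Read Flatpak app metadata (keyfile) on stdin and print each entry of the
# persistent= key in the [Context] section, one per line.
persistent_dirs() {
    awk '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && /^persistent=/ {
            sub(/^persistent=/, "")
            n = split($0, d, ";")
            for (i = 1; i <= n; i++) if (d[i] != "") print d[i]
        }'
}

# Constructed sample metadata, used when flatpak is not installed.
sample_metadata() {
    printf '%s\n' '[Application]' 'name=org.example.App' '[Context]' \
        'shared=network;' 'persistent=.mozilla;.config/example;'
}

if command -v flatpak >/dev/null 2>&1; then
    ver=$(flatpak --version | awk '{print $2}')
    if is_affected "$ver"; then echo "flatpak $ver: affected, upgrade"
    else echo "flatpak $ver: not affected"; fi
    flatpak list --app --columns=application | while read -r app; do
        dirs=$(flatpak info --show-permissions "$app" 2>/dev/null | persistent_dirs | tr '\n' ' ')
        if [ -n "$dirs" ]; then echo "$app uses persistent dirs: $dirs"; fi
    done
else
    echo "sample app persistent dirs: $(sample_metadata | persistent_dirs | tr '\n' ' ')"
fi
```

Apps reported with persistent directories are the ones to review first on a host that cannot be upgraded immediately.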
 

References

Release date
November 06, 2024

Latest revision
November 06, 2024: 1

Severity
high

Exploitable
remote

Bugzilla entries