MGASA-2023-0115

Source
https://advisories.mageia.org/MGASA-2023-0115.html
Import Source
https://advisories.mageia.org/MGASA-2023-0115.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2023-0115
Published
2023-03-24T05:55:49Z
Modified
2023-03-24T04:44:44Z
Summary
Updated flatpak packages fix security vulnerability
Details

If a malicious Flatpak app is run on a Linux virtual console such as /dev/tty1, it can copy text from the virtual console and paste it back into the virtual console's input buffer, from which the command might be run by the user's shell after the Flatpak app has exited. This is similar to CVE-2017-5226, but uses the TIOCLINUX ioctl command instead of TIOCSTI. (CVE-2023-28100)

A Flatpak app with elevated permissions may hide those permissions from users of the 'flatpak(1)' command-line interface by setting other permissions to crafted values that contain non-printable control characters such as 'ESC'. (CVE-2023-28101)


Affected packages

Mageia:8 / flatpak

Package

Name
flatpak
Purl
pkg:rpm/mageia/flatpak?distro=mageia-8

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.12.8-1.mga8

Ecosystem specific

{
    "section": "core"
}