Flatpak update to fix two vulnerabilities

Corrective updates to the Flatpak self-contained package toolkit, versions 1.14.4, 1.12.8, 1.10.8 and 1.15.4, are available that fix two vulnerabilities:

  • CVE-2023-28100 - Ability to copy text and paste it into the virtual console input buffer by manipulating the TIOCLINUX ioctl while an attacker-prepared flatpak package is being installed. For example, the vulnerability could be used to arrange for arbitrary commands to be executed in the console once installation of the third-party package has completed. The problem only appears in the classic virtual console (/dev/tty1, /dev/tty2, etc.) and does not affect sessions in xterm, gnome-terminal, Konsole and other graphical terminals. The vulnerability is not specific to flatpak and can be used to attack other applications; similar vulnerabilities that allowed character injection through the TIOCSTI ioctl interface were previously found in /bin/sandbox and snap.
  • CVE-2023-28101 - Ability to use escape sequences in the permission list of the package metadata to hide the information that the terminal displays about the requested extended permissions when the package is installed or upgraded through the command line interface. An attacker could use this vulnerability to mislead users about the permissions the package uses. Graphical interfaces for installing Flatpak packages, such as GNOME Software and KDE Plasma Discover, are not affected.
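
As an added defensive illustration of the CVE-2023-28101 issue (not Flatpak's own code; the metadata entries and the control sequence in them are constructed), the following Python renders a permission list both as an unpatched CLI would (raw) and with control characters escaped so nothing can be hidden, and flags entries that carry such characters:

```python
# Added example (not Flatpak's own code): render a package's requested
# permissions so that control characters in metadata cannot hide them.
import re

# Any C0 control (0x00-0x1f), DEL (0x7f) or C1 control (0x80-0x9f) can
# alter what a terminal displays; ESC (0x1b) starts CSI/OSC sequences.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def has_terminal_control(value: str) -> bool:
    """True if the string contains a character a terminal would interpret."""
    return _CONTROL.search(value) is not None


def escape_for_terminal(value: str) -> str:
    """Replace each control character with a visible \\xNN escape."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def render_permissions(metadata: dict, escape: bool) -> list:
    """Lines a CLI would print for the [Context] permissions.

    escape=False mirrors the unpatched behaviour (raw metadata written to
    the terminal); escape=True is the hardened form.
    """
    lines = []
    for key, value in metadata.items():
        if escape:
            value = escape_for_terminal(value)
        lines.append(f"  {key}: {value}")
    return lines


def suspicious_keys(metadata: dict) -> list:
    """Keys whose values carry control characters, for flagging in logs."""
    return [k for k, v in metadata.items() if has_terminal_control(v)]


# Constructed metadata: the filesystems value is followed by an ANSI
# "erase line" sequence and a carriage return, then harmless-looking text,
# so on a raw terminal only "sockets: wayland" remains visible on that line.
SAMPLE_CONTEXT = {
    "shared": "network",
    "filesystems": "host" + "\x1b[2K\r" + "  sockets: wayland",
}

if __name__ == "__main__":
    print("raw (unpatched):")
    print("\n".join(render_permissions(SAMPLE_CONTEXT, escape=False)))
    print("escaped (hardened):")
    print("\n".join(render_permissions(SAMPLE_CONTEXT, escape=True)))
    print("flagged keys:", suspicious_keys(SAMPLE_CONTEXT))
```

Run it in a terminal to see the raw rendering drop the "filesystems: host" entry while the escaped rendering keeps every byte visible.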

Source: opennet.ru