Ana samun sabuntawar sabuntawa ga kayan aikin kayan aiki don ƙirƙirar fakitin Flatpak 1.14.4, 1.12.8, 1.10.8 da 1.15.4, waɗanda ke gyara lahani biyu:
- CVE-2023-28100 - ikon kwafi da musanya rubutu a cikin shigar da kayan aikin wasan bidiyo ta hanyar amfani da TIOCLINUX ioctl lokacin shigar da fakitin flatpak wanda maharin ya shirya. Misali, ana iya amfani da raunin don ƙaddamar da umarni na sabani a cikin na'ura wasan bidiyo bayan an kammala aikin shigarwa na fakitin ɓangare na uku. Matsalar tana bayyana ne kawai a cikin na'ura mai ba da hanya tsakanin hanyoyin sadarwa (/dev/tty1, /dev/tty2, da sauransu) kuma baya shafar zaman a xterm, gnome-terminal, Konsole da sauran tashoshi masu hoto. Lalacewar ba ta keɓance ga flatpak ba kuma ana iya amfani da ita don kai hari ga wasu aikace-aikace, alal misali, a baya makamancin rashin lahani waɗanda suka ba da izinin musanya halin ta hanyar TIOCSTI ioctl interface an sami su a /bin/sandbox da karye.
- CVE-2023-28101 - Yana yiwuwa a yi amfani da jerin tserewa a cikin jerin izini a cikin fakitin metadata don ɓoye bayanan fitarwa na tasha game da ƙarin izini da aka buƙata yayin shigarwa ko sabunta fakiti ta hanyar layin umarni. Maharan na iya yin amfani da wannan raunin don ɓatar da masu amfani game da takaddun shaidar da aka yi amfani da su a cikin kunshin. GUIs don shigar da fakitin Flatpak, kamar GNOME Software da KDE Plasma Discover, wannan batu bai shafe su ba.
source: budenet.ru