• Advisory ID (KylinSec-SA-2024-1524)

Summary:

flatpak security update

Severity: Medium

Advisory ID: KylinSec-SA-2024-1524

Release date: April 12, 2024

Related CVEs: CVE-2023-28100, CVE-2023-28101

  • Details

1. Vulnerability description


Flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.

Security Fix(es):

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment. (CVE-2023-28100)

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust. (CVE-2023-28101)
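The CVE-2023-28101 issue above is a terminal-rendering problem: a permission value carrying control characters such as ESC can make the CLI display something other than what the metadata grants. The following added example (not code from KylinSec or the Flatpak project) scans a Flatpak app's INI-style metadata file for permission values containing control characters and prints them with the escapes made visible; it assumes the standard `[Context]` section layout and uses a constructed sample metadata file.

```python
"""Scan Flatpak app metadata for permission values that hide control characters.

Added example for CVE-2023-28101; the sample metadata below is constructed.
"""
import configparser
import re

# Any C0 control character (ESC is 0x1b) or DEL, except TAB.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")

# Constructed sample: the "filesystems" value ends with an ANSI escape
# sequence (ESC [ 2 K clears the line, ESC [ A moves the cursor up), which a
# terminal would interpret instead of showing it as text.
SAMPLE_METADATA = (
    "[Application]\n"
    "name=org.example.Demo\n"
    "runtime=org.freedesktop.Platform/x86_64/22.08\n"
    "\n"
    "[Context]\n"
    "shared=network;ipc;\n"
    "sockets=x11;wayland;\n"
    "filesystems=host;\x1b[2K\x1b[A\n"
)


def find_control_chars(metadata_text):
    """Return (section, key, sanitized_value) for every value that contains a
    control character; sanitized values render each such byte as \\xNN."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(metadata_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if CONTROL_CHARS.search(value):
                sanitized = CONTROL_CHARS.sub(
                    lambda m: "\\x%02x" % ord(m.group()), value)
                findings.append((section, key, sanitized))
    return findings


if __name__ == "__main__":
    # Printing the sanitized form is safe: no raw escape reaches the terminal.
    for section, key, value in find_control_chars(SAMPLE_METADATA):
        print(f"suspicious value in [{section}] {key}={value}")
```

To check an installed app, pass the contents of its `metadata` file to `find_control_chars` instead of the constructed sample.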

2. Affected scope

CVE ID          Product   Component   Affected
CVE-2023-28100  KY3.5.2   flatpak     Fixed
CVE-2023-28101  KY3.5.2   flatpak     Fixed

3. Affected components

    flatpak

4. Fixed versions


KY3.5.2

Package        Architecture   Version
flatpak-help   noarch         1.10.2-8.ky3_5.kb1
flatpak-devel  x86_64         1.10.2-8.ky3_5.kb1
flatpak        x86_64         1.10.2-8.ky3_5.kb1
flatpak        aarch64        1.10.2-8.ky3_5.kb1
flatpak-devel  aarch64        1.10.2-8.ky3_5.kb1

5. Remediation


Method 1: download the package and upgrade manually
1. Download the required upgrade package from the download links and save it, e.g. xxx.rpm
2. Upgrade it with the rpm command, e.g. rpm -Uvh xxx.rpm

Method 2: upgrade from the software repository
1. Make sure the system can reach the Internet
2. Upgrade the specified package with the yum command, e.g. yum install <package-name>

6. Download links


KY3.5.2:

x86_64:
     flatpak-help
     flatpak-devel
     flatpak

aarch64:
     flatpak-help
     flatpak
     flatpak-devel
