UbuntuUpdates.org

Package "flatpak"

Name: flatpak

Description:

Application deployment framework for desktop apps
Latest version: 1.0.9-0ubuntu0.4
Release: bionic (18.04)
Level: security
Repository: universe
Homepage: http://flatpak.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "flatpak"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "flatpak" in Bionic

Repository Area Version
base universe 0.11.3-3
updates universe 1.0.9-0ubuntu0.4

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1.0.9-0ubuntu0.4 2021-12-14 12:06:44 UTC

  flatpak (1.0.9-0ubuntu0.4) bionic-security; urgency=medium

  * SECURITY UPDATE: Sandbox bypass via recent VFS-manipulating syscalls
    (LP: #1946578)
    - debian/paches/CVE-2021-41133-1.patch
    - debian/paches/CVE-2021-41133-2.patch
    - debian/paches/CVE-2021-41133-3.patch
    - debian/paches/CVE-2021-41133-4.patch
    - debian/paches/CVE-2021-41133-5.patch
    - debian/paches/CVE-2021-41133-6.patch
    - debian/paches/CVE-2021-41133-7.patch
    - debian/paches/CVE-2021-41133-8.patch
    - debian/paches/CVE-2021-41133-9.patch
    - debian/paches/CVE-2021-41133-10.patch
    - CVE-2021-41133

 -- Andrew Hayzen <email address hidden> Wed, 13 Oct 2021 00:36:35 +0100
Source diff to previous version
1946578 Update for CVE-2021-41133
CVE-2021-41133 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak

Version: 1.0.9-0ubuntu0.3 2021-05-12 04:06:21 UTC

  flatpak (1.0.9-0ubuntu0.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file
    (LP: #1918482)
   - debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage in
     desktop files.
   - debian/patches/CVE-2021-21381-2.patch: dir: Reserve the whole @@
     prefix.
   - debian/patches/CVE-2021-21381-3.patch: dir: Refuse to export
     .desktop files with suspicious uses.
   - CVE-2021-21381

 -- Andrew Hayzen <email address hidden> Wed, 10 Mar 2021 20:51:04 +0000
Source diff to previous version
1918482 Update for CVE-2021-21381
CVE-2021-21381 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before versi

Version: 1.0.9-0ubuntu0.2 2021-02-02 16:06:20 UTC

  flatpak (1.0.9-0ubuntu0.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: run: Convert all environment
      variables into bwrap arguments.
    - debian/patches/CVE-2021-21261-2.patch: common: Move
      flatpak_buffer_to_sealed_memfd_or_tmpfile to its own file.
    - debian/patches/CVE-2021-21261-3.patch: context: Add --env-fd option.
    - debian/patches/CVE-2021-21261-4.patch: portal: Convert --env in
      extra-args into --env-fd.
    - debian/patches/CVE-2021-21261-5.patch: portal: Do not use caller-supplied
      variables in environment.
    - CVE-2021-21261

 -- Paulo Flabiano Smorigo <email address hidden> Tue, 19 Jan 2021 14:21:40 +0000
Source diff to previous version
1911473 Update for ghsa-4ppf-fxf6-vxg2
CVE-2021-21261 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` ser

Version: 1.0.8-0ubuntu0.18.04.1 2019-05-09 19:06:47 UTC

  flatpak (1.0.8-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * Update to 1.0.8 (LP: #1821811)
  * New upstream release
    - SECURITY UPDATE: seccomp: Reject all ioctls that the kernel will
      interpret as TIOCSTI, including those where the high 32 bits in
      a 64-bit word are nonzero.
    - CVE-2019-10063

 -- Andrew Hayzen <email address hidden> Wed, 27 Mar 2019 21:21:48 +0000
Source diff to previous version
1821811 New upstream microrelease flatpak 1.0.8
CVE-2019-10063 Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-522

Version: 1.0.7-0ubuntu0.18.04.1 2019-02-14 18:06:35 UTC

  flatpak (1.0.7-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * Update to 1.0.7 (LP: #1815528)
  * New upstream release
    - SECURITY UPDATE: do not let the apply_extra script for a system
      installation modify the host-side executable via /proc/self/exe,
      similar to CVE-2019-5736 in runc
    - CVE-2019-8308

 -- Andrew Hayzen <email address hidden> Wed, 13 Feb 2019 21:24:42 +0000
1815528 New upstream microrelease flatpak 1.0.7
CVE-2019-5736 runc container breakout
CVE-2019-8308 Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side


About   -   Send Feedback to @ubuntu_updates