UbuntuUpdates.org

Package "libflatpak0"

Name: libflatpak0

Description:

Application deployment framework for desktop apps (library)

Latest version: 1.6.5-0ubuntu0.5
Release: focal (20.04)
Level: security
Repository: universe
Head package: flatpak
Homepage: https://flatpak.org/

Other versions of "libflatpak0" in Focal

Repository Area Version
base universe 1.6.3-1
updates universe 1.6.5-0ubuntu0.5

Changelog

Version: 1.6.5-0ubuntu0.5 2024-09-30 18:06:50 UTC

  flatpak (1.6.5-0ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: Access outside sandbox
    - debian/patches/CVE-2024-42472-1.patch: don't follow symlinks when
      mounting persisted directories in common/flatpak-context.c.
    - debian/patches/CVE-2024-42472-2.patch: add test coverage for --persist
      in test/test-run.sh.
    - debian/patches/CVE-2024-42472-3.patch: add --bind-fd and --ro-bind-fd to
      bubblewrap.c.
    - debian/control: makes flatpak depend on bubblewrap with --bind-fd feature
      backported to avoid race condition (LP: #2077087)
    - CVE-2024-42472

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 24 Sep 2024 20:03:34 -0300

2077087 CVE-2024-42472: Access to files outside sandbox for apps using persistent= (--persist)
CVE-2024-42472 Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app us

Version: 1.6.5-0ubuntu0.4 2021-12-14 12:06:47 UTC

  flatpak (1.6.5-0ubuntu0.4) focal-security; urgency=medium

  * SECURITY UPDATE: Sandbox bypass via recent VFS-manipulating syscalls
    (LP: #1946578)
    - debian/patches/CVE-2021-41133-1.patch
    - debian/patches/CVE-2021-41133-2.patch
    - debian/patches/CVE-2021-41133-3.patch
    - debian/patches/CVE-2021-41133-4.patch
    - debian/patches/CVE-2021-41133-5.patch
    - debian/patches/CVE-2021-41133-6.patch
    - debian/patches/CVE-2021-41133-7.patch
    - debian/patches/CVE-2021-41133-8.patch
    - debian/patches/CVE-2021-41133-9.patch
    - debian/patches/CVE-2021-41133-10.patch
    - CVE-2021-41133

 -- Andrew Hayzen <email address hidden> Wed, 13 Oct 2021 00:36:35 +0100

1946578 Update for CVE-2021-41133
CVE-2021-41133 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak

Version: 1.6.5-0ubuntu0.3 2021-05-12 04:06:22 UTC

  flatpak (1.6.5-0ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file
    (LP: #1918482)
   - debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage in
     desktop files.
   - debian/patches/CVE-2021-21381-2.patch: dir: Reserve the whole @@
     prefix.
   - debian/patches/CVE-2021-21381-3.patch: dir: Refuse to export
     .desktop files with suspicious uses.
   - CVE-2021-21381

 -- Andrew Hayzen <email address hidden> Fri, 05 Mar 2021 22:21:25 +0000

1918482 Update for CVE-2021-21381
CVE-2021-21381 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before versi

Version: 1.6.5-0ubuntu0.2 2021-02-02 16:06:25 UTC

  flatpak (1.6.5-0ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: tests: Add minimal version
      of "ok" helper.
    - debian/patches/CVE-2021-21261-2.patch: common: Add a backport of
      G_DBUS_METHOD_INVOCATION_HANDLED.
    - debian/patches/CVE-2021-21261-3.patch: run: Convert all environment
      variables into bwrap arguments.
    - debian/patches/CVE-2021-21261-4.patch: tests: Expand coverage for
      environment variable overrides.
    - debian/patches/CVE-2021-21261-5.patch: context: Add --env-fd option.
    - debian/patches/CVE-2021-21261-6.patch: portal: Convert --env in
      extra-args into --env-fd.
    - debian/patches/CVE-2021-21261-7.patch: tests: Exercise --env-fd.
    - debian/patches/CVE-2021-21261-8.patch: portal: Do not use
      caller-supplied variables in environment.
    - debian/patches/CVE-2021-21261-9.patch: tests: Assert that --env= does
      not go in `flatpak run` or bwrap environ.
    - CVE-2021-21261

 -- Andrew Hayzen <email address hidden> Wed, 13 Jan 2021 21:09:15 +0000

1911473 Update for ghsa-4ppf-fxf6-vxg2
CVE-2021-21261 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` ser


