Flatpak Update Eliminates Two Vulnerabilities

New Flatpak releases, versions 1.14.4, 1.12.8, 1.10.8 and 1.15.4, are now available for the toolkit for building self-contained application packages. The updates fix two vulnerabilities: CVE-2023-28100 and CVE-2023-28101.

CVE-2023-28100 allows an attacker to copy and substitute text in the input buffer of the virtual console by manipulating the TIOCLINUX ioctl when a Flatpak package prepared by the attacker is installed. This makes it possible to execute arbitrary commands in the console after the installation completes. The vulnerability only affects the classic virtual consoles (/dev/tty1, /dev/tty2, etc.) and does not affect sessions in xterm, gnome-terminal, konsole and other graphical terminals. Note that this issue is not specific to Flatpak and can be used to attack other applications as well.

CVE-2023-28101 allows an attacker to use escape sequences in the list of permissions in the package metadata to hide the information that the command-line interface displays about the extended permissions requested when a package is installed or updated. An attacker can exploit this to mislead users about the permissions a package uses. Graphical front-ends for installing Flatpak packages, such as GNOME Software and KDE Plasma Discover, are not affected.
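As an added example (not Flatpak's own code), the following Python checker parses the [Context] section of a Flatpak metadata keyfile, flags permission values that contain terminal control characters, and renders them so that every character is visible before anything is printed to the terminal. The metadata sample is constructed for the demonstration.

```python
import configparser
import re

# Constructed sample metadata: the "filesystems" value embeds an ESC-prefixed
# control sequence that a naive print to a terminal would interpret rather than show.
SAMPLE_METADATA = """\
[Application]
name=org.example.Demo
runtime=org.freedesktop.Platform/x86_64/22.08

[Context]
shared=network;ipc;
sockets=wayland;fallback-x11;
filesystems=xdg-download;\x1b[2Khome;
"""

# C0 controls, DEL and C1 controls: none of these belong in a permission name.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def parse_context(text):
    """Return {key: [values]} for the [Context] section of a Flatpak metadata keyfile."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    context = {}
    for key, raw in parser["Context"].items():
        # Flatpak keyfile lists are ';'-separated and usually end with a trailing ';'.
        context[key] = [value for value in raw.split(";") if value]
    return context


def find_suspicious(context):
    """List (key, value) pairs whose value contains control characters."""
    return [(key, value) for key, values in context.items()
            for value in values if CONTROL_CHARS.search(value)]


def render_visible(value):
    """Replace each control character with its visible \\xNN form for safe display."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)


if __name__ == "__main__":
    ctx = parse_context(SAMPLE_METADATA)
    for key, value in find_suspicious(ctx):
        print("suspicious %s entry: %s" % (key, render_visible(value)))
    for key, values in ctx.items():
        print("%s: %s" % (key, ", ".join(render_visible(v) for v in values)))
```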

Users should update their Flatpak tooling to the new versions, 1.14.4, 1.12.8, 1.10.8 and 1.15.4, which are available now, to close these vulnerabilities. For more information on the updates, see the official Flatpak website.
