cvrf2cusa/cvrf/2024/cvrf-openEuler-SA-2024-1426.xml

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
	<DocumentTitle xml:lang="en">An update for flatpak is now available for openEuler-22.03-LTS-SP2</DocumentTitle>
	<DocumentType>Security Advisory</DocumentType>
	<DocumentPublisher Type="Vendor">
		<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
		<IssuingAuthority>openEuler security committee</IssuingAuthority>
	</DocumentPublisher>
	<DocumentTracking>
		<Identification>
			<ID>openEuler-SA-2024-1426</ID>
		</Identification>
		<Status>Final</Status>
		<Version>1.0</Version>
		<RevisionHistory>
			<Revision>
				<Number>1.0</Number>
				<Date>2024-04-12</Date>
				<Description>Initial</Description>
			</Revision>
		</RevisionHistory>
		<InitialReleaseDate>2024-04-12</InitialReleaseDate>
		<CurrentReleaseDate>2024-04-12</CurrentReleaseDate>
		<Generator>
			<Engine>openEuler SA Tool V1.0</Engine>
			<Date>2024-04-12</Date>
		</Generator>
	</DocumentTracking>
	<DocumentNotes>
		<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">flatpak security update</Note>
		<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for flatpak is now available for openEuler-22.03-LTS-SP2.</Note>
		<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.

Security Fix(es):

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don&apos;t run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.(CVE-2023-28100)

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.(CVE-2023-28101)</Note>
		<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for flatpak is now available for openEuler-22.03-LTS-SP2.

openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
		<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Medium</Note>
		<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">flatpak</Note>
	</DocumentNotes>
	<DocumentReferences>
		<Reference Type="Self">
			<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1426</URL>
		</Reference>
		<Reference Type="openEuler CVE">
			<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-28100</URL>
			<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-28101</URL>
		</Reference>
		<Reference Type="Other">
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-28100</URL>
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-28101</URL>
		</Reference>
	</DocumentReferences>
	<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
		<Branch Type="Product Name" Name="openEuler">
			<FullProductName ProductID="openEuler-22.03-LTS-SP2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">openEuler-22.03-LTS-SP2</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="aarch64">
			<FullProductName ProductID="flatpak-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-1.10.2-7.oe2203sp2.aarch64.rpm</FullProductName>
			<FullProductName ProductID="flatpak-debuginfo-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-debuginfo-1.10.2-7.oe2203sp2.aarch64.rpm</FullProductName>
			<FullProductName ProductID="flatpak-debugsource-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-debugsource-1.10.2-7.oe2203sp2.aarch64.rpm</FullProductName>
			<FullProductName ProductID="flatpak-devel-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-devel-1.10.2-7.oe2203sp2.aarch64.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="noarch">
			<FullProductName ProductID="flatpak-help-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-help-1.10.2-7.oe2203sp2.noarch.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="src">
			<FullProductName ProductID="flatpak-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-1.10.2-7.oe2203sp2.src.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="x86_64">
			<FullProductName ProductID="flatpak-devel-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-devel-1.10.2-7.oe2203sp2.x86_64.rpm</FullProductName>
			<FullProductName ProductID="flatpak-debugsource-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-debugsource-1.10.2-7.oe2203sp2.x86_64.rpm</FullProductName>
			<FullProductName ProductID="flatpak-debuginfo-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-debuginfo-1.10.2-7.oe2203sp2.x86_64.rpm</FullProductName>
			<FullProductName ProductID="flatpak-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-1.10.2-7.oe2203sp2.x86_64.rpm</FullProductName>
		</Branch>
	</ProductTree>
	<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don&apos;t run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.</Note>
		</Notes>
		<ReleaseDate>2024-04-12</ReleaseDate>
		<CVE>CVE-2023-28100</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-22.03-LTS-SP2</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>Medium</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>6.5</BaseScore>
				<Vector>AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>flatpak security update</Description>
				<DATE>2024-04-12</DATE>
				<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1426</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
	<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.</Note>
		</Notes>
		<ReleaseDate>2024-04-12</ReleaseDate>
		<CVE>CVE-2023-28101</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-22.03-LTS-SP2</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>Medium</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>4.3</BaseScore>
				<Vector>AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>flatpak security update</Description>
				<DATE>2024-04-12</DATE>
				<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1426</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
</cvrfdoc>
增加测试用的配置和目录 Signed-off-by: Jia Chao <jiac13@chinaunicom.cn> 2024-07-02 07:51:55 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">`
			`<DocumentTitle xml:lang="en">An update for flatpak is now available for openEuler-22.03-LTS-SP2</DocumentTitle>`
			`<DocumentType>Security Advisory</DocumentType>`
			`<DocumentPublisher Type="Vendor">`
			`<ContactDetails>openeuler-security@openeuler.org</ContactDetails>`
			`<IssuingAuthority>openEuler security committee</IssuingAuthority>`
			`</DocumentPublisher>`
			`<DocumentTracking>`
			`<Identification>`
			`<ID>openEuler-SA-2024-1426</ID>`
			`</Identification>`
			`<Status>Final</Status>`
			`<Version>1.0</Version>`
			`<RevisionHistory>`
			`<Revision>`
			`<Number>1.0</Number>`
			`<Date>2024-04-12</Date>`
			`<Description>Initial</Description>`
			`</Revision>`
			`</RevisionHistory>`
			`<InitialReleaseDate>2024-04-12</InitialReleaseDate>`
			`<CurrentReleaseDate>2024-04-12</CurrentReleaseDate>`
			`<Generator>`
			`<Engine>openEuler SA Tool V1.0</Engine>`
			`<Date>2024-04-12</Date>`
			`</Generator>`
			`</DocumentTracking>`
			`<DocumentNotes>`
			`<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">flatpak security update</Note>`
			`<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for flatpak is now available for openEuler-22.03-LTS-SP2.</Note>`
			`<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.`

			`Security Fix(es):`

			Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.(CVE-2023-28100)

			Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.(CVE-2023-28101)</Note>
			`<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for flatpak is now available for openEuler-22.03-LTS-SP2.`

			`openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>`
			`<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Medium</Note>`
			`<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">flatpak</Note>`
			`</DocumentNotes>`
			`<DocumentReferences>`
			`<Reference Type="Self">`
			`<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1426</URL>`
			`</Reference>`
			`<Reference Type="openEuler CVE">`
			`<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-28100</URL>`
			`<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-28101</URL>`
			`</Reference>`
			`<Reference Type="Other">`
			`<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-28100</URL>`
			`<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-28101</URL>`
			`</Reference>`
			`</DocumentReferences>`
			`<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">`
			`<Branch Type="Product Name" Name="openEuler">`
			`<FullProductName ProductID="openEuler-22.03-LTS-SP2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">openEuler-22.03-LTS-SP2</FullProductName>`
			`</Branch>`
			`<Branch Type="Package Arch" Name="aarch64">`
			`<FullProductName ProductID="flatpak-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-1.10.2-7.oe2203sp2.aarch64.rpm</FullProductName>`
			`<FullProductName ProductID="flatpak-debuginfo-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-debuginfo-1.10.2-7.oe2203sp2.aarch64.rpm</FullProductName>`
			`<FullProductName ProductID="flatpak-debugsource-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-debugsource-1.10.2-7.oe2203sp2.aarch64.rpm</FullProductName>`
			`<FullProductName ProductID="flatpak-devel-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-devel-1.10.2-7.oe2203sp2.aarch64.rpm</FullProductName>`
			`</Branch>`
			`<Branch Type="Package Arch" Name="noarch">`
			`<FullProductName ProductID="flatpak-help-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-help-1.10.2-7.oe2203sp2.noarch.rpm</FullProductName>`
			`</Branch>`
			`<Branch Type="Package Arch" Name="src">`
			`<FullProductName ProductID="flatpak-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-1.10.2-7.oe2203sp2.src.rpm</FullProductName>`
			`</Branch>`
			`<Branch Type="Package Arch" Name="x86_64">`
			`<FullProductName ProductID="flatpak-devel-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-devel-1.10.2-7.oe2203sp2.x86_64.rpm</FullProductName>`
			`<FullProductName ProductID="flatpak-debugsource-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-debugsource-1.10.2-7.oe2203sp2.x86_64.rpm</FullProductName>`
			`<FullProductName ProductID="flatpak-debuginfo-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-debuginfo-1.10.2-7.oe2203sp2.x86_64.rpm</FullProductName>`
			`<FullProductName ProductID="flatpak-1.10.2-7" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">flatpak-1.10.2-7.oe2203sp2.x86_64.rpm</FullProductName>`
			`</Branch>`
			`</ProductTree>`
			`<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">`
			`<Notes>`
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.</Note>
			`</Notes>`
			`<ReleaseDate>2024-04-12</ReleaseDate>`
			`<CVE>CVE-2023-28100</CVE>`
			`<ProductStatuses>`
			`<Status Type="Fixed">`
			`<ProductID>openEuler-22.03-LTS-SP2</ProductID>`
			`</Status>`
			`</ProductStatuses>`
			`<Threats>`
			`<Threat Type="Impact">`
			`<Description>Medium</Description>`
			`</Threat>`
			`</Threats>`
			`<CVSSScoreSets>`
			`<ScoreSet>`
			`<BaseScore>6.5</BaseScore>`
			`<Vector>AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H</Vector>`
			`</ScoreSet>`
			`</CVSSScoreSets>`
			`<Remediations>`
			`<Remediation Type="Vendor Fix">`
			`<Description>flatpak security update</Description>`
			`<DATE>2024-04-12</DATE>`
			`<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1426</URL>`
			`</Remediation>`
			`</Remediations>`
			`</Vulnerability>`
			`<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">`
			`<Notes>`
			<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.</Note>
			`</Notes>`
			`<ReleaseDate>2024-04-12</ReleaseDate>`
			`<CVE>CVE-2023-28101</CVE>`
			`<ProductStatuses>`
			`<Status Type="Fixed">`
			`<ProductID>openEuler-22.03-LTS-SP2</ProductID>`
			`</Status>`
			`</ProductStatuses>`
			`<Threats>`
			`<Threat Type="Impact">`
			`<Description>Medium</Description>`
			`</Threat>`
			`</Threats>`
			`<CVSSScoreSets>`
			`<ScoreSet>`
			`<BaseScore>4.3</BaseScore>`
			`<Vector>AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</Vector>`
			`</ScoreSet>`
			`</CVSSScoreSets>`
			`<Remediations>`
			`<Remediation Type="Vendor Fix">`
			`<Description>flatpak security update</Description>`
			`<DATE>2024-04-12</DATE>`
			`<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1426</URL>`
			`</Remediation>`
			`</Remediations>`
			`</Vulnerability>`
			`</cvrfdoc>`