A vulnerability was discovered in Flatpak which could allow a remote attacker to execute arbitrary code.
|Package||sys-apps/flatpak on all architectures|
|Affected versions||< 1.10.0|
|Unaffected versions||>= 1.10.0|
Flatpak is a Linux application sandboxing and distribution framework.
A bug was discovered in the flatpak-portal service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape).
A remote attacker could entice a user to open a specially crafted Flatpak app possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.
As a workaround, this vulnerability can be mitigated by preventing the flatpak-portal service from starting, but that mitigation will prevent many Flatpak apps from working correctly. It is highly recommended to upgrade.
All Flatpak users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.10.0"
January 25, 2021
January 25, 2021: 1