Security update for flatpak SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0389-1 Final 1 1 2018-02-07T19:28:48Z current 2018-02-07T19:28:48Z 2018-02-07T19:28:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for flatpak This update for flatpak to version 0.8.9 fixes security issues and bugs. The following vulnerabilities were fixed: - CVE-2018-6560: sandbox escape in the flatpak dbus proxy (boo#1078923) - CVE-2017-9780: Malicious apps could have included inappropriate permissions (boo#1078989) - old-style eavesdropping in the dbus proxy (boo#1078993) This update also includes all upstream improvements and fixes in this stable release series. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2018-02/msg00019.html E-Mail link for openSUSE-SU-2018:0389-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 flatpak-0.8.9-3.1 flatpak-builder-0.8.9-3.1 flatpak-devel-0.8.9-3.1 libflatpak0-0.8.9-3.1 typelib-1_0-Flatpak-1_0-0.8.9-3.1 flatpak-0.8.9-3.1 as a component of openSUSE Leap 42.3 flatpak-builder-0.8.9-3.1 as a component of openSUSE Leap 42.3 flatpak-devel-0.8.9-3.1 as a component of openSUSE Leap 42.3 libflatpak0-0.8.9-3.1 as a component of openSUSE Leap 42.3 typelib-1_0-Flatpak-1_0-0.8.9-3.1 as a component of openSUSE Leap 42.3 In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system helper" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root. CVE-2017-9780 openSUSE Leap 42.3:flatpak-0.8.9-3.1 openSUSE Leap 42.3:flatpak-builder-0.8.9-3.1 openSUSE Leap 42.3:flatpak-devel-0.8.9-3.1 openSUSE Leap 42.3:libflatpak0-0.8.9-3.1 openSUSE Leap 42.3:typelib-1_0-Flatpak-1_0-0.8.9-3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-02/msg00019.html https://www.suse.com/security/cve/CVE-2017-9780.html CVE-2017-9780 https://bugzilla.suse.com/1012961 SUSE Bug 1012961 https://bugzilla.suse.com/1078923 SUSE Bug 1078923 https://bugzilla.suse.com/1078989 SUSE Bug 1078989 In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon. CVE-2018-6560 openSUSE Leap 42.3:flatpak-0.8.9-3.1 openSUSE Leap 42.3:flatpak-builder-0.8.9-3.1 openSUSE Leap 42.3:flatpak-devel-0.8.9-3.1 openSUSE Leap 42.3:libflatpak0-0.8.9-3.1 openSUSE Leap 42.3:typelib-1_0-Flatpak-1_0-0.8.9-3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-02/msg00019.html https://www.suse.com/security/cve/CVE-2018-6560.html CVE-2018-6560 https://bugzilla.suse.com/1078923 SUSE Bug 1078923