Flatpak 1.2.4 Released To Address Security Issue - Sandbox Bypass Vulnerability

Written by Michael Larabel in Free Software on 27 March 2019 at 05:36 AM EDT. 23 Comments
FREE SOFTWARE
Flatpak 1.2.4 was issued today as an emergency release to address a new CVE vulnerability.

CVE-2019-10063 is a Flatpak vulnerability affecting versions going back to the 0.8 series that allow for a potential bypassing of its sandbox.

Flatpak was previously patched to address CVE-2017-5226, which is a vulnerability where a non-privileged session could escape the parent session in a bubblewrap sandbox by using the TIOCSTI ioctl (TIOCSTI is used for faking input in the input queue) to escape the sandbox. But two years later it turns out their addressing of that former CVE by using a SECCOMP filter was inadequate on 64-bit platforms. Up to now in Flatpak on 64-bit platforms, the sandbox could still be bypassed/escaped as the filter wasn't properly handled on 64-bit architectures. Details in CVE-2019-10063.

As a result, Flatpak 1.2.4 was released with the proper mitigation.

This Flatpak update also has handling for multiple NVIDIA graphics cards on the same system, a fix for Gentoo and other platforms around XDG_RUNTIME_DIR being a symlink, a potential crash when updating applications, and ensuring flatpak list --arch works.

For those on the older Flatpak 1.0 series, Flatpak 1.0.8 was also released this morning.
23 Comments
Related News
Autodafe 1.0 Released For Freeing Projects Of Autotools
Servo Web Engine Continues Advancing But Seeing Just $1.6k In Monthly Donations
XZ 5.6.2 Released With The Frightening Backdoor Removed
Linux Foundation Launches The High Performance Software Foundation
Rustls Can Now Work With Nginx Via New OpenSSL Compatibility Layer
Zed Code Editor Making Progress On Linux Support
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Amazon Cloud Traffic Is Suffocating Fedora's Mirrors
Microsoft Rolling Out New Windows Subsystem For Linux "WSL" Features For 2024
Linux 6.10-rc1 Kernel Released With Many New Features
Linux 6.10 Improves AMD ROCm Compute Support For "Small" Ryzen APUs
Real-Time Kernel Now Available On Ubuntu 24.04 LTS
AMD & Intel Team Up For UALink As Open Alternative To NVIDIA's NVLink
Linux Shoots Past The 2% Threshold For The Steam Survey, AMD CPU Use Breaks 75%
GNOME Continues Working On New Installer, "Major Issue" With STF