Flatpak 1.2.4 Released To Address Security Issue - Sandbox Bypass Vulnerability
Written by Michael Larabel in Free Software on 27 March 2019 at 05:36 AM EDT. 23 Comments
Flatpak 1.2.4 was issued today as an emergency release to address a new CVE vulnerability.

CVE-2019-10063 is a Flatpak vulnerability affecting versions going back to the 0.8 series that allow for a potential bypassing of its sandbox.

Flatpak was previously patched to address CVE-2017-5226, which is a vulnerability where a non-privileged session could escape the parent session in a bubblewrap sandbox by using the TIOCSTI ioctl (TIOCSTI is used for faking input in the input queue) to escape the sandbox. But two years later it turns out their addressing of that former CVE by using a SECCOMP filter was inadequate on 64-bit platforms. Up to now in Flatpak on 64-bit platforms, the sandbox could still be bypassed/escaped as the filter wasn't properly handled on 64-bit architectures. Details in CVE-2019-10063.

As a result, Flatpak 1.2.4 was released with the proper mitigation.

This Flatpak update also has handling for multiple NVIDIA graphics cards on the same system, a fix for Gentoo and other platforms around XDG_RUNTIME_DIR being a symlink, a potential crash when updating applications, and ensuring flatpak list --arch works.

For those on the older Flatpak 1.0 series, Flatpak 1.0.8 was also released this morning.
Related News
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Popular News This Week