Main Vulnerability Database SB2017062618

SB2017062618 - Fedora 24 update for flatpak

Published: June 26, 2017 Updated: April 24, 2025

Security Bulletin ID SB2017062618

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Incorrect permission assignment for critical resource (CVE-ID: CVE-2017-9780)

The vulnerability allows a local authenticated user to execute arbitrary code.

In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system helper" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b1f07acd9