SB2022091544 - SUSE update for flatpak
Published: September 15, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Code Injection (CVE-ID: CVE-2021-21261)
The vulnerability allows a local application to elevate privileges on the system.
The vulnerability exists due to improper input validation when processing environment variables, passed from a sandboxed process to a non-sandboxed process on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app can set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox.
2) Security restrictins bypass (CVE-ID: CVE-2021-41133)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an error in the VFS-manipulating syscalls implementation. A local user can bypass sandbox restrictions and escalate privileges on the system.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-43860)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, which leads to security restrictions bypass and privilege escalation.
Remediation
Install update from vendor's website.