CVE-2023-28100

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.
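The advisory names two conditions that must both hold: a Flatpak in one of the NVD-listed version ranges, and a process attached to a Linux virtual console rather than a pseudo-terminal. The following pre-check is an added example, not code from the CVE record or from the Flatpak project; the regular expressions and the message strings are this example's own assumptions.

```python
"""Added example (not from the CVE record or from Flatpak): pre-check for the
two exposure conditions the advisory names, a Flatpak version inside the
NVD-listed vulnerable ranges and a process attached to a Linux virtual console."""
import re

# NVD ranges from the record: x < 1.10.8, 1.12.0 <= x < 1.12.8,
# 1.14.0 <= x < 1.14.4, 1.15.0 <= x < 1.15.4 (None = no lower bound).
# Development branches such as 1.11.x and 1.13.x lie outside these ranges as
# recorded, so they report as "not listed" rather than as vulnerable.
VULNERABLE_RANGES = [
    (None, (1, 10, 8)),
    ((1, 12, 0), (1, 12, 8)),
    ((1, 14, 0), (1, 14, 4)),
    ((1, 15, 0), (1, 15, 4)),
]
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
VIRTUAL_CONSOLE_RE = re.compile(r"^/dev/tty[0-9]+$")


def parse_version(text):
    """Upstream x.y.z from 'Flatpak 1.14.4', '1.14.10-1~deb12u1' or
    '0:1.12.8-1.el9'; None when no version triple is present."""
    m = VERSION_RE.search(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def version_is_vulnerable(text):
    """True when the parsed version lies inside one of the NVD ranges."""
    v = parse_version(text)
    if v is None:
        return False
    return any((lo is None or v >= lo) and v < hi for lo, hi in VULNERABLE_RANGES)


def is_virtual_console(tty_path):
    """Only /dev/tty1, /dev/tty2, ... are affected; /dev/tty (the controlling
    tty alias) and /dev/pts/N pseudo-terminals used by xterm etc. are not."""
    return bool(tty_path) and VIRTUAL_CONSOLE_RE.match(tty_path) is not None


def exposure(version_text, tty_path):
    """Both conditions must hold for the TIOCLINUX copy-and-paste to matter."""
    vulnerable = version_is_vulnerable(version_text)
    if vulnerable and is_virtual_console(tty_path):
        return "exposed: vulnerable Flatpak on a Linux virtual console"
    if vulnerable:
        return "patch needed: vulnerable Flatpak, but not on a virtual console"
    return "ok: version not in the NVD-listed vulnerable ranges"
```

On a live host, feed `exposure()` the output of `flatpak --version` and `os.ttyname(0)`; a distribution package may carry a backported fix at a lower upstream number, so treat a "patch needed" result as a prompt to check the distribution tables below rather than as a final verdict.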
CVSS 3.x Base Score
Provider | Type    | Base Score  | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | Primary | 10 CRITICAL | NETWORK     | LOW             | NONE           | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score: Percentile 72%
Affected Products (NVD)
Vendor  | Product | Version
flatpak | flatpak | x < 1.10.8
flatpak | flatpak | 1.12.0 ≤ x < 1.12.8
flatpak | flatpak | 1.14.0 ≤ x < 1.14.4
flatpak | flatpak | 1.15.0 ≤ x < 1.15.4
x = vulnerable software versions
Debian Releases
Debian Product | Codename             | Version           | Status
flatpak        | bookworm             | 1.14.10-1~deb12u1 | fixed
flatpak        | bookworm (security)  | 1.14.10-1~deb12u1 | fixed
flatpak        | bullseye             | 1.10.8-0+deb11u2  | fixed
flatpak        | bullseye (security)  | 1.10.8-0+deb11u2  | fixed
flatpak        | buster               |                   | ignored
flatpak        | sid                  | 1.15.91-1         | fixed
flatpak        | trixie               | 1.15.91-1         | fixed
Ubuntu Releases
Ubuntu Product | Codename | Status
flatpak        | bionic   | needs-triage
flatpak        | focal    | needs-triage
flatpak        | jammy    | needs-triage
flatpak        | kinetic  | ignored
flatpak        | lunar    | ignored
flatpak        | mantic   | ignored
flatpak        | noble    | needs-triage
flatpak        | oracular | needs-triage
flatpak        | trusty   | ignored
flatpak        | xenial   | ignored
openSUSE / SLES Releases
openSUSE Product        | Release                       | Version               | Status
flatpak                 | suse enterprise desktop 15 SP4 | 1.12.8-150400.3.3.1  | fixed
flatpak                 | suse enterprise desktop 15 SP5 | 1.14.4-150500.1.3    | fixed
flatpak                 | suse enterprise desktop 15 SP6 | 1.14.6-150600.1.2    | fixed
flatpak                 | suse enterprise desktop 15 SP7 | 1.16.0-150600.3.6.1  | fixed
flatpak                 | suse enterprise sap 15 SP2     | 1.10.8-150200.4.15.1 | fixed
flatpak                 | suse enterprise sap 15 SP3     | 1.10.8-150200.4.15.1 | fixed
flatpak                 | suse enterprise sap 15 SP4     | 1.12.8-150400.3.3.1  | fixed
flatpak                 | suse enterprise sap 15 SP5     | 1.14.4-150500.1.3    | fixed
flatpak                 | suse enterprise sap 15 SP6     | 1.14.6-150600.1.2    | fixed
flatpak                 | suse enterprise sap 15 SP7     | 1.16.0-150600.3.6.1  | fixed
flatpak                 | suse enterprise server 15 SP1  | 1.2.3-150100.4.11.1  | fixed
flatpak                 | suse enterprise server 15 SP2  | 1.10.8-150200.4.15.1 | fixed
flatpak                 | suse enterprise server 15 SP3  | 1.10.8-150200.4.15.1 | fixed
flatpak                 | suse enterprise server 15 SP4  | 1.12.8-150400.3.3.1  | fixed
flatpak                 | suse enterprise server 15 SP5  | 1.14.4-150500.1.3    | fixed
flatpak                 | suse enterprise server 15 SP6  | 1.14.6-150600.1.2    | fixed
flatpak                 | suse enterprise server 15 SP7  | 1.16.0-150600.3.6.1  | fixed
flatpak-devel           | suse enterprise desktop 15 SP4 | 1.12.8-150400.3.3.1  | fixed
flatpak-devel           | suse enterprise desktop 15 SP5 | 1.14.4-150500.1.3    | fixed
flatpak-devel           | suse enterprise desktop 15 SP6 | 1.14.6-150600.1.2    | fixed
flatpak-devel           | suse enterprise desktop 15 SP7 | 1.16.0-150600.3.6.1  | fixed
flatpak-devel           | suse enterprise sap 15 SP2     | 1.10.8-150200.4.15.1 | fixed
flatpak-devel           | suse enterprise sap 15 SP3     | 1.10.8-150200.4.15.1 | fixed
flatpak-devel           | suse enterprise sap 15 SP4     | 1.12.8-150400.3.3.1  | fixed
flatpak-devel           | suse enterprise sap 15 SP5     | 1.14.4-150500.1.3    | fixed
flatpak-devel           | suse enterprise sap 15 SP6     | 1.14.6-150600.1.2    | fixed
flatpak-devel           | suse enterprise sap 15 SP7     | 1.16.0-150600.3.6.1  | fixed
flatpak-devel           | suse enterprise server 15 SP1  | 1.2.3-150100.4.11.1  | fixed
flatpak-devel           | suse enterprise server 15 SP2  | 1.10.8-150200.4.15.1 | fixed
flatpak-devel           | suse enterprise server 15 SP3  | 1.10.8-150200.4.15.1 | fixed
flatpak-devel           | suse enterprise server 15 SP4  | 1.12.8-150400.3.3.1  | fixed
flatpak-devel           | suse enterprise server 15 SP5  | 1.14.4-150500.1.3    | fixed
flatpak-devel           | suse enterprise server 15 SP6  | 1.14.6-150600.1.2    | fixed
flatpak-devel           | suse enterprise server 15 SP7  | 1.16.0-150600.3.6.1  | fixed
flatpak-remote-flathub  | suse enterprise desktop 15 SP5 | 1.14.4-150500.1.3    | fixed
flatpak-remote-flathub  | suse enterprise desktop 15 SP6 | 1.14.6-150600.1.2    | fixed
flatpak-remote-flathub  | suse enterprise desktop 15 SP7 | 1.16.0-150600.3.6.1  | fixed
flatpak-remote-flathub  | suse enterprise sap 15 SP5     | 1.14.4-150500.1.3    | fixed
flatpak-remote-flathub  | suse enterprise sap 15 SP6     | 1.14.6-150600.1.2    | fixed
flatpak-remote-flathub  | suse enterprise sap 15 SP7     | 1.16.0-150600.3.6.1  | fixed
flatpak-remote-flathub  | suse enterprise server 15 SP5  | 1.14.4-150500.1.3    | fixed
flatpak-remote-flathub  | suse enterprise server 15 SP6  | 1.14.6-150600.1.2    | fixed
flatpak-remote-flathub  | suse enterprise server 15 SP7  | 1.16.0-150600.3.6.1  | fixed
flatpak-zsh-completion  | suse enterprise desktop 15 SP4 | 1.12.8-150400.3.3.1  | fixed
flatpak-zsh-completion  | suse enterprise desktop 15 SP5 | 1.14.4-150500.1.3    | fixed
flatpak-zsh-completion  | suse enterprise desktop 15 SP6 | 1.14.6-150600.1.2    | fixed
flatpak-zsh-completion  | suse enterprise desktop 15 SP7 | 1.16.0-150600.3.6.1  | fixed
flatpak-zsh-completion  | suse enterprise sap 15 SP2     | 1.10.8-150200.4.15.1 | fixed
flatpak-zsh-completion  | suse enterprise sap 15 SP3     | 1.10.8-150200.4.15.1 | fixed
flatpak-zsh-completion  | suse enterprise sap 15 SP4     | 1.12.8-150400.3.3.1  | fixed
flatpak-zsh-completion  | suse enterprise sap 15 SP5     | 1.14.4-150500.1.3    | fixed
flatpak-zsh-completion  | suse enterprise sap 15 SP6     | 1.14.6-150600.1.2    | fixed
flatpak-zsh-completion  | suse enterprise sap 15 SP7     | 1.16.0-150600.3.6.1  | fixed
flatpak-zsh-completion  | suse enterprise server 15 SP1  | 1.2.3-150100.4.11.1  | fixed
flatpak-zsh-completion  | suse enterprise server 15 SP2  | 1.10.8-150200.4.15.1 | fixed
flatpak-zsh-completion  | suse enterprise server 15 SP3  | 1.10.8-150200.4.15.1 | fixed
flatpak-zsh-completion  | suse enterprise server 15 SP4  | 1.12.8-150400.3.3.1  | fixed
flatpak-zsh-completion  | suse enterprise server 15 SP5  | 1.14.4-150500.1.3    | fixed
flatpak-zsh-completion  | suse enterprise server 15 SP6  | 1.14.6-150600.1.2    | fixed
flatpak-zsh-completion  | suse enterprise server 15 SP7  | 1.16.0-150600.3.6.1  | fixed
libflatpak0             | suse enterprise desktop 15 SP4 | 1.12.8-150400.3.3.1  | fixed
libflatpak0             | suse enterprise desktop 15 SP5 | 1.14.4-150500.1.3    | fixed
libflatpak0             | suse enterprise desktop 15 SP6 | 1.14.6-150600.1.2    | fixed
libflatpak0             | suse enterprise desktop 15 SP7 | 1.16.0-150600.3.6.1  | fixed
libflatpak0             | suse enterprise sap 15 SP2     | 1.10.8-150200.4.15.1 | fixed
libflatpak0             | suse enterprise sap 15 SP3     | 1.10.8-150200.4.15.1 | fixed
libflatpak0             | suse enterprise sap 15 SP4     | 1.12.8-150400.3.3.1  | fixed
libflatpak0             | suse enterprise sap 15 SP5     | 1.14.4-150500.1.3    | fixed
libflatpak0             | suse enterprise sap 15 SP6     | 1.14.6-150600.1.2    | fixed
libflatpak0             | suse enterprise sap 15 SP7     | 1.16.0-150600.3.6.1  | fixed
libflatpak0             | suse enterprise server 15 SP1  | 1.2.3-150100.4.11.1  | fixed
libflatpak0             | suse enterprise server 15 SP2  | 1.10.8-150200.4.15.1 | fixed
libflatpak0             | suse enterprise server 15 SP3  | 1.10.8-150200.4.15.1 | fixed
libflatpak0             | suse enterprise server 15 SP4  | 1.12.8-150400.3.3.1  | fixed
libflatpak0             | suse enterprise server 15 SP5  | 1.14.4-150500.1.3    | fixed
libflatpak0             | suse enterprise server 15 SP6  | 1.14.6-150600.1.2    | fixed
libflatpak0             | suse enterprise server 15 SP7  | 1.16.0-150600.3.6.1  | fixed
system-user-flatpak     | suse enterprise desktop 15 SP4 | 1.12.8-150400.3.3.1  | fixed
system-user-flatpak     | suse enterprise desktop 15 SP5 | 1.14.4-150500.1.3    | fixed
system-user-flatpak     | suse enterprise desktop 15 SP6 | 1.14.6-150600.1.2    | fixed
system-user-flatpak     | suse enterprise desktop 15 SP7 | 1.16.0-150600.3.6.1  | fixed
system-user-flatpak     | suse enterprise sap 15 SP2     | 1.10.8-150200.4.15.1 | fixed
system-user-flatpak     | suse enterprise sap 15 SP3     | 1.10.8-150200.4.15.1 | fixed
system-user-flatpak     | suse enterprise sap 15 SP4     | 1.12.8-150400.3.3.1  | fixed
system-user-flatpak     | suse enterprise sap 15 SP5     | 1.14.4-150500.1.3    | fixed
system-user-flatpak     | suse enterprise sap 15 SP6     | 1.14.6-150600.1.2    | fixed
system-user-flatpak     | suse enterprise sap 15 SP7     | 1.16.0-150600.3.6.1  | fixed
system-user-flatpak     | suse enterprise server 15 SP2  | 1.10.8-150200.4.15.1 | fixed
system-user-flatpak     | suse enterprise server 15 SP3  | 1.10.8-150200.4.15.1 | fixed
system-user-flatpak     | suse enterprise server 15 SP4  | 1.12.8-150400.3.3.1  | fixed
system-user-flatpak     | suse enterprise server 15 SP5  | 1.14.4-150500.1.3    | fixed
system-user-flatpak     | suse enterprise server 15 SP6  | 1.14.6-150600.1.2    | fixed
system-user-flatpak     | suse enterprise server 15 SP7  | 1.16.0-150600.3.6.1  | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise desktop 15 SP4 | 1.12.8-150400.3.3.1  | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise desktop 15 SP5 | 1.14.4-150500.1.3    | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise desktop 15 SP6 | 1.14.6-150600.1.2    | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise desktop 15 SP7 | 1.16.0-150600.3.6.1  | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise sap 15 SP2     | 1.10.8-150200.4.15.1 | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise sap 15 SP3     | 1.10.8-150200.4.15.1 | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise sap 15 SP4     | 1.12.8-150400.3.3.1  | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise sap 15 SP5     | 1.14.4-150500.1.3    | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise sap 15 SP6     | 1.14.6-150600.1.2    | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise sap 15 SP7     | 1.16.0-150600.3.6.1  | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise server 15 SP1  | 1.2.3-150100.4.11.1  | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise server 15 SP2  | 1.10.8-150200.4.15.1 | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise server 15 SP3  | 1.10.8-150200.4.15.1 | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise server 15 SP4  | 1.12.8-150400.3.3.1  | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise server 15 SP5  | 1.14.4-150500.1.3    | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise server 15 SP6  | 1.14.6-150600.1.2    | fixed
typelib-1_0-Flatpak-1_0 | suse enterprise server 15 SP7  | 1.16.0-150600.3.6.1  | fixed
Red Hat Enterprise Linux Releases
Red Hat Product        | Release | Version        | Status
flatpak                | RHEL 8  | 0:1.10.8-1.el8 | fixed
flatpak                | RHEL 9  | 0:1.12.8-1.el9 | fixed
flatpak-devel          | RHEL 8  | 0:1.10.8-1.el8 | fixed
flatpak-devel          | RHEL 9  | 0:1.12.8-1.el9 | fixed
flatpak-libs           | RHEL 8  | 0:1.10.8-1.el8 | fixed
flatpak-libs           | RHEL 9  | 0:1.12.8-1.el9 | fixed
flatpak-selinux        | RHEL 8  | 0:1.10.8-1.el8 | fixed
flatpak-selinux        | RHEL 9  | 0:1.12.8-1.el9 | fixed
flatpak-session-helper | RHEL 8  | 0:1.10.8-1.el8 | fixed
flatpak-session-helper | RHEL 9  | 0:1.12.8-1.el9 | fixed