Fedora 29 : flatpak (2018-009a65a873)

high Nessus Plugin ID 120200


Synopsis

The remote Fedora host is missing a security update.

Description

flatpak 1.0.5 release.

There was a sandbox bug in the previous version where parts of the runtime /etc were not mounted read-only. In case the runtime was installed as the user (not the default), this means that the app could modify files on the runtime. Nothing in the host uses the runtime files, so this is not a direct sandbox escape, but it is possible that an app can confuse a different app that has higher permissions and so gain privileges.

Detailed changes :

- Make the /etc -> /usr/etc bind-mounts read-only.

- Make various app-specific configuration files read-only.

- flatpak is more picky about remote names to avoid problems with storing weird names in the ostree config.

- A segfault in libflatpak handling of bundles was fixed.

- Updated translations.

- Fixed a regression in flatpak run that caused problems running user-installed apps when the system installation was broken.

In addition to upstream changes, this update also fixes a packaging issue and adds a missing dependency on p11-kit-server to fix accessing host TLS certificates.
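A check for the read-only bind-mounts described above, added here as an example and not code from the Fedora advisory, Tenable, or flatpak itself: it parses text in the /proc/self/mountinfo format and lists mount points under /etc or /usr/etc whose per-mount options lack the `ro` flag. The runtime path, device names and mount layout in the sample are constructed.

```python
"""Verify that the runtime /etc bind-mounts inside a flatpak sandbox are read-only.

Parses the /proc/self/mountinfo format and reports mount points under /etc or
/usr/etc whose per-mount options lack the 'ro' flag. Constructed samples model
a user-installed runtime before and after the fix described in the advisory.
"""
import re

# Mount points the fixed release is expected to bind-mount read-only.
EXPECTED_READONLY = ("/etc", "/usr/etc")

def parse_mountinfo(text):
    """Return (mount_point, per-mount option set) pairs from mountinfo text.

    Layout: id parent maj:min root mount_point options [opt...] - fstype source superopts
    Only the per-mount 'ro' flag matters: a read-write filesystem can still be
    bind-mounted read-only. Octal escapes such as \\040 (space) are decoded.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or "-" not in fields:
            continue  # blank or malformed line
        mount_point = re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), fields[4])
        entries.append((mount_point, set(fields[5].split(","))))
    return entries

def writable_config_mounts(text, expected=EXPECTED_READONLY):
    """List expected-read-only mount points (or their children) still writable."""
    writable = []
    for mount_point, options in parse_mountinfo(text):
        covered = any(mount_point == e or mount_point.startswith(e + "/") for e in expected)
        if covered and "ro" not in options:
            writable.append(mount_point)
    return sorted(writable)

# Constructed sample: user-installed runtime on a read-write ext4 home, with the
# runtime's /etc bind-mounted read-write into /etc and /usr/etc, as before the fix.
RUNTIME = "/var/home/user/.local/share/flatpak/runtime/org.example.Platform/x86_64/1.0/active/files"
SAMPLE_BEFORE_FIX = f"""\
200 199 0:60 / / rw,nosuid,nodev,relatime - tmpfs tmpfs rw
201 200 254:1 {RUNTIME} /usr ro,nosuid,nodev,relatime - ext4 /dev/mapper/root rw
202 201 254:1 {RUNTIME}/etc /usr/etc rw,nosuid,nodev,relatime - ext4 /dev/mapper/root rw
203 200 254:1 {RUNTIME}/etc /etc rw,nosuid,nodev,relatime - ext4 /dev/mapper/root rw
204 203 0:61 / /etc/resolv.conf ro,nosuid,nodev,relatime - tmpfs tmpfs rw
"""
# Same layout with both bind-mounts made read-only, as after the fix.
SAMPLE_AFTER_FIX = SAMPLE_BEFORE_FIX.replace(" /usr/etc rw,", " /usr/etc ro,").replace(" /etc rw,", " /etc ro,")
```

To check a live sandbox, run a shell inside the app with `flatpak run` and pass the contents of its /proc/self/mountinfo to `writable_config_mounts`; an empty list means every expected mount carries the `ro` flag.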

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected flatpak package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2018-009a65a873

Plugin Details

Severity: High

ID: 120200

File Name: fedora_2018-009a65a873.nasl

Version: 1.4

Type: local

Agent: unix

Published: 1/3/2019

Updated: 1/6/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:flatpak, cpe:/o:fedoraproject:fedora:29

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 11/14/2018

Vulnerability Publication Date: 11/14/2018
