An update for flatpak-builder is now available for openEuler-22.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-1788 Final 1.0 1.0 2022-07-30 Initial 2022-07-30 2022-07-30 openEuler SA Tool V1.0 2022-07-30 flatpak-builder security update An update for flatpak-builder is now available for openEuler-22.03-LTS. Flatpak-builder is a tool for building flatpaks from sources. Security Fix(es): Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.(CVE-2022-21682) An update for flatpak-builder is now available for openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium flatpak-builder https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1788 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-21682 https://nvd.nist.gov/vuln/detail/CVE-2022-21682 openEuler-22.03-LTS flatpak-builder-debugsource-1.0.14-2.oe2203.aarch64.rpm flatpak-builder-debuginfo-1.0.14-2.oe2203.aarch64.rpm flatpak-builder-1.0.14-2.oe2203.aarch64.rpm flatpak-builder-1.0.14-2.oe2203.src.rpm flatpak-builder-debuginfo-1.0.14-2.oe2203.x86_64.rpm flatpak-builder-1.0.14-2.oe2203.x86_64.rpm flatpak-builder-debugsource-1.0.14-2.oe2203.x86_64.rpm Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`. 2022-07-30 CVE-2022-21682 openEuler-22.03-LTS Medium 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N flatpak-builder security update 2022-07-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1788