This bug was fixed in the package flatpak - 1.14.6-1ubuntu0.1
---------------
flatpak (1.14.6-1ubuntu0.1) noble-security; urgency=medium
* SECURITY UPDATE: Access outside sandbox
- debian/patches/CVE-2024-42472-1.patch: don't follow symlinks when
mounting persisted directories in common/flatpak-context.c.
- debian/patches/CVE-2024-42472-2.patch: add test coverage for --persist
in test/test-run.sh.
- debian/patches/CVE-2024-42472-3.patch: add --bind-fd and --ro-bind-fd to
subprojects/bubblerap.c.
- debian/control: makes flatpak depend on bubblerap with --bind-fd feature
backported to avoid race condition (LP: #2077087)
- CVE-2024-42472
-- Leonidas Da Silva Barbosa <leo.barb...@canonical.com> Mon, 23 Sep
2024 15:35:49 -0300
** Changed in: flatpak (Ubuntu)
Status: New => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-42472
** Changed in: flatpak (Ubuntu)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to flatpak in Ubuntu.
https://bugs.launchpad.net/bugs/2077087
Title:
CVE-2024-42472: Access to files outside sandbox for apps using
persistent= (--persist)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2077087/+subscriptions
--
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
