Announce: Flatpak 1.0.5
Alexander Larsson
alexl at redhat.com
Mon Nov 12 15:02:07 UTC 2018
Available here:
https://github.com/flatpak/flatpak/releases/tag/1.0.5
$ sha256sum flatpak-1.0.5.tar.xz
8087b9e390101fd853c30e04c64a14a738d745b604c5600b03ffaf212e4548f2  flatpak-1.0.5.tar.xz
Changes in 1.0.5
================
There was a sandbox bug in the previous version where parts of the runtime
/etc were not mounted read-only. In case the runtime was installed as the
user (not the default), this means that the app could modify files on the
runtime. Nothing in the host uses the runtime files, so this is not a direct
sandbox escape, but it is possible that an app can confuse a different app
that has higher permissions and so gain privileges.
So, it is recommended that everyone shipping flatpak update to
1.0.5, or at least backport the change in commit
6711d7ae99c50a9dca8e4e2e9e9989a8fa6c3f06.
Detailed changes:
* Make the /etc -> /usr/etc bind-mounts read-only.
* Make various app-specific configuration files read-only.
* flatpak is more picky about remote names to avoid problems with storing weird
names in the ostree config.
* A segfault in libflatpak handling of bundles was fixed.
* Updated translations
* Fixed a regression in flatpak run that caused problems running user-installed
apps when the system installation was broken.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Alexander Larsson Red Hat, Inc
alexl at redhat.com alexander.larsson at gmail.com
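Editor's note: the following check is an added example and is not part of the announcement above or of the Flatpak project's own code. It verifies, from inside a running sandbox, whether any mount under /etc lacks the per-mount `ro` option, which is the condition the 1.0.5 fix addresses. It reads the kernel's /proc/self/mountinfo format (field 5 is the mount point, field 6 the per-mount options, per proc(5)); the sample mountinfo lines embedded below are constructed for illustration and do not come from a real system.

```shell
#!/bin/sh
# Added example, not Flatpak project code. Lists mount points under /etc whose
# per-mount options in a mountinfo listing do not include "ro".
#
# mountinfo field layout (proc(5)):
#   1 mount id, 2 parent id, 3 major:minor, 4 root, 5 mount point,
#   6 per-mount options, [optional fields...] "-" fs type, source, super opts
# Fields 5 and 6 are fixed positions, so awk can address them directly.
# Note: mount points with spaces appear octal-escaped (e.g. \040) in mountinfo.

writable_etc_mounts() {
    # $1: mountinfo file to inspect; "-" (the default) reads stdin.
    awk '
        $5 == "/etc" || index($5, "/etc/") == 1 {
            ro = 0
            n = split($6, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            if (!ro) print $5
        }' "${1:--}"
}

# Constructed sample resembling what an affected sandbox could show: one /etc
# entry bound read-only, one left writable, plus a decoy path that merely
# starts with the letters "/etc". Device numbers and sources are made up.
SAMPLE_MOUNTINFO=$(cat <<'EOF'
100 99 0:42 / / rw,nosuid,nodev - tmpfs tmpfs rw
101 100 0:45 /etc/ld.so.cache /etc/ld.so.cache ro,nosuid,nodev - ext4 /dev/sda1 rw
102 100 0:45 /etc/fonts /etc/fonts rw,nosuid,nodev - ext4 /dev/sda1 rw
103 100 0:45 /etcetera /etcetera rw - ext4 /dev/sda1 rw
EOF
)

# Run the check over the constructed sample. Any output line is a path under
# /etc that an app inside the sandbox could write to.
check_sample() {
    printf '%s\n' "$SAMPLE_MOUNTINFO" | writable_etc_mounts
}

# Run the check against the live sandbox this shell is running in.
check_live() {
    writable_etc_mounts /proc/self/mountinfo
}

check_sample
```

To run it against a real installation, start a shell inside the app's sandbox (for example `flatpak run --command=sh <app-id>`), source the functions above and call `check_live`; an empty result means every /etc mount visible to the app is read-only.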