[Ftp-release] Announce: Flatpak 1.14.4 (security fix release)

Simon McVittie smcv at collabora.com
Thu Mar 16 18:58:35 UTC 2023

Available here: https://github.com/flatpak/flatpak/releases/tag/1.14.4

This is a maintenance release fixing security issues.

$ sha256sum -b flatpak-1.14.4.tar.xz
8a34dbd0b67c434e7598b98ec690953d046f0db26e480aeafb46d72aec716799 *flatpak-1.14.4.tar.xz

Security fixes:

* Escape special characters when displaying permissions and metadata,
  preventing malicious apps from manipulating the appearance of the
  permissions list using crafted metadata (CVE-2023-28101).

* If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.),
  don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note
  that this is specific to virtual consoles: Flatpak is not vulnerable
  to this if run from a graphical terminal emulator such as xterm,
  gnome-terminal or Konsole.

Other bug fixes:

* Translation update: pl

Simon McVittie, Collabora Ltd. / Debian
on behalf of the Flatpak maintainers
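
The escaping fix for CVE-2023-28101 described above, sketched as an added example that is not part of the original announcement and is not Flatpak's own code. It assumes a conservative policy (every byte outside printable ASCII is shown as \xNN); the helper name escape_for_terminal and the sample metadata value are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not a Flatpak API: return a newly allocated copy of
 * `s` that is safe to print on a terminal. Control bytes (ESC, CR, LF, ...),
 * DEL and all non-ASCII bytes become \xNN; a literal backslash is doubled so
 * the escaped form cannot be confused with genuine input. */
char *escape_for_terminal(const char *s)
{
    size_t n = strlen(s);
    char *out = malloc(n * 4 + 1);  /* worst case: every byte becomes \xNN */
    char *p = out;

    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '\\') {
            *p++ = '\\';
            *p++ = '\\';
        } else if (c >= 0x20 && c < 0x7f) {
            *p++ = (char)c;         /* printable ASCII passes through */
        } else {
            p += sprintf(p, "\\x%02X", (unsigned)c);
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: a metadata value carrying a terminal
     * "erase line" sequence followed by replacement text. */
    const char *untrusted = "filesystems=host\033[2K\rfilesystems=none";
    char *shown = escape_for_terminal(untrusted);

    if (shown == NULL)
        return 1;
    printf("%s\n", shown);          /* the sequence is visible, not executed */
    free(shown);
    return 0;
}
```

Printed this way, the control sequence appears as literal text in the permissions list instead of being interpreted by the terminal.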
