[Ftp-release] Announce: Flatpak 1.12.8 (security fix release)

Simon McVittie smcv at collabora.com
Thu Mar 16 19:05:11 UTC 2023


Available here: https://github.com/flatpak/flatpak/releases/tag/1.12.8

This is a maintenance release fixing security issues. If possible,
upgrade to 1.14.x instead of using this branch.

$ sha256sum -b flatpak-1.12.8.tar.xz
e6db731e7a746372e8f8461e6225c0c9b26623c08a3a9914dbfd8e7c91944931 *flatpak-1.12.8.tar.xz

Security fixes backported from 1.14.4:

* Escape special characters when displaying permissions and metadata,
  preventing malicious apps from manipulating the appearance of the
  permissions list using crafted metadata (CVE-2023-28101).

* If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.),
  don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note
  that this is specific to virtual consoles: Flatpak is not vulnerable
  to this if run from a graphical terminal emulator such as xterm,
  gnome-terminal or Konsole.
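
One way to implement the display-escaping described in the CVE-2023-28101 item, as an added example in plain C that is not Flatpak's own code (the function names escape_for_display and escaped, and the sample metadata value, are constructed for illustration):

```c
#include <stdio.h>
#include <string.h>

/* Escape a metadata string so every byte reaches the terminal as printable
 * text: backslash and common C escapes get their C spelling, other ASCII
 * control bytes (ESC, 0x1b, included) become \xNN; non-ASCII UTF-8 bytes pass
 * through.  Returns bytes written, -1 if `out` is too small.  Added example. */
static int escape_for_display (const char *in, char *out, size_t outlen)
{
  size_t pos = 0;
  for (const unsigned char *p = (const unsigned char *) in; *p != '\0'; p++)
    {
      const char *rep = NULL;
      char hex[5];
      if (*p == '\\') rep = "\\\\";
      else if (*p == '\n') rep = "\\n";
      else if (*p == '\r') rep = "\\r";
      else if (*p == '\t') rep = "\\t";
      else if (*p < 0x20 || *p == 0x7f)
        {
          snprintf (hex, sizeof hex, "\\x%02x", (unsigned) *p);
          rep = hex;
        }
      size_t n = rep ? strlen (rep) : 1;
      if (pos + n >= outlen)
        return -1;                      /* keep room for the NUL */
      if (rep)
        memcpy (out + pos, rep, n);
      else
        out[pos] = (char) *p;
      pos += n;
    }
  out[pos] = '\0';
  return (int) pos;
}

/* Convenience wrapper returning a static buffer, or NULL on overflow. */
static const char *escaped (const char *in)
{
  static char buf[256];
  return escape_for_display (in, buf, sizeof buf) < 0 ? NULL : buf;
}

int main (void)
{
  /* Constructed value: a CR and an ESC byte that, printed raw, would let the
   * terminal overwrite what the permission line appears to say. */
  const char *value = "filesystem=host\r\x1b[2K(none)";
  printf ("%s\n", escaped (value));    /* filesystem=host\r\x1b[2K(none) */
  return 0;
}
```

Once escaped this way, a control byte can no longer move the cursor or clear the line; it shows up as a visible `\r` or `\x1b` in the permissions listing instead.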

Other bug fixes backported from 1.14.x:

* Update the SELinux module to explicitly permit the system helper to have
  read access to /etc/passwd and systemd-userdbd, read and lock access
  to /var/lib/flatpak, and watch files inside $libexecdir (#4852, #4855,
  #4892; Red Hat #2071217, #2071215, #2070741, #2053634, #2070350)
* If an app update is blocked by parental controls policies, clean up
  the temporary deploy directory (#5146)
* Fix Autotools build with versions of gpgme that no longer provide
  gpgme-config(1) (#5173)
* Remove some unreachable code (Coverity: CID 1514265)
* Add missing handling for some D-Bus errors

-- 
Simon McVittie, Collabora Ltd. / Debian
on behalf of the Flatpak maintainers
