[Ftp-release] Announce: Flatpak 1.10.8 (security fix release)
Simon McVittie
smcv at collabora.com
Thu Mar 16 19:07:16 UTC 2023
Available here: https://github.com/flatpak/flatpak/releases/tag/1.10.8
This is a maintenance release fixing security issues. If possible,
upgrade to 1.14.x instead of using this branch.
$ sha256sum -b flatpak-1.10.8.tar.xz
65569dbf31344581a1e7782d09e702bb41e7011ae21cd021c414a2925f84b82c *flatpak-1.10.8.tar.xz
Security fixes backported from 1.14.4:
* Escape special characters when displaying permissions and metadata,
preventing malicious apps from manipulating the appearance of the
permissions list using crafted metadata (CVE-2023-28101).
* If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.),
don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note
that this is specific to virtual consoles: Flatpak is not vulnerable
to this if run from a graphical terminal emulator such as xterm,
gnome-terminal or Konsole.
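To illustrate the first fix above (CVE-2023-28101), here is an added example; it is not Flatpak's own code, and the key-file sample, the `escape_for_display` and `permission_lines` helpers are constructed for this illustration. Terminals act on control characters and ANSI escape sequences, so a permission value that embeds "erase line, cursor to column 1" followed by a benign-looking replacement would rewrite what the user sees in a permissions listing. Rendering every non-printable character as a visible backslash escape before printing removes that ability; the `escape=False` path shows the unsafe rendering for comparison.

```python
"""Escape untrusted app metadata before displaying it on a terminal.

Added example, not Flatpak's code. Demonstrates why CVE-2023-28101 was
fixed by escaping special characters in permission and metadata output.
"""

import configparser

# Constructed sample in Flatpak's key-file style. The "shared" value carries
# an ANSI "erase line" (ESC[2K) and "cursor to column 1" (ESC[1G) sequence
# followed by text designed to overwrite the real value on screen.
CRAFTED_METADATA = (
    "[Context]\n"
    "shared=network;ipc;\x1b[2K\x1b[1Gshared=none\n"
    "sockets=x11;wayland;\n"
    "filesystems=home;\n"
)


def escape_for_display(text: str) -> str:
    """Return text with backslashes and non-printable characters escaped.

    Backslash itself is doubled so the output is unambiguous; common C0
    controls get their short form; everything else that is not printable
    (ESC, C1 controls such as U+009B CSI, bidi overrides like U+202E) is
    rendered as \\xNN or \\uNNNN so the terminal never interprets it.
    """
    short = {"\\": "\\\\", "\n": "\\n", "\t": "\\t", "\r": "\\r"}
    out = []
    for ch in text:
        if ch in short:
            out.append(short[ch])
        elif ch.isprintable():
            out.append(ch)
        else:
            cp = ord(ch)
            out.append(f"\\x{cp:02x}" if cp < 0x100 else f"\\u{cp:04x}")
    return "".join(out)


def permission_lines(metadata: str, escape: bool = True) -> list:
    """Parse the [Context] group and return one display line per key.

    With escape=True (the safe default) values are passed through
    escape_for_display; escape=False reproduces the pre-fix behaviour.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(metadata)
    lines = []
    for key, value in parser.items("Context"):
        shown = escape_for_display(value) if escape else value
        lines.append(f"{key}: {shown}")
    return lines


if __name__ == "__main__":
    # Safe rendering: the escape sequence is visible instead of executed.
    for line in permission_lines(CRAFTED_METADATA):
        print(line)
```

Running the script prints the crafted `shared` value with its escape bytes spelled out as `\x1b[2K\x1b[1G`, so a reviewer sees exactly what the manifest contains rather than a forged "shared: none" line.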
Other bug fixes backported from 1.12.x and 1.14.x:
* If an app update is blocked by parental controls policies, clean up
the temporary deploy directory (#5146)
* Fix Autotools build with versions of gpgme that no longer provide
gpgme-config(1) (#5173)
* Fix regressions in flatpak history since 1.9.1
* Don't display the appstream branch used internally
* Don't display temporary repositories used internally
* Ignore transaction log entries with empty REF field
* Warn instead of failing if other non-app, non-runtime refs are found
* Don't set up an unnecessary polkit agent for flatpak history
* Add test coverage
* Fix a typo in an error message
* Fix incorrect year in NEWS for 1.10.7 release
* Translation update: pl
* Add test coverage for Flatpak's seccomp filters
--
Simon McVittie, Collabora Ltd. / Debian
on behalf of the Flatpak maintainers