{"id":"MGASA-2022-0131","summary":"Updated flatpak packages fix security vulnerability","details":"Flatpak doesn't properly validate that the permissions displayed to the\nuser for an app at install time match the actual permissions granted to\nthe app at runtime, in the case that there's a null byte in the metadata\nfile of an app. (CVE-2021-43860)\nPath traversal vulnerability (CVE-2022-21682)\nVarious other fixes and enhancements included in update to version 1.12.7.\n","modified":"2026-04-16T00:11:01.837459940Z","published":"2022-04-09T21:20:39Z","upstream":["CVE-2021-43860","CVE-2022-21682"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0131.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29885"},{"type":"ADVISORY","url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j"},{"type":"ADVISORY","url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/"},{"type":"WEB","url":"https://github.com/flatpak/flatpak/releases/tag/1.10.7"},{"type":"WEB","url":"https://github.com/flatpak/flatpak/releases/tag/1.12.4"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G4SGDDYLN2BFKCHIDCXL2QTDVHPMZZM4/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UELF5NVMHRQ45DEBIRQGIVCV4PADFC37/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F46WFOXXRE63UMMTLQB2FOJT4KLI5AR7/"},{"type":"WEB","url":"https://github.com/flatpak/flatpak/releases/tag/1.12.5"},{"type":"WEB","url":"https://github.com/flatpak/flatpak/releases/tag/1.12.6"},{"type":"WEB","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T4OG73MX3JPZBHYMUXUULPTVL7ZOOTZ5/"},{"type":"WEB","url":"https://github.com/flatpak/flatpak/releases/tag/1.12.7"}],"affected":[{"package":{"name":"flatpak","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/flatpak?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.12.7-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0131.json"}},{"package":{"name":"discover","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/discover?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.20.4-3.3.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0131.json"}},{"package":{"name":"gnome-software","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/gnome-software?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.38.0-2.1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0131.json"}},{"package":{"name":"xdg-desktop-portal-kde","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/xdg-desktop-portal-kde?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.20.4-2.1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0131.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}