{"id":"MGASA-2023-0115","summary":"Updated flatpak packages fix security vulnerability","details":"If a malicious Flatpak app is run on a Linux virtual console such as\n/dev/tty1, it can copy text from the virtual console and paste it back\ninto the virtual console's input buffer, from which the command might\nbe run by the user's shell after the Flatpak app has exited. This is\nsimilar to CVE-2017-5226, but using the TIOCLINUX ioctl command instead\nof TIOCSTI. (CVE-2023-28100)\nFlatpak app with elevated permissions mayhide those permissions from\nusers of the 'flatpak(1)' command-line interface by setting other\npermissions to crafted values that contain non-printable control\ncharacters such as 'ESC'. (CVE-2023-28101)\n","modified":"2026-02-02T05:51:16.819753Z","published":"2023-03-24T05:55:49Z","related":["CVE-2023-28100","CVE-2023-28101"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2023-0115.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=31688"},{"type":"REPORT","url":"https://github.com/flatpak/flatpak/releases/tag/1.12.8"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2023/03/17/1"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2023/03/17/2"}],"affected":[{"package":{"name":"flatpak","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/flatpak?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.12.8-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0115.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}