USN-4721-1: Flatpak vulnerability
04 February 2021
Flatpak could be made to crash or run programs if it received specially crafted input.
- flatpak - Application deployment framework for desktop apps
Simon McVittie discovered that the flatpak-portal service allowed sandboxed
applications to execute arbitrary code on the host system (a sandbox
escape). A malicious user could create a Flatpak application that set
environment variables trusted by the Flatpak "run" command and use it
to execute arbitrary code outside the sandbox.
The problem can be corrected by updating your system to the following package versions:
In general, a standard system update will make all the necessary changes.