USN-4721-1: Flatpak vulnerability

04 February 2021

Flatpak could be made to crash or run programs if it received specially crafted input.

Releases

Packages

  • flatpak - Application deployment framework for desktop apps

Details

Simon McVittie discovered that the flatpak-portal service allowed sandboxed
applications to execute arbitrary code on the host system (a sandbox
escape). A malicious user could create a Flatpak application that set
environment variables trusted by the Flatpak "run" command, and use them
to execute arbitrary code outside the sandbox.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.10
Ubuntu 20.04
Ubuntu 18.04

In general, a standard system update will make all the necessary changes.

References