OESA-2021-1043
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1043
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2021-1043.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/OESA-2021-1043
- Upstream
- Published
- 2021-03-05T11:02:37Z
- Modified
- 2025-08-12T05:07:09.916770Z
- Summary
- flatpak security update
- Details
-
flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.
Security Fix(es):
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the
flatpak-portalservice that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.9.4. The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus service nameorg.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to theflatpak runcommand that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by theflatpak runcommand, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing theflatpak-portalservice from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.9.4.(CVE-2021-21261) - Database specific
{ "severity": "High" }- References
Affected packages
openEuler:20.03-LTS / flatpak
Package
- Name
- flatpak
- Purl
- pkg:rpm/openEuler/flatpak&distro=openEuler-20.03-LTS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.0.3-3.oe1
Ecosystem specific
{
"src": [
"flatpak-1.0.3-3.oe1.src.rpm",
"flatpak-1.0.3-3.oe1.src.rpm"
],
"noarch": [
"flatpak-help-1.0.3-3.oe1.noarch.rpm",
"flatpak-help-1.0.3-3.oe1.noarch.rpm"
],
"x86_64": [
"flatpak-devel-1.0.3-3.oe1.x86_64.rpm",
"flatpak-debugsource-1.0.3-3.oe1.x86_64.rpm",
"flatpak-debuginfo-1.0.3-3.oe1.x86_64.rpm",
"flatpak-1.0.3-3.oe1.x86_64.rpm",
"flatpak-devel-1.0.3-3.oe1.x86_64.rpm",
"flatpak-debugsource-1.0.3-3.oe1.x86_64.rpm",
"flatpak-debuginfo-1.0.3-3.oe1.x86_64.rpm",
"flatpak-1.0.3-3.oe1.x86_64.rpm"
],
"aarch64": [
"flatpak-debugsource-1.0.3-3.oe1.aarch64.rpm",
"flatpak-debuginfo-1.0.3-3.oe1.aarch64.rpm",
"flatpak-devel-1.0.3-3.oe1.aarch64.rpm",
"flatpak-1.0.3-3.oe1.aarch64.rpm",
"flatpak-debugsource-1.0.3-3.oe1.aarch64.rpm",
"flatpak-debuginfo-1.0.3-3.oe1.aarch64.rpm",
"flatpak-devel-1.0.3-3.oe1.aarch64.rpm",
"flatpak-1.0.3-3.oe1.aarch64.rpm"
]
}
openEuler:20.03-LTS-SP1 / flatpak
Package
- Name
- flatpak
- Purl
- pkg:rpm/openEuler/flatpak&distro=openEuler-20.03-LTS-SP1
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.0.3-3.oe1
Ecosystem specific
{
"src": [
"flatpak-1.0.3-3.oe1.src.rpm"
],
"noarch": [
"flatpak-help-1.0.3-3.oe1.noarch.rpm"
],
"x86_64": [
"flatpak-devel-1.0.3-3.oe1.x86_64.rpm",
"flatpak-debugsource-1.0.3-3.oe1.x86_64.rpm",
"flatpak-debuginfo-1.0.3-3.oe1.x86_64.rpm",
"flatpak-1.0.3-3.oe1.x86_64.rpm"
],
"aarch64": [
"flatpak-debugsource-1.0.3-3.oe1.aarch64.rpm",
"flatpak-debuginfo-1.0.3-3.oe1.aarch64.rpm",
"flatpak-devel-1.0.3-3.oe1.aarch64.rpm",
"flatpak-1.0.3-3.oe1.aarch64.rpm"
]
}