Comment 16 for bug 1911473

This bug was fixed in the package flatpak - 1.6.5-0ubuntu0.2

---------------
flatpak (1.6.5-0ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: tests: Add minimal version
      of "ok" helper.
    - debian/patches/CVE-2021-21261-2.patch: common: Add a backport of
      G_DBUS_METHOD_INVOCATION_HANDLED.
    - debian/patches/CVE-2021-21261-3.patch: run: Convert all environment
      variables into bwrap arguments.
    - debian/patches/CVE-2021-21261-4.patch: tests: Expand coverage for
      environment variable overrides.
    - debian/patches/CVE-2021-21261-5.patch: context: Add --env-fd option.
    - debian/patches/CVE-2021-21261-6.patch: portal: Convert --env in
      extra-args into --env-fd.
    - debian/patches/CVE-2021-21261-7.patch: tests: Exercise --env-fd.
    - debian/patches/CVE-2021-21261-8.patch: portal: Do not use
      caller-supplied variables in environment.
    - debian/patches/CVE-2021-21261-9.patch: tests: Assert that --env= does
      not go in `flatpak run` or bwrap environ.
    - CVE-2021-21261

 -- Andrew Hayzen <email address hidden> Wed, 13 Jan 2021 21:09:15 +0000