CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
Bug #2062406 reported by Simon McVittie
This bug affects 7 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
flatpak (Ubuntu) | Fix Released | High | Jeremy Bícha |
Bionic | Confirmed | Undecided | Unassigned |
Focal | Confirmed | Undecided | Unassigned |
Jammy | Confirmed | Undecided | Unassigned |
Mantic | Won't Fix | Undecided | Unassigned |
Bug Description
Upstream advisory: https:/
If possible please sync 1.14.6-1 from Debian instead of backporting fixes. That version only fixes the security issue and one other high-visibility bug (app developer names showing in the CLI as though they were the app's name).
CVE References
information type: Private Security → Public Security
Changed in flatpak (Ubuntu):
status: New → In Progress
assignee: nobody → Jeremy Bícha (jbicha)
importance: Undecided → High
tags: added: noble upgrade-software-version
description: updated
Changed in flatpak (Ubuntu):
status: In Progress → Fix Committed
Changed in flatpak (Ubuntu Mantic):
status: Confirmed → Won't Fix
Changed in flatpak (Ubuntu Bionic):
status: New → Triaged
Changed in flatpak (Ubuntu Focal):
status: New → Triaged
Changed in flatpak (Ubuntu Jammy):
status: Confirmed → Triaged
status: Triaged → Confirmed
Changed in flatpak (Ubuntu Focal):
status: Triaged → Confirmed
Changed in flatpak (Ubuntu Bionic):
status: Triaged → Confirmed
I'm manually closing the bug now since it was accepted into noble-proposed without a LP bug number. I'll watch to make sure it migrates to noble release.
https://launchpad.net/ubuntu/+source/flatpak/1.14.6-1