PT-2023-9222 · Flatpak+7

Jakub Wilk · Published 2023-03-16 · Updated 2024-06-27 · CVE-2023-28100

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Flatpak versions prior to 1.10.8
Flatpak versions prior to 1.12.8
Flatpak versions prior to 1.14.4
Flatpak versions prior to 1.15.4

Description

The issue lies in the ioctl handling of Flatpak, a tool for managing applications and runtime environments. Text can be copied from a Linux virtual console and pasted into the console's input (command) buffer, so that the resulting command may be executed after the Flatpak app has exited. This can lead to a denial of service. The vulnerability is specific to Linux virtual consoles (/dev/tty1, /dev/tty2, and so on); graphical terminal emulators such as xterm, gnome-terminal, and Konsole are not affected.

Recommendations

For versions prior to 1.10.8, update to version 1.10.8 or later.
For versions prior to 1.12.8, update to version 1.12.8 or later.
For versions prior to 1.14.4, update to version 1.14.4 or later.
For versions prior to 1.15.4, update to version 1.15.4 or later.

As a temporary workaround, do not run Flatpak on a Linux virtual console; use it in a Wayland or X11 graphical environment instead.
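To turn the per-branch fixed versions above into an actionable check, the following POSIX shell script is an added example (it is not part of this advisory nor of the Flatpak project). It treats the four fixed releases as per-branch thresholds, classifies the output of `flatpak --version` as fixed, vulnerable or unknown, and the function names `version_ge` and `cve_2023_28100_status` are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Flatpak itself: classify an
# installed Flatpak version against the fixed releases for CVE-2023-28100.
# Usage: cve_2023_28100_status "$(flatpak --version)"  -> prints fixed|vulnerable|unknown

# Fixed versions per stable branch, as listed in the advisory's recommendations.
FIXED_VERSIONS="1.10.8 1.12.8 1.14.4 1.15.4"

# version_ge A B: succeed (exit 0) when dotted version A is >= B.
# Compares up to three numeric components; missing components count as 0.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i")
        y=$(printf '%s\n' "$2" | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# cve_2023_28100_status VERSION: VERSION is either the raw "flatpak --version"
# output ("Flatpak 1.12.7") or a bare version string ("1.12.7"); a packaging
# suffix such as "-1" is stripped before comparison.
cve_2023_28100_status() {
    ver=$(printf '%s\n' "$1" | sed -e 's/^[Ff]latpak[[:space:]]*//' -e 's/[^0-9.].*$//')
    branch=$(printf '%s\n' "$ver" | cut -d. -f1,2)

    # Exact branch match: compare against that branch's fixed release.
    for fixed in $FIXED_VERSIONS; do
        if [ "$(printf '%s\n' "$fixed" | cut -d. -f1,2)" = "$branch" ]; then
            if version_ge "$ver" "$fixed"; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done

    # Branch not listed in the advisory: newer than the newest fixed release is
    # fixed, older than the oldest fixed release is vulnerable, anything in
    # between (for example a development branch) is not covered by the advisory.
    if version_ge "$ver" 1.15.4; then
        echo fixed
    elif ! version_ge "$ver" 1.10.8; then
        echo vulnerable
    else
        echo unknown
    fi
}

# Stand-alone use: report on the locally installed Flatpak, if present.
if [ "${1:-}" = "--check" ] && command -v flatpak >/dev/null 2>&1; then
    cve_2023_28100_status "$(flatpak --version)"
fi
```

Run it as `sh check-flatpak.sh --check` on a host, or source it and call `cve_2023_28100_status` with version strings collected from an inventory. An `unknown` result means the version is on a branch the advisory does not name, so the package's own changelog has to be consulted rather than assuming either way.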

Tags: Exploit · Fix · RCE


Related Identifiers

ALSA-2023:6518
ALSA-2023:7038
ALT-PU-2023-1477
ALT-PU-2023-1512
BDU:2024-04881
CESA-2023_7038
CVE-2023-28100
GHSA-7QPW-3VJV-XRQP
MGASA-2023-0115
OESA-2024-1423
OESA-2024-1424
OESA-2024-1425
OESA-2024-1426
OPENSUSE-SU-2024:12800-1
RHSA-2023:6518
RHSA-2023:7038
RHSA-2023_6518
RHSA-2023_7038
RLSA-2023:6518
SUSE-SU-2023:1712-1
SUSE-SU-2023:1713-1
SUSE-SU-2023:1714-1
SUSE-SU-2023:1715-1
SUSE-SU-2023_1712-1
SUSE-SU-2023_1713-1
SUSE-SU-2023_1714-1
SUSE-SU-2023_1715-1

Affected Products

ALT Linux
AlmaLinux
CentOS
Flatpak
Red Hat
RED OS
Rocky Linux
SUSE