Amazon Linux 2 Security Advisory: ALAS-2021-1597
Advisory Release Date: 2021-02-17 00:55 Pacific
Advisory Updated Date: 2021-02-19 22:07 Pacific
A flaw was found in Flatpak. The Flatpak portal D-Bus service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is outside the sandbox. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-21261)
Affected Packages:
flatpak
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update flatpak to update your system.
aarch64:
flatpak-1.0.9-10.amzn2.aarch64
flatpak-builder-1.0.0-10.amzn2.aarch64
flatpak-devel-1.0.9-10.amzn2.aarch64
flatpak-libs-1.0.9-10.amzn2.aarch64
flatpak-debuginfo-1.0.9-10.amzn2.aarch64
i686:
flatpak-1.0.9-10.amzn2.i686
flatpak-builder-1.0.0-10.amzn2.i686
flatpak-devel-1.0.9-10.amzn2.i686
flatpak-libs-1.0.9-10.amzn2.i686
flatpak-debuginfo-1.0.9-10.amzn2.i686
src:
flatpak-1.0.9-10.amzn2.src
x86_64:
flatpak-1.0.9-10.amzn2.x86_64
flatpak-builder-1.0.0-10.amzn2.x86_64
flatpak-devel-1.0.9-10.amzn2.x86_64
flatpak-libs-1.0.9-10.amzn2.x86_64
flatpak-debuginfo-1.0.9-10.amzn2.x86_64