ALAS2-2021-1597


Amazon Linux 2 Security Advisory: ALAS-2021-1597
Advisory Release Date: 2021-02-17 00:55 Pacific
Advisory Updated Date: 2021-02-19 22:07 Pacific
Severity: Important
References: CVE-2021-21261 

Issue Overview:

A flaw was found in Flatpak. The Flatpak portal D-Bus service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is outside the sandbox. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-21261 )


Affected Packages:

flatpak


Issue Correction:
Run yum update flatpak to update your system.

New Packages:
aarch64:
    flatpak-1.0.9-10.amzn2.aarch64
    flatpak-builder-1.0.0-10.amzn2.aarch64
    flatpak-devel-1.0.9-10.amzn2.aarch64
    flatpak-libs-1.0.9-10.amzn2.aarch64
    flatpak-debuginfo-1.0.9-10.amzn2.aarch64

i686:
    flatpak-1.0.9-10.amzn2.i686
    flatpak-builder-1.0.0-10.amzn2.i686
    flatpak-devel-1.0.9-10.amzn2.i686
    flatpak-libs-1.0.9-10.amzn2.i686
    flatpak-debuginfo-1.0.9-10.amzn2.i686

src:
    flatpak-1.0.9-10.amzn2.src

x86_64:
    flatpak-1.0.9-10.amzn2.x86_64
    flatpak-builder-1.0.0-10.amzn2.x86_64
    flatpak-devel-1.0.9-10.amzn2.x86_64
    flatpak-libs-1.0.9-10.amzn2.x86_64
    flatpak-debuginfo-1.0.9-10.amzn2.x86_64