[Bug 1918482] Re: Update for CVE-2021-21381

2021-05-11 Thread Launchpad Bug Tracker
This bug was fixed in the package flatpak - 1.0.9-0ubuntu0.3
---
flatpak (1.0.9-0ubuntu0.3) bionic-security; urgency=medium
  * SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file (LP: #1918482)
    - debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage

[Bug 1918482] Re: Update for CVE-2021-21381

2021-05-11 Thread Launchpad Bug Tracker
This bug was fixed in the package flatpak - 1.6.5-0ubuntu0.3
---
flatpak (1.6.5-0ubuntu0.3) focal-security; urgency=medium
  * SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file (LP: #1918482)
    - debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage in

[Bug 1918482] Re: Update for CVE-2021-21381

2021-05-11 Thread Launchpad Bug Tracker
This bug was fixed in the package flatpak - 1.8.2-1ubuntu0.2
---
flatpak (1.8.2-1ubuntu0.2) groovy-security; urgency=medium
  * SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file (LP: #1918482)
    - debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage

[Bug 1918482] Re: Update for CVE-2021-21381

2021-05-06 Thread Andrew Hayzen
I've also done some exploratory testing of .desktop icon related tests from the test plan on a Bionic VM and things are working normally.
$ apt policy flatpak
flatpak:
  Installed: 1.0.9-0ubuntu0.3
  Candidate: 1.0.9-0ubuntu0.3
  Version table:
 *** 1.0.9-0ubuntu0.3 500
        500

[Bug 1918482] Re: Update for CVE-2021-21381

2021-04-26 Thread Andrew Hayzen
@Steve Beattie, was there any progress on this or anything I can do to help? Or is it just stuck in a queue of items to be reviewed? :-)
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1918482
Title:

[Bug 1918482] Re: Update for CVE-2021-21381

2021-04-08 Thread Andrew Hayzen
Thanks for reviewing these updates! I've done some exploratory testing of .desktop icon related tests from the test plan on a Focal VM and things are working normally.
$ apt policy flatpak
flatpak:
  Installed: 1.6.5-0ubuntu0.3
  Candidate: 1.6.5-0ubuntu0.3
  Version table:
 *** 1.6.5-0ubuntu0.3

[Bug 1918482] Re: Update for CVE-2021-21381

2021-04-07 Thread Steve Beattie
** Summary changed:
- Update for GHSA-xgh4-387p-hqpp
+ Update for CVE-2021-21381