Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment. https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9 https://marc.info/?l=oss-security&m=167879021709955&w=2
Created flatpak tracking bugs for this issue: Affects: fedora-36 [bug 2179221] Affects: fedora-37 [bug 2179222]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6518 https://access.redhat.com/errata/RHSA-2023:6518
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7038 https://access.redhat.com/errata/RHSA-2023:7038