Two bugs fixed in Flatpak with the new corrective updates

Vulnerability

If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or otherwise cause problems.

Corrective updates of the Flatpak toolkit were recently released for versions 1.14.4, 1.12.8, 1.10.8 and 1.15.4; they are already available and fix two vulnerabilities.

For those unfamiliar with Flatpak, it lets application developers simplify the distribution of programs that are not included in the regular distribution repositories by preparing a single universal container instead of separate builds for each distribution.

For security-conscious users, Flatpak allows a questionable application to run in a container that gives it access only to network functions and to the user files associated with the application. For users interested in what's new, Flatpak lets them install the latest test and stable versions of applications without having to make changes to the system.

The key difference between Flatpak and Snap is that Snap uses the main system environment components and isolation based on system call filtering, while Flatpak creates a separate system container and operates with large runtime bundles, which provide typical sets of packages as dependencies instead of individual packages.

About the bugs detected in Flatpak

These security updates fix two detected bugs. One of them, CVE-2023-28101, was discovered by Ryan Gonzalez, who found that malicious maintainers of a Flatpak application could manipulate or hide the permission display by requesting permissions that include ANSI terminal control codes or other non-printable characters.

This was fixed in Flatpak 1.14.4, 1.15.4, 1.12.8 and 1.10.8 by displaying non-printable characters in escaped form (\xXX, \uXXXX, \UXXXXXXXX) so they cannot alter terminal behavior, and also by treating non-printable characters in certain contexts as invalid (not allowed).

When installing or updating a Flatpak app using the flatpak CLI, the user is typically shown the special permissions the new app has in its metadata, so they can make a somewhat informed decision about whether to allow its installation.

When retrieving an application's permissions to display them to the user, a graphical interface remains responsible for filtering or escaping any characters that have special meaning to its GUI libraries.
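The escaping described above, written out as an added example (this is illustrative code, not Flatpak's own implementation): every non-printable character in a permission string is rendered as a C-style \xXX, \uXXXX or \UXXXXXXXX escape before it reaches the terminal, and a stricter check treats any permission containing such characters as invalid. The permission strings in the sample are constructed for the example; the function names are assumptions.

```python
# Added example (not Flatpak's code): neutralising terminal control
# characters in permission strings before displaying them on a TTY.

def escape_nonprintable(text: str) -> str:
    """Return `text` with every non-printable character replaced by a
    C-style escape (\\xXX, \\uXXXX or \\UXXXXXXXX, chosen by code point
    width) so it cannot change cursor position, erase lines or recolour
    output when written to a terminal. Printable text is left as-is;
    a literal backslash is not doubled here (an assumption of this
    example, kept simple to match the three escape forms)."""
    out = []
    for ch in text:
        if ch.isprintable():          # Python's definition: excludes Cc/Cf/Zl/Zp etc.
            out.append(ch)
            continue
        cp = ord(ch)
        if cp <= 0xFF:
            out.append(f"\\x{cp:02X}")
        elif cp <= 0xFFFF:
            out.append(f"\\u{cp:04X}")
        else:
            out.append(f"\\U{cp:08X}")
    return "".join(out)


def is_valid_permission(perm: str) -> bool:
    """Stricter rule for contexts where the value must be plain text:
    any non-printable character makes the whole permission invalid."""
    return perm.isprintable()


def render_permissions(perms):
    """Build the lines a CLI would print for a permission list.
    Returns (lines, rejected): `lines` are safe to write to a TTY,
    `rejected` lists the original strings that failed validation."""
    lines, rejected = [], []
    for perm in perms:
        if is_valid_permission(perm):
            lines.append(perm)
        else:
            rejected.append(perm)
            lines.append(escape_nonprintable(perm) + "  [invalid: non-printable characters]")
    return lines, rejected


# Constructed sample: a benign entry, an entry ending in ESC[2K (the
# ANSI "erase line" sequence, which written raw would wipe the text
# just printed), and an entry carrying a zero-width space.
SAMPLE_PERMISSIONS = [
    "--share=network",
    "--filesystem=home\x1b[2K",
    "--device=dri\u200b",
]

if __name__ == "__main__":
    shown, bad = render_permissions(SAMPLE_PERMISSIONS)
    for line in shown:
        print(line)
    print(f"{len(bad)} permission(s) rejected")
```

Running it prints the three entries with the escape and the zero-width space visible as `\x1B[2K` and `\u200B`, and reports two rejected permissions. Note that `str.isprintable()` is Python's notion of printable, which is close to but not identical to what a C implementation using the locale's `iswprint` would decide.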

As for the description of the vulnerabilities, the following is shared:

  • CVE-2023-28100: ability to copy and paste text into the virtual console input buffer via TIOCLINUX ioctl manipulation when installing an attacker-crafted Flatpak package. For example, the vulnerability could be used to stage the launch of arbitrary console commands once the installation of a third-party package completes. The problem appears only in the classic virtual console (/dev/tty1, /dev/tty2, etc.) and does not affect sessions in xterm, gnome-terminal, Konsole and other graphical terminals. The vulnerability is not specific to Flatpak and can be used to attack other applications; for example, similar vulnerabilities allowing character substitution via the TIOCSTI ioctl interface were previously found in the /bin/ sandbox and snap.
  • CVE-2023-28101: ability to use escape sequences in the permissions list in the package metadata to hide information about the requested extended permissions that is displayed in the terminal during package installation or upgrade via the command line interface. An attacker could use this vulnerability to mislead users about the permissions the package uses. It is mentioned that the GUIs built on libflatpak, such as GNOME Software and KDE Plasma Discover, are not directly affected by this.

Finally, it is mentioned that as a workaround you can use a GUI such as the GNOME Software Center instead of the command line interface, and it is also recommended to only install applications whose maintainers you trust.

If you are interested in knowing more about it, you can consult the details in the following link.

