{"id":"MGASA-2021-0143","summary":"Updated flatpak packages fix security vulnerabilities","details":"Sandbox escape where a malicious application can execute code outside the\nsandbox by controlling the environment of the \"flatpak run\" command when\nspawning a sub-sandbox (CVE-2021-21261).\n\nA potential attack where a flatpak application could use custom formatted\n.desktop files to gain access to files on the host system (CVE-2021-21381).\n\nThe update also removes the unnecessary flatpak-tests subpackage.\n","modified":"2026-02-04T04:22:53.004971Z","published":"2021-03-18T09:56:09Z","related":["CVE-2021-21261","CVE-2021-21381"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0143.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27126"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=25978"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=28575"},{"type":"REPORT","url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2"},{"type":"REPORT","url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp"},{"type":"REPORT","url":"https://github.com/flatpak/flatpak/issues/4146"},{"type":"REPORT","url":"https://github.com/flatpak/flatpak/releases"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2K2Q5P4IIUN2SFJKQKB4UJQ37CE2E55K/"}],"affected":[{"package":{"name":"libglib-testing","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/libglib-testing?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.1.0-2.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0143.json"}},{"package":{"name":"appstream-glib","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/appstream-glib?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.7.15-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0143.json"}},{"package":{"name":"malcontent","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/malcontent?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.9.0-2.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0143.json"}},{"package":{"name":"bubblewrap","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/bubblewrap?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.4.1-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0143.json"}},{"package":{"name":"ostree","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/ostree?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2020.8-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0143.json"}},{"package":{"name":"flatpak","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/flatpak?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.10.2-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0143.json"}},{"package":{"name":"gnome-software","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/gnome-software?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.32.2-2.1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0143.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}