Release 1.8.7

@alexlarsson alexlarsson released this 03 Feb 11:57
1.8.7

This is an "old-stable" update for users of the Flatpak 1.8.x branch, such as Red Hat Enterprise Linux 8. In environments that do not need to stay on a specific branch, updating to the newest stable version instead of using this version is recommended. At the time of writing, the newest stable version is 1.12.4.

This is a security update that fixes two issues that were found in flatpak:

GHSA-qpjc-vq3c-572j
(also known as CVE-2021-43860)

This issue is about the possibility for a malicious repository to send
invalid application metadata in a way that hides some of the app
permissions displayed during installation.

GHSA-8ch7-5j3h-g4fx
(also known as CVE-2022-21682)

This issue is a problem with how flatpak-builder uses flatpak, which
can allow flatpak-builder --mirror-screenshots-url commands to create
directories outside of the build directory.

The fix for this is the addition of a new option,
--nofilesystem=host:reset, which behaves like --nofilesystem=host and
additionally prevents filesystem permissions from being inherited from
the app manifest.
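To make the difference between the two options concrete, the following added example (not flatpak's own code) models the merge rules as these notes describe them: plain --nofilesystem=host only removes the "host" grant, while host:reset also discards every other filesystem grant inherited from the manifest. The sample finish-args and the exact merge rules are assumptions.

```python
# Simplified model of manifest vs. command-line filesystem grants.
# Not flatpak's implementation; the rules follow the release notes'
# description and are an assumption for illustration.

# Constructed sample manifest finish-args: the app asks for several
# filesystem grants, not only "host".
MANIFEST_FINISH_ARGS = [
    "--share=network",
    "--filesystem=host",
    "--filesystem=home",
    "--filesystem=xdg-download",
]


def manifest_filesystems(finish_args):
    """Collect the filesystem grants declared in the manifest."""
    return {a.split("=", 1)[1] for a in finish_args
            if a.startswith("--filesystem=")}


def effective_filesystems(finish_args, cli_args):
    """Apply command-line overrides (in order) on top of the manifest and
    return the set of filesystem grants that remain in effect."""
    inherited = manifest_filesystems(finish_args)   # from the manifest
    explicit = set()                                # from the command line
    for arg in cli_args:
        if arg.startswith("--filesystem="):
            explicit.add(arg.split("=", 1)[1])
        elif arg.startswith("--nofilesystem="):
            target = arg.split("=", 1)[1]
            if target == "host:reset":
                # Assumed semantics: behaves like --nofilesystem=host and
                # additionally drops everything inherited from the manifest.
                inherited.clear()
            else:
                inherited.discard(target)
                explicit.discard(target)
    return inherited | explicit


if __name__ == "__main__":
    # Removing only "host" leaves the other manifest grants in effect.
    print(effective_filesystems(MANIFEST_FINISH_ARGS, ["--nofilesystem=host"]))
    # host:reset leaves nothing inherited from the manifest.
    print(effective_filesystems(MANIFEST_FINISH_ARGS, ["--nofilesystem=host:reset"]))
```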

$ sha256sum flatpak-1.8.7.tar.xz 
9d082c81fa733382fc5688b880941e6c82ec671b0a4a4f875b5d66c091a224c3  flatpak-1.8.7.tar.xz