CVE-2023-28101: Metadata with ANSI control codes can cause misleading terminal output
Package
Flatpak (freedesktop.org)
Affected versions
< 1.10.8, 1.12.x < 1.12.8, 1.14.x < 1.14.4, 1.15.x < 1.15.4
Patched versions
1.15.4, 1.10.x >= 1.10.8, 1.12.x >= 1.12.8, 1.14.x >= 1.14.4
Impact
If an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the flatpak(1) command-line interface by setting other permissions to crafted values that contain non-printable control characters such as ESC. The affected versions write metadata values to the terminal verbatim, so an escape sequence embedded in one value (for example cursor movement or line erasure) is interpreted by the terminal instead of being displayed, and can erase or overwrite the lines that list the dangerous permissions. The permissions themselves are still granted; only what the user sees is affected.
Patches
Fixed in 1.15.4. See the flatpak-1.14.x, flatpak-1.12.x and flatpak-1.10.x branches for backports to older codebases (releases 1.14.4, 1.12.8 and 1.10.8).
Workarounds
Use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust. When reviewing permissions in a terminal, piping the output through a filter that shows non-printing characters, such as cat -v, makes any embedded escape sequences visible instead of letting the terminal act on them.
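The trick described under Impact, together with the kind of escaping a fixed CLI applies before display, as an added illustration that is not flatpak's own code: a constructed metadata file whose sockets value carries ANSI sequences, a minimal terminal model that shows what a reader would see, and a sanitizer that renders control characters visibly. The app id org.example.Crafted, the "key=value" rendering layout and the terminal model are assumptions made for the example; flatpak's real output format differs.

```python
"""Hiding a permission line with ANSI escapes, and neutralising the trick.

Added example, not flatpak code.  Metadata, rendering layout and the
terminal model are all constructed for illustration.
"""
import re
import unicodedata

# Constructed Flatpak-style metadata (hypothetical app id).  The "sockets"
# value smuggles in three CSI sequences: ESC[1A moves the cursor up one
# row, ESC[2K erases that row, ESC[1G moves to column 1.  Whatever was
# printed on the previous line ("filesystems=host;") is then overwritten
# with a harmless-looking replacement.
CRAFTED_METADATA = (
    "[Application]\n"
    "name=org.example.Crafted\n"
    "[Context]\n"
    "filesystems=host;\n"
    "sockets=x11;\x1b[1A\x1b[2K\x1b[1G  filesystems=xdg-download;\n"
)


def parse_context(metadata: str) -> dict:
    """Minimal key-file parser: key=value pairs of the [Context] group,
    values kept exactly as written (control bytes included)."""
    group, ctx = None, {}
    for line in metadata.split("\n"):          # not splitlines(): it would split on \r too
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif group == "Context" and "=" in line:
            key, _, value = line.partition("=")
            ctx[key.strip()] = value
    return ctx


def escape_control(text: str) -> str:
    """Replace control (Cc) and format (Cf) code points with a visible
    escape such as '\\x1b', so they can no longer drive the terminal.
    Cf covers bidi overrides and zero-width characters, which go beyond the
    advisory's ESC example but enable similar display tricks."""
    out = []
    for ch in text:
        if unicodedata.category(ch) in ("Cc", "Cf"):
            cp = ord(ch)
            out.append(f"\\x{cp:02x}" if cp < 0x100 else f"\\u{cp:04x}")
        else:
            out.append(ch)
    return "".join(out)


def suspicious_keys(ctx: dict) -> list:
    """Keys whose value contains any control or format character."""
    return [k for k, v in ctx.items() if escape_control(v) != v]


def render_permissions(ctx: dict, sanitize: bool) -> str:
    """One 'key=value' line per permission, as a CLI summary might print.
    sanitize=False writes the raw bytes (the vulnerable behaviour)."""
    return "\n".join(
        f"  {key}={escape_control(value) if sanitize else value}"
        for key, value in ctx.items()
    )


CSI = re.compile(r"\x1b\[([0-9;]*)([A-Za-z])")


def simulate_terminal(stream: str) -> list:
    """Tiny VT100 model, just enough for the trick: printable text, newline,
    CSI n A (cursor up), CSI 2 K (erase line), CSI n G (go to column n).
    Unknown sequences and stray control characters are dropped.
    Returns the rows a reader would see."""
    rows, row, col, i = [""], 0, 0, 0
    while i < len(stream):
        m = CSI.match(stream, i)
        if m:
            params, final = m.group(1), m.group(2)
            n = int(params) if params.isdigit() else 1
            if final == "A":
                row = max(0, row - n)
            elif final == "K" and params == "2":
                rows[row] = ""
            elif final == "G":
                col = max(0, n - 1)
            i = m.end()
            continue
        ch, i = stream[i], i + 1
        if ch == "\n":
            row, col = row + 1, 0
            if row == len(rows):
                rows.append("")
        elif ch.isprintable():
            line = rows[row].ljust(col)
            rows[row] = line[:col] + ch + line[col + 1:]
            col += 1
    return rows


if __name__ == "__main__":
    ctx = parse_context(CRAFTED_METADATA)
    print("suspicious keys:", suspicious_keys(ctx))
    print("--- what the terminal shows for raw output ---")
    print("\n".join(simulate_terminal(render_permissions(ctx, sanitize=False))))
    print("--- what it shows once control characters are escaped ---")
    print("\n".join(simulate_terminal(render_permissions(ctx, sanitize=True))))
```

With the raw rendering the reader sees filesystems=xdg-download; and never sees host; with escaping, the host line survives and the sockets line shows the literal \x1b sequences, which is exactly the kind of oddity a reviewer should refuse to install.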