Advisory ROSA-SA-2024-2337
ROSA LAB
Published: 2024-02-06 07:45:40
Source: abf.rosalinux.ru
Tags: flatpak 1.14.4, axis rosa-chrome, linux virtual consoles, graphical interface, cve-2023-28100, cve-2023-28101, fixed, sudo dnf update

CVSS2: 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

CVSS3: 10 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 8.8 High (Confidence: High)

EPSS: 0.035 Low (Percentile: 91.5%)

software: flatpak 1.14.4
AXIS: ROSA-CHROME

package_evr_string: flatpak-1.14.4-1.src.rpm

CVE-ID: CVE-2023-28100
BDU-ID: None
CVE-Crit: MEDIUM
CVE-DESC.: If a Flatpak application runs on a Linux virtual console such as /dev/tty1, it can copy text from the virtual console and paste it into the console's command buffer, from which it can be run as a command after the Flatpak application exits. Common graphical terminal emulators such as xterm, gnome-terminal and Konsole are not affected. This vulnerability is specific to the Linux virtual consoles /dev/tty1, /dev/tty2, etc.
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update flatpak

CVE-ID: CVE-2023-28101
BDU-ID: None
CVE-Crit: MEDIUM
CVE-DESC.: If an attacker publishes a Flatpak application with elevated permissions, they can hide these permissions from users of the flatpak(1) command-line interface by setting other permissions whose values contain non-printable control characters such as ESC. The fix is available in versions 1.10.8, 1.12.8, 1.14.4 and 1.15.4. As a workaround, use a graphical interface such as GNOME Software rather than the command-line interface, or install only applications whose developers you trust.
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update flatpak

Affected package:
OS: ROSA
OS Version: any
Architecture: noarch
Package: flatpak
Package Version: < 1.14.4
Filename: UNKNOWN
