Flatpak: Sandbox escape A vulnerability was discovered in Flatpak which could allow a remote attacker to execute arbitrary code. flatpak 2021-01-25 2021-01-25 765457 remote 1.10.0 1.10.0

Flatpak is a Linux application sandboxing and distribution framework.

A bug was discovered in the flatpak-portal service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape).

A remote attacker could entice a user to open a specially crafted Flatpak app possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.

As a workaround, this vulnerability can be mitigated by preventing the flatpak-portal service from starting, but that mitigation will prevent many Flatpak apps from working correctly. It is highly recommended to upgrade.

All Flatpak users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.10.0" CVE-2021-21261 sam_c b-man