Security Advisory Details

NS-SA-2022-0043

2022-05-08 20:18:47

Synopsis

important: flatpak/linuxptp security update

Severity

important

Topic

An update for flatpak/linuxptp is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

flatpak: This package provides debug information for package flatpak. Debug information is useful when developing applications that use this package or when debugging this package.
linuxptp: This software is an implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux. The dual design goals are to provide a robust implementation of the standard and to use the most relevant and modern Application Programming Interfaces (API) offered by the Linux kernel. Supporting legacy APIs and other platforms is not a goal.


Security Fix(es):
flatpak: A sandbox escape flaw was found in the way flatpak handled special tokens in ".desktop" files. This flaw allows an attacker to gain access to files that are not ordinarily allowed by the app's permissions. The highest threat from this vulnerability is to confidentiality and integrity. (CVE-2021-21381)
flatpak: bugfix
linuxptp: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3570)
linuxptp: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.05.F14B4.

Affected Components

  • flatpak
  • linuxptp

Affected Products

  • CGSL MAIN 5.05
  • CGSL CORE 5.05

Updated Packages

CGSL MAIN 5.05

Source: flatpak-1.0.9-11.el7_9.src.rpm

  • flatpak-builder-1.0.0-11.el7_9.x86_64.rpm
  • flatpak-libs-1.0.9-11.el7_9.x86_64.rpm
  • flatpak-devel-1.0.9-11.el7_9.x86_64.rpm
  • flatpak-debuginfo-1.0.9-11.el7_9.x86_64.rpm
  • flatpak-1.0.9-11.el7_9.x86_64.rpm

Source: linuxptp-2.0-2.el7_9.1.src.rpm

  • linuxptp-2.0-2.el7_9.1.x86_64.rpm
  • linuxptp-debuginfo-2.0-2.el7_9.1.x86_64.rpm

CGSL CORE 5.05

Source: flatpak-1.0.9-11.el7_9.src.rpm

  • flatpak-builder-1.0.0-11.el7_9.x86_64.rpm
  • flatpak-libs-1.0.9-11.el7_9.x86_64.rpm
  • flatpak-devel-1.0.9-11.el7_9.x86_64.rpm
  • flatpak-debuginfo-1.0.9-11.el7_9.x86_64.rpm
  • flatpak-1.0.9-11.el7_9.x86_64.rpm

Source: linuxptp-2.0-2.el7_9.1.src.rpm

  • linuxptp-2.0-2.el7_9.1.x86_64.rpm
  • linuxptp-debuginfo-2.0-2.el7_9.1.x86_64.rpm

CVE

References