Candidate: CVE-2017-9780
PublicDate: 2017-06-21 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9780
 https://github.com/flatpak/flatpak/issues/845
 https://bugs.debian.org/865413
Description:
 In Flatpak before 0.8.7, a third-party app repository could include
 malicious apps that contain files with inappropriate permissions, for
 example setuid or world-writable. The files are deployed with those
 permissions, which would let a local attacker run the setuid executable or
 write to the world-writable location. In the case of the "system helper"
 component, files deployed as part of the app are owned by root, so in the
 worst case they could be setuid root.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865413
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_flatpak:
upstream_flatpak: released (0.8.7-1)
precise/esm_flatpak: DNE
trusty_flatpak: DNE
trusty/esm_flatpak: DNE
vivid/ubuntu-core_flatpak: DNE
xenial_flatpak: DNE
yakkety_flatpak: ignored (reached end-of-life)
zesty_flatpak: ignored (reached end-of-life)
artful_flatpak: ignored (reached end-of-life)
bionic_flatpak: not-affected (1.0.1-0ubuntu0.1)
cosmic_flatpak: not-affected (1.0.1-0ubuntu0.1)
devel_flatpak: not-affected (1.0.1-0ubuntu0.1)