{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2017-9780","title":"Title"},{"category":"description","text":"In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the \"system helper\" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2017-9780","url":"https://www.suse.com/security/cve/CVE-2017-9780"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1012961 for CVE-2017-9780","url":"https://bugzilla.suse.com/1012961"},{"category":"external","summary":"SUSE Bug 1078923 for CVE-2017-9780","url":"https://bugzilla.suse.com/1078923"},{"category":"external","summary":"SUSE Bug 1078989 for CVE-2017-9780","url":"https://bugzilla.suse.com/1078989"}],"title":"SUSE CVE CVE-2017-9780","tracking":{"current_release_date":"2025-10-07T10:27:34Z","generator":{"date":"2023-02-15T04:44:23Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2017-9780","initial_release_date":"2023-02-15T04:44:23Z","revision_history":[{"date":"2023-02-15T04:44:23Z","number":"2","summary":"Current version"},{"date":"2023-12-08T04:23:26Z","number":"3","summary":"Current version"},{"date":"2025-01-01T08:48:53Z","number":"4","summary":"Current version"},{"date":"2025-02-18T07:43:16Z","number":"5","summary":"Current version"},{"date":"2025-03-14T04:50:02Z","number":"6","summary":"Current version"},{"date":"2025-03-16T03:01:38Z","number":"7","summary":"Current version"},{"date":"2025-04-25T08:00:46Z","number":"8","summary":"Current version"},{"date":"2025-07-01T02:36:15Z","number":"9","summary":"Current version"},{"date":"2025-10-07T10:27:34Z","number":"10","summary":"Current version"}],"status":"interim","version":"10"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Desktop 15","product":{"name":"SUSE Linux Enterprise Desktop 15","product_id":"SUSE Linux Enterprise Desktop 15","product_identification_helper":{"cpe":"cpe:/o:suse:sled:15"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Performance Computing 15","product":{"name":"SUSE Linux Enterprise High Performance Computing 15","product_id":"SUSE Linux Enterprise High Performance Computing 15","product_identification_helper":{"cpe":"cpe:/o:suse:sle_hpc:15"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Desktop Applications 15","product":{"name":"SUSE Linux Enterprise Module for Desktop Applications 15","product_id":"SUSE Linux Enterprise Module for Desktop Applications 15","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-desktop-applications:15"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 15","product":{"name":"SUSE Linux Enterprise Server 15","product_id":"SUSE Linux Enterprise Server 15","product_identification_helper":{"cpe":"cpe:/o:suse:sles:15"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP Applications 15","product":{"name":"SUSE Linux Enterprise Server for SAP Applications 15","product_id":"SUSE Linux Enterprise Server for SAP Applications 15","product_identification_helper":{"cpe":"cpe:/o:suse:sles_sap:15"}}},{"category":"product_version","name":"flatpak","product":{"name":"flatpak","product_id":"flatpak","product_identification_helper":{"cpe":"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/flatpak@?upstream=flatpak.src.rpm"}}},{"category":"product_version","name":"flatpak-devel","product":{"name":"flatpak-devel","product_id":"flatpak-devel","product_identification_helper":{"cpe":"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/flatpak-devel@?upstream=flatpak.src.rpm"}}},{"category":"product_version","name":"libflatpak0","product":{"name":"libflatpak0","product_id":"libflatpak0","product_identification_helper":{"cpe":"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/libflatpak0@?upstream=flatpak.src.rpm"}}},{"category":"product_version","name":"typelib-1_0-Flatpak-1_0","product":{"name":"typelib-1_0-Flatpak-1_0","product_id":"typelib-1_0-Flatpak-1_0","product_identification_helper":{"purl":"pkg:rpm/suse/typelib-1_0@Flatpak-1_0"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"flatpak as component of SUSE Linux Enterprise Server 15","product_id":"SUSE Linux Enterprise Server 15:flatpak"},"product_reference":"flatpak","relates_to_product_reference":"SUSE Linux Enterprise Server 15"},{"category":"default_component_of","full_product_name":{"name":"flatpak-devel as component of SUSE Linux Enterprise Server 15","product_id":"SUSE Linux Enterprise Server 15:flatpak-devel"},"product_reference":"flatpak-devel","relates_to_product_reference":"SUSE Linux Enterprise Server 15"},{"category":"default_component_of","full_product_name":{"name":"libflatpak0 as component of SUSE Linux Enterprise Server 15","product_id":"SUSE Linux Enterprise Server 15:libflatpak0"},"product_reference":"libflatpak0","relates_to_product_reference":"SUSE Linux Enterprise Server 15"},{"category":"default_component_of","full_product_name":{"name":"typelib-1_0-Flatpak-1_0 as component of SUSE Linux Enterprise Server 15","product_id":"SUSE Linux Enterprise Server 15:typelib-1_0-Flatpak-1_0"},"product_reference":"typelib-1_0-Flatpak-1_0","relates_to_product_reference":"SUSE Linux Enterprise Server 15"},{"category":"default_component_of","full_product_name":{"name":"flatpak as component of SUSE Linux Enterprise Desktop 15","product_id":"SUSE Linux Enterprise Desktop 15:flatpak"},"product_reference":"flatpak","relates_to_product_reference":"SUSE Linux Enterprise Desktop 15"},{"category":"default_component_of","full_product_name":{"name":"flatpak-devel as component of SUSE Linux Enterprise Desktop 15","product_id":"SUSE Linux Enterprise Desktop 15:flatpak-devel"},"product_reference":"flatpak-devel","relates_to_product_reference":"SUSE Linux Enterprise Desktop 15"},{"category":"default_component_of","full_product_name":{"name":"libflatpak0 as component of SUSE Linux Enterprise Desktop 15","product_id":"SUSE Linux Enterprise Desktop 15:libflatpak0"},"product_reference":"libflatpak0","relates_to_product_reference":"SUSE Linux Enterprise Desktop 15"},{"category":"default_component_of","full_product_name":{"name":"typelib-1_0-Flatpak-1_0 as component of SUSE Linux Enterprise Desktop 15","product_id":"SUSE Linux Enterprise Desktop 15:typelib-1_0-Flatpak-1_0"},"product_reference":"typelib-1_0-Flatpak-1_0","relates_to_product_reference":"SUSE Linux Enterprise Desktop 15"},{"category":"default_component_of","full_product_name":{"name":"flatpak as component of SUSE Linux Enterprise Server for SAP Applications 15","product_id":"SUSE Linux Enterprise Server for SAP Applications 15:flatpak"},"product_reference":"flatpak","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 15"},{"category":"default_component_of","full_product_name":{"name":"flatpak-devel as component of SUSE Linux Enterprise Server for SAP Applications 15","product_id":"SUSE Linux Enterprise Server for SAP Applications 15:flatpak-devel"},"product_reference":"flatpak-devel","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 15"},{"category":"default_component_of","full_product_name":{"name":"libflatpak0 as component of SUSE Linux Enterprise Server for SAP Applications 15","product_id":"SUSE Linux Enterprise Server for SAP Applications 15:libflatpak0"},"product_reference":"libflatpak0","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 15"},{"category":"default_component_of","full_product_name":{"name":"typelib-1_0-Flatpak-1_0 as component of SUSE Linux Enterprise Server for SAP Applications 15","product_id":"SUSE Linux Enterprise Server for SAP Applications 15:typelib-1_0-Flatpak-1_0"},"product_reference":"typelib-1_0-Flatpak-1_0","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 15"},{"category":"default_component_of","full_product_name":{"name":"flatpak as component of SUSE Linux Enterprise High Performance Computing 15","product_id":"SUSE Linux Enterprise High Performance Computing 15:flatpak"},"product_reference":"flatpak","relates_to_product_reference":"SUSE Linux Enterprise High Performance Computing 15"},{"category":"default_component_of","full_product_name":{"name":"flatpak-devel as component of SUSE Linux Enterprise High Performance Computing 15","product_id":"SUSE Linux Enterprise High Performance Computing 15:flatpak-devel"},"product_reference":"flatpak-devel","relates_to_product_reference":"SUSE Linux Enterprise High Performance Computing 15"},{"category":"default_component_of","full_product_name":{"name":"libflatpak0 as component of SUSE Linux Enterprise High Performance Computing 15","product_id":"SUSE Linux Enterprise High Performance Computing 15:libflatpak0"},"product_reference":"libflatpak0","relates_to_product_reference":"SUSE Linux Enterprise High Performance Computing 15"},{"category":"default_component_of","full_product_name":{"name":"typelib-1_0-Flatpak-1_0 as component of SUSE Linux Enterprise High Performance Computing 15","product_id":"SUSE Linux Enterprise High Performance Computing 15:typelib-1_0-Flatpak-1_0"},"product_reference":"typelib-1_0-Flatpak-1_0","relates_to_product_reference":"SUSE Linux Enterprise High Performance Computing 15"},{"category":"default_component_of","full_product_name":{"name":"flatpak as component of SUSE Linux Enterprise Module for Desktop Applications 15","product_id":"SUSE Linux Enterprise Module for Desktop Applications 15:flatpak"},"product_reference":"flatpak","relates_to_product_reference":"SUSE Linux Enterprise Module for Desktop Applications 15"},{"category":"default_component_of","full_product_name":{"name":"flatpak-devel as component of SUSE Linux Enterprise Module for Desktop Applications 15","product_id":"SUSE Linux Enterprise Module for Desktop Applications 15:flatpak-devel"},"product_reference":"flatpak-devel","relates_to_product_reference":"SUSE Linux Enterprise Module for Desktop Applications 15"},{"category":"default_component_of","full_product_name":{"name":"libflatpak0 as component of SUSE Linux Enterprise Module for Desktop Applications 15","product_id":"SUSE Linux Enterprise Module for Desktop Applications 15:libflatpak0"},"product_reference":"libflatpak0","relates_to_product_reference":"SUSE Linux Enterprise Module for Desktop Applications 15"},{"category":"default_component_of","full_product_name":{"name":"typelib-1_0-Flatpak-1_0 as component of SUSE Linux Enterprise Module for Desktop Applications 15","product_id":"SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-Flatpak-1_0"},"product_reference":"typelib-1_0-Flatpak-1_0","relates_to_product_reference":"SUSE Linux Enterprise Module for Desktop Applications 15"}]},"vulnerabilities":[{"cve":"CVE-2017-9780","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2017-9780"}],"notes":[{"category":"general","text":"In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the \"system helper\" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root.","title":"CVE description"}],"product_status":{"known_not_affected":["SUSE Linux Enterprise Desktop 15:flatpak","SUSE Linux Enterprise Desktop 15:flatpak-devel","SUSE Linux Enterprise Desktop 15:libflatpak0","SUSE Linux Enterprise Desktop 15:typelib-1_0-Flatpak-1_0","SUSE Linux Enterprise High Performance Computing 15:flatpak","SUSE Linux Enterprise High Performance Computing 15:flatpak-devel","SUSE Linux Enterprise High Performance Computing 15:libflatpak0","SUSE Linux Enterprise High Performance Computing 15:typelib-1_0-Flatpak-1_0","SUSE Linux Enterprise Module for Desktop Applications 15:flatpak","SUSE Linux Enterprise Module for Desktop Applications 15:flatpak-devel","SUSE Linux Enterprise Module for Desktop Applications 15:libflatpak0","SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-Flatpak-1_0","SUSE Linux Enterprise Server 15:flatpak","SUSE Linux Enterprise Server 15:flatpak-devel","SUSE Linux Enterprise Server 15:libflatpak0","SUSE Linux Enterprise Server 15:typelib-1_0-Flatpak-1_0","SUSE Linux Enterprise Server for SAP Applications 15:flatpak","SUSE Linux Enterprise Server for SAP Applications 15:flatpak-devel","SUSE Linux Enterprise Server for SAP Applications 15:libflatpak0","SUSE Linux Enterprise Server for SAP Applications 15:typelib-1_0-Flatpak-1_0"]},"references":[{"category":"external","summary":"CVE-2017-9780","url":"https://www.suse.com/security/cve/CVE-2017-9780"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1012961 for CVE-2017-9780","url":"https://bugzilla.suse.com/1012961"},{"category":"external","summary":"SUSE Bug 1078923 for CVE-2017-9780","url":"https://bugzilla.suse.com/1078923"},{"category":"external","summary":"SUSE Bug 1078989 for CVE-2017-9780","url":"https://bugzilla.suse.com/1078989"}],"threats":[{"category":"impact","date":"2018-02-02T08:19:53Z","details":"important"}],"title":"CVE-2017-9780"}]}