Hi Simon,

On Tue, Mar 26, 2019 at 03:28:03PM +0000, Simon McVittie wrote:
> Package: flatpak
> Version: 0.8.0-2
> Severity: important
> Tags: patch security upstream
> Forwarded: https://github.com/flatpak/flatpak/issues/2782
>
> flatpak versions since 0.8.1 (and Debian's 0.8.0-2, which has backports
> of the upstream changes that became 0.8.1) attempt to prevent malicious
> apps from escalating their privileges by injecting commands into the
> controlling terminal with the TIOCSTI ioctl (CVE-2017-5226).
>
> This fix was incomplete: on 64-bit platforms, seccomp looks at the whole
> 64-bit word, but the kernel only looks at the low 32 bits. This means we
> also have to block commands like (0x1234567800000000 | TIOCSTI).
> CVE-2019-10063 has been allocated for this vulnerability, which closely
> resembles CVE-2019-7303 in snapd.
>
> Mitigation: as usual with Flatpak sandbox bypasses, this can only be
> exploited if you install a malicious app from a trusted source. The
> sandbox parameters used for most apps are currently sufficiently weak
> that a malicious app could do other equally bad things that we cannot
> prevent, for example by abusing the X11 protocol.
>
> For the testing/unstable distribution (buster/sid) this will be fixed
> in version 1.2.4, or in 1.2.3-2 if 1.2.4 isn't released soon.
>
> For the stable distribution (stretch) upstream do not intend to do a
> new 0.8.x release, so this will have to be fixed by backporting. It's
> a simple backport.
>
> Security team: I assume you probably won't want to do a DSA for this?
Ack. Can you fix the issue via (upcoming) point release for stretch?

Salvatore
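The 64-bit/32-bit mismatch Simon describes is easiest to see by running both filter shapes over the same syscall data. The block below is an added model written for this page, not flatpak's or libseccomp's code: it mirrors the layout of `struct seccomp_data` and `struct sock_filter`, interprets the three classic-BPF opcodes the two filters need, and compares the incomplete filter (kill only when the whole 64-bit `args[1]` equals TIOCSTI) with the corrected one (compare only the 32-bit half the kernel's `ioctl` handler actually receives, since its `cmd` parameter is `unsigned int`). The ioctl syscall number (16) is the x86_64 value and TIOCSTI (0x5412) is the asm-generic value; both are assumptions of the model, and the host's byte order is detected so the "low half" offset is right on little- and big-endian machines.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel ABI (linux/seccomp.h, linux/filter.h)
 * so the model builds without kernel headers; field order and sizes match
 * the real struct seccomp_data and struct sock_filter. */
struct seccomp_data_model {
    int32_t  nr;                  /* syscall number */
    uint32_t arch;                /* AUDIT_ARCH_* */
    uint64_t instruction_pointer;
    uint64_t args[6];             /* raw 64-bit register values */
};
struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* Classic BPF opcodes used below (values as in linux/filter.h). */
enum { LD_W_ABS = 0x20, JEQ_K = 0x15, RET_K = 0x06 };
#define SECCOMP_RET_KILL  0x00000000U
#define SECCOMP_RET_ALLOW 0x7fff0000U
#define NR_IOCTL    16       /* assumption: x86_64 syscall number for ioctl */
#define TIOCSTI_CMD 0x5412U  /* assumption: asm-generic TIOCSTI value */

static int host_little_endian(void) { uint32_t probe = 1; return *(unsigned char *)&probe; }

/* BPF loads 32-bit words, so the two halves of args[1] sit at base and base+4;
 * which one is the "low" half depends on host byte order. */
static uint32_t args1_low_off(void) {
    uint32_t base = (uint32_t)offsetof(struct seccomp_data_model, args[1]);
    return base + (host_little_endian() ? 0 : 4);
}
static uint32_t args1_high_off(void) {
    uint32_t base = (uint32_t)offsetof(struct seccomp_data_model, args[1]);
    return base + (host_little_endian() ? 4 : 0);
}

/* Minimal interpreter for the opcode subset the two filters use. */
static uint32_t run_filter(const struct bpf_insn *prog, size_t len,
                           const struct seccomp_data_model *d) {
    const unsigned char *raw = (const unsigned char *)d;
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct bpf_insn *in = &prog[pc++];
        switch (in->code) {
        case LD_W_ABS:                           /* acc = 32-bit word at offset k */
            if (in->k + 4 > sizeof *d) return SECCOMP_RET_KILL;
            memcpy(&acc, raw + in->k, 4);        /* host order, as the kernel loads it */
            break;
        case JEQ_K:                              /* skip jt/jf instructions */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case RET_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;             /* opcode not modelled */
        }
    }
    return SECCOMP_RET_KILL;
}

/* Incomplete filter: kills only when BOTH halves match, i.e. when the whole
 * 64-bit word equals TIOCSTI. A nonzero high half slips through. */
static size_t build_full_word_filter(struct bpf_insn *out) {
    struct bpf_insn p[8] = {
        { LD_W_ABS, 0, 0, (uint32_t)offsetof(struct seccomp_data_model, nr) },
        { JEQ_K,    0, 5, NR_IOCTL },            /* not ioctl      -> 7: allow */
        { LD_W_ABS, 0, 0, args1_low_off() },
        { JEQ_K,    0, 3, TIOCSTI_CMD },         /* low half other -> 7: allow */
        { LD_W_ABS, 0, 0, args1_high_off() },
        { JEQ_K,    0, 1, 0 },                   /* high half != 0 -> 7: allow */
        { RET_K,    0, 0, SECCOMP_RET_KILL },
        { RET_K,    0, 0, SECCOMP_RET_ALLOW },
    };
    memcpy(out, p, sizeof p);
    return 8;
}

/* Corrected filter: compare only the half the ioctl handler receives. */
static size_t build_masked_filter(struct bpf_insn *out) {
    struct bpf_insn p[6] = {
        { LD_W_ABS, 0, 0, (uint32_t)offsetof(struct seccomp_data_model, nr) },
        { JEQ_K,    0, 3, NR_IOCTL },            /* not ioctl      -> 5: allow */
        { LD_W_ABS, 0, 0, args1_low_off() },     /* kernel-visible 32 bits only */
        { JEQ_K,    0, 1, TIOCSTI_CMD },         /* differs        -> 5: allow */
        { RET_K,    0, 0, SECCOMP_RET_KILL },
        { RET_K,    0, 0, SECCOMP_RET_ALLOW },
    };
    memcpy(out, p, sizeof p);
    return 6;
}

/* The syscall's cmd parameter is `unsigned int`: the register is truncated. */
uint32_t kernel_sees_cmd(uint64_t request_register) { return (uint32_t)request_register; }

static int filter_kills(size_t (*build)(struct bpf_insn *), uint64_t request) {
    struct bpf_insn prog[8];
    struct seccomp_data_model d;
    size_t len = build(prog);
    memset(&d, 0, sizeof d);
    d.nr = NR_IOCTL;
    d.args[1] = request;                         /* ioctl(fd, request, ...) */
    return run_filter(prog, len, &d) == SECCOMP_RET_KILL;
}
int full_word_filter_kills(uint64_t request) { return filter_kills(build_full_word_filter, request); }
int masked_filter_kills(uint64_t request)    { return filter_kills(build_masked_filter, request); }

int main(void) {
    uint64_t cases[] = { TIOCSTI_CMD, 0x1234567800000000ULL | TIOCSTI_CMD, 0x5413ULL };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("request=%#018llx kernel_sees=%#x full-word kills=%d masked kills=%d\n",
               (unsigned long long)cases[i], kernel_sees_cmd(cases[i]),
               full_word_filter_kills(cases[i]), masked_filter_kills(cases[i]));
    return 0;
}
```

The second case is the one from the report: the kernel truncates it to TIOCSTI, the full-word filter lets it through, the masked filter does not. With libseccomp this corresponds to comparing the argument with a 0xffffffff mask rather than with a plain equality, which is the shape of the upstream backport.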