Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
I've prepared a flatpak update for stable to fix CVE-2019-10063 in the next point release. The security team told me they don't intend to release a DSA for this. May I upload?

I've uploaded 1.2.3-2 to unstable to fix the same thing, although I'm hoping to replace it with a new upstream release.

Thanks,
smcv
diffstat for flatpak-0.8.9 flatpak-0.8.9 changelog | 11 +++ patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch | 32 ++++++++++ patches/series | 1 3 files changed, 43 insertions(+), 1 deletion(-) diff -Nru flatpak-0.8.9/debian/changelog flatpak-0.8.9/debian/changelog --- flatpak-0.8.9/debian/changelog 2019-02-11 21:13:02.000000000 +0000 +++ flatpak-0.8.9/debian/changelog 2019-03-26 21:11:16.000000000 +0000 @@ -1,10 +1,19 @@ +flatpak (0.8.9-0+deb9u3) stretch; urgency=medium + + * d/p/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch: + Reject all ioctls that the kernel will interpret as TIOCSTI, + including those where the high 32 bits in a 64-bit word are nonzero. + (Closes: #925541, CVE-2019-10063) + + -- Simon McVittie <s...@debian.org> Tue, 26 Mar 2019 21:11:16 +0000 + flatpak (0.8.9-0+deb9u2) stretch-security; urgency=medium * d/p/Don-t-expose-proc-when-running-apply_extra.patch: Backport patch from upstream v1.2.3: do not let the apply_extra script for a system installation modify the host-side executable via /proc/self/exe, similar to CVE-2019-5736 in runc - (Closes: #922059) + (Closes: #922059; CVE-2019-8308) -- Simon McVittie <s...@debian.org> Mon, 11 Feb 2019 21:13:02 +0000 diff -Nru flatpak-0.8.9/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch flatpak-0.8.9/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch --- flatpak-0.8.9/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch 1970-01-01 01:00:00.000000000 +0100 +++ flatpak-0.8.9/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch 2019-03-26 21:11:16.000000000 +0000 
@@ -0,0 +1,32 @@ +From: Ryan Gonzalez <rym...@gmail.com> +Date: Mon, 25 Mar 2019 13:00:15 -0500 +Subject: run: Only compare the lowest 32 ioctl arg bits for TIOCSTI + +Closes #2782. + +Closes: #2783 +Approved by: alexlarsson + +(cherry picked from commit a9107feeb4b8275b78965b36bf21b92d5724699e) + +Origin: upstream, 1.2.4, commit:8e0aaf4b70d6d7c02c331c655e1a05763485085e +Bug: https://github.com/flatpak/flatpak/issues/2782 +Bug-Debian: https://bugs.debian.org/925541 +Bug-CVE: CVE-2019-10063 +--- + common/flatpak-run.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index 9a69f7b..b3ed2ea 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -3866,7 +3866,7 @@ setup_seccomp (GPtrArray *argv_array, + {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, + + /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ +- {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_EQ, (int)TIOCSTI)}, ++ {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)}, + }; + + struct diff -Nru flatpak-0.8.9/debian/patches/series flatpak-0.8.9/debian/patches/series --- flatpak-0.8.9/debian/patches/series 2019-02-11 21:13:02.000000000 +0000 +++ flatpak-0.8.9/debian/patches/series 2019-03-26 21:11:16.000000000 +0000 @@ -1 +1,2 @@ Don-t-expose-proc-when-running-apply_extra.patch +run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch
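Review bot: the changelog hunk amends the already-released 0.8.9-0+deb9u2 entry (`- (Closes: #922059)` becomes `+ (Closes: #922059; CVE-2019-8308)`) without saying so anywhere, so a reader diffing the two changelogs sees an unexplained line change inside an entry that shipped via stretch-security in February. Either leave the old entry alone and record the CVE id in the new entry, or add a short bullet to the deb9u3 entry noting that the deb9u2 entry was updated with the CVE-2019-8308 reference.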
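Review bot: the new rule in the flatpak-run.c hunk, `{SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},`, is correct for TIOCSTI but the `(int)` cast on the datum should be either dropped or made unsigned. The masked comparison works here only because TIOCSTI is a small positive constant; a request number with bit 31 set that is cast through `int` would be sign-extended when widened to the 64-bit seccomp datum and could then never equal an argument masked to its low 32 bits, so anyone copying this rule for another ioctl would get a filter that silently never matches. The reason for the mask is the one the subject line gives: the kernel interprets only the low 32 bits of the request argument, while the old `SCMP_CMP_EQ` compared all 64, so a value whose high 32 bits were nonzero slipped past the filter. The comment above the rule still cites only CVE-2017-5226; naming CVE-2019-10063 there too would keep the rationale for the mask next to the code rather than only in the patch header.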