Package: flatpak
Version: 1.2.2-1
Severity: critical
Tags: security upstream patch
Justification: root security hole (?)
Control: found -1 1.2.0-1~bpo9+1
Control: found -1 0.8.9-0+deb9u1
Control: found -1 0.8.9-0+deb9u1~bpo8+1
Control: found -1 0.8.5-2+deb9u1
Flatpak upstream releases 1.2.3 and 1.0.7 fix a vulnerability similar to runc vulnerability CVE-2019-5736. If a user installs a system-wide Flatpak app or runtime that has an 'apply_extra' script, then the apply_extra script is run in a sandbox, as root, with /proc mounted. A malicious app or runtime could traverse /proc/self/exe to modify a host-side executable.

It is not completely clear to me *which* host-side executable. To be on the safe side, I'm assuming that it's something that could lead to an unsandboxed privilege escalation vulnerability. I don't currently have an exploit that can be used to demonstrate this vulnerability.

Mitigation: the app or runtime would have to come from a trusted Flatpak repository (such as Flathub) that was previously added as a system-wide source of Flatpak apps by a root-equivalent user. (Non-malicious apply_extra scripts are normally used to process "extra data" files that had to be downloaded out-of-band, such as the archives containing the proprietary Nvidia graphics drivers, which the Flathub maintainers do not believe they are allowed to redistribute directly.)

For buster/sid, I'm preparing a 1.2.3-1 release that will fix this.

For stretch, 0.8.5 and 0.8.9 appear to be vulnerable. I don't think upstream plan to release a 0.8.10 version, but the patch doesn't seem difficult to backport (untested patch attached).

Do the security team want to issue a DSA for this, or should I be targeting the next stretch point release?

References:
https://lists.freedesktop.org/archives/flatpak/2019-February/001476.html
https://github.com/flatpak/flatpak/releases/tag/1.2.3
https://lists.freedesktop.org/archives/flatpak/2019-February/001477.html
https://github.com/flatpak/flatpak/releases/tag/1.0.7

Thanks,
smcv
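A quick way for an administrator to tell whether an installed flatpak carries the apply_extra fix, using the fixed upstream releases named in the report (1.2.3 and 1.0.7). This is an added check, not code from the report or from the Flatpak project; it assumes that any series newer than 1.2 also carries the fix and treats every other series, including the 0.8.x packages in stretch, as unfixed.

```python
"""Classify a Flatpak version string against the releases that fix the apply_extra /proc issue."""
import re
import subprocess

# Upstream releases that contain the fix, keyed by (major, minor) series (from the report).
FIXED = {(1, 2): (1, 2, 3), (1, 0): (1, 0, 7)}


def parse_version(text):
    """Extract the upstream x.y.z triple from e.g. 'Flatpak 1.2.2' or a Debian version '0.8.9-0+deb9u1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_fixed(version):
    """True only when the version sits on a series with a known fix and is at or above it.

    Assumption: a series newer than the newest fixed one (1.3.x and later) inherits the fix.
    Series the report names no fix for (0.8.x, 1.1.x) are reported as unfixed, erring on the safe side.
    """
    series = version[:2]
    if series in FIXED:
        return version >= FIXED[series]
    return series > max(FIXED)


def assess(text):
    """Return the parsed version and whether it is fixed, for one version string."""
    version = parse_version(text)
    return {"version": version, "fixed": is_fixed(version)}


if __name__ == "__main__":
    # 'flatpak --version' prints a line such as 'Flatpak 1.2.2'.
    out = subprocess.run(["flatpak", "--version"], capture_output=True, text=True, check=True).stdout
    result = assess(out)
    status = "fixed" if result["fixed"] else "NOT fixed (apply_extra runs as root with /proc mounted)"
    print(f"flatpak {'.'.join(map(str, result['version']))}: {status}")
```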
From: Alexander Larsson <[email protected]> Date: Sun, 10 Feb 2019 18:23:44 +0100 Subject: Don't expose /proc when running apply_extra As shown by CVE-2019-5736, it is sometimes possible for the sandbox app to access outside files using /proc/self/exe. This is not typically an issue for flatpak as the sandbox runs as the user which has no permissions to e.g. modify the host files. However, when installing apps using extra-data into the system repo we *do* actually run a sandbox as root. So, in this case we disable mounting /proc in the sandbox, which will neuter attacks like this. (cherry picked from commit 468858c1cbcdbcb27266deb5c7347b37adf3a9e4) --- common/flatpak-dir.c | 2 +- common/flatpak-run.c | 6 +++++- common/flatpak-run.h | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c index 4f6f54d..35e0a65 100644 --- a/common/flatpak-dir.c +++ b/common/flatpak-dir.c @@ -3914,7 +3914,7 @@ apply_extra_data (FlatpakDir *self, NULL); if (!flatpak_run_setup_base_argv (argv_array, fd_array, runtime_files, NULL, runtime_ref_parts[2], - FLATPAK_RUN_FLAG_NO_SESSION_HELPER, + FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC, error)) return FALSE; diff --git a/common/flatpak-run.c b/common/flatpak-run.c index cad8bc9..9a69f7b 100644 --- a/common/flatpak-run.c +++ b/common/flatpak-run.c @@ -4071,9 +4071,13 @@ flatpak_run_setup_base_argv (GPtrArray *argv_array, if (fd_array) g_array_append_val (fd_array, group_fd); + if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0) + add_args (argv_array, + "--proc", "/proc", + NULL); + add_args (argv_array, "--unshare-pid", - "--proc", "/proc", "--dir", "/tmp", "--dir", "/var/tmp", "--dir", "/run/host", diff --git a/common/flatpak-run.h b/common/flatpak-run.h index 8a29fe0..e16c4db 100644 --- a/common/flatpak-run.h +++ b/common/flatpak-run.h 
@@ -105,6 +105,7 @@ typedef enum { FLATPAK_RUN_FLAG_NO_SESSION_HELPER = (1 << 4), FLATPAK_RUN_FLAG_MULTIARCH = (1 << 5), FLATPAK_RUN_FLAG_WRITABLE_ETC = (1 << 6), + FLATPAK_RUN_FLAG_NO_PROC = (1 << 19), } FlatpakRunFlags; gboolean flatpak_run_setup_base_argv (GPtrArray *argv_array,
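Review bot: in the apply_extra_data hunk, FLATPAK_RUN_FLAG_NO_PROC is OR'd in unconditionally, so /proc is withheld for user installs as well as the system-repo (root) case the commit message singles out; that is the safer choice, but the message should say the restriction is unconditional, and it is worth confirming that no existing apply_extra script relies on /proc being mounted, since such a script would now fail at install time.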
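Review bot: the new `if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)` block in flatpak_run_setup_base_argv should carry a one-line comment saying why /proc is ever omitted (the /proc/self/exe concern for root-run apply_extra described in the commit message), because the bare flag test gives a later reader no hint. The logic itself is fine: "--unshare-pid" is still always passed, so the sandbox keeps its private PID namespace and simply has no procfs mounted.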
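Review bot: FLATPAK_RUN_FLAG_NO_PROC is assigned bit 19 while the neighbours visible in the flatpak-run.h hunk end at (1 << 6); if the value was chosen to match the upstream enum so that a later backport does not collide, a comment saying so belongs next to it, and if this branch defines other bits not shown in the hunk, the backport should double-check that 19 is actually free.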

