Hirsute now contains 1.10.2-1 with the fix, so I am marking it as fixed
released.
** Changed in: flatpak (Ubuntu)
Status: In Progress => Fix Released
** Description changed:
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859
+ https://security-tracker.debian.org/tracker/CVE-2021-21381
[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2
Affected versions:
>= 0.9.4
Patched versions:
>= 1.10.2
[Test Case]
No test case has been provided yet, but the patches include changes and
additions to the unit tests.
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant
architectures and passes.
There is also a manual test plan:
https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak
Flatpak has autopkgtests enabled:
http://autopkgtest.ubuntu.com/packages/f/flatpak
Regression potential is low, and upstream is very responsive to any
issues raised.
[Other information]
Sandbox escape via special tokens in .desktop file (flatpak#4146)
Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature
which can be used by an attacker to gain access to files that would not
ordinarily be allowed by the app's permissions.
Impact
By putting the special tokens @@ and/or @@u in the Exec field of a
Flatpak app's .desktop file, a malicious app publisher can trick flatpak
into behaving as though the user had chosen to open a target file with
their Flatpak app, which automatically makes that file available to the
Flatpak app.
A minimal solution is the first commit "Disallow @@ and @@U usage in desktop
files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir:
Refuse to export .desktop files with suspicious uses of @@ tokens" are
recommended, but not strictly required.
Workarounds
Avoid installing Flatpak apps from untrusted sources, or check the contents
of the exported .desktop files in exports/share/applications/*.desktop
(typically ~/.local/share/flatpak/exports/share/applications/*.desktop and
/var/lib/flatpak/exports/share/applications/*.desktop) to make sure that
literal filenames do not follow @@ or @@u.
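The check described in the workaround above, as an added Python example that is not code from the advisory, from flatpak or from the Ubuntu package: it tokenizes the Exec= value of each exported .desktop file and reports any literal argument sitting between the @@/@@u and @@ markers where only a %f/%F/%u/%U field code belongs, plus any other argument carrying the @@ prefix. The sample .desktop contents are constructed for the example, and treating @@/@@u as opening a span that the next @@ closes is an assumption about the shape of the Exec lines flatpak writes.

```python
import re
import shlex
from pathlib import Path

# Only these field codes belong between the opening @@/@@u and the closing @@.
FIELD_CODE = re.compile(r"^%[fFuU]$")

# Export directories named in the workaround.
EXPORT_DIRS = [Path.home() / ".local/share/flatpak/exports/share/applications",
               Path("/var/lib/flatpak/exports/share/applications")]

# Constructed samples (not from the advisory): a benign export and one carrying
# a literal path where only a field code belongs.
SAMPLE_DESKTOP_FILES = {
    "benign.desktop": "[Desktop Entry]\nName=Benign\n"
        "Exec=flatpak run --file-forwarding org.example.Benign @@u %U @@\n",
    "suspicious.desktop": "[Desktop Entry]\nName=Suspicious\n"
        "Exec=flatpak run --file-forwarding org.example.Other "
        "@@ /home/user/Documents/notes.txt @@ %f\n",
}

def suspicious_arguments(exec_value):
    """Arguments of an Exec= value that misuse the @@ tokens (assumption: @@ or
    @@u opens a forwarding span, the next @@ closes it; shlex quoting suffices)."""
    findings, inside = [], False
    for arg in shlex.split(exec_value):
        if arg in ("@@", "@@u"):
            inside = not inside
        elif arg.startswith("@@"):
            findings.append(arg)  # any other use of the reserved @@ prefix
        elif inside and not FIELD_CODE.match(arg):
            findings.append(arg)  # a literal where a %f/%u field code belongs
    return findings

def scan_desktop_text(text):
    """Suspicious arguments from every Exec= line of one .desktop file."""
    return [arg for line in text.splitlines() if line.startswith("Exec=")
            for arg in suspicious_arguments(line[len("Exec="):])]

def scan_export_dirs(dirs=EXPORT_DIRS):
    """Map each flagged .desktop file under dirs to its suspicious arguments."""
    results = {}
    for path in (p for d in dirs for p in Path(d).glob("*.desktop")):
        found = scan_desktop_text(path.read_text(errors="replace"))
        if found:
            results[str(path)] = found
    return results

if __name__ == "__main__":
    print({n: scan_desktop_text(t) for n, t in SAMPLE_DESKTOP_FILES.items()})
    print(scan_export_dirs())
```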
References
Acknowledgements
Thanks to @AntonLydike for reporting this issue, and @refi64 for
providing the initial solution.
--
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to flatpak in Ubuntu.
https://bugs.launchpad.net/bugs/1918482
Title:
Update for GHSA-xgh4-387p-hqpp
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482/+subscriptions
--
desktop-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs