** Also affects: flatpak (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: flatpak (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: flatpak (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: flatpak (Ubuntu Hirsute)
   Importance: Undecided
     Assignee: Andrew Hayzen (ahayzen)
       Status: In Progress

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to flatpak in Ubuntu.
https://bugs.launchpad.net/bugs/1911473

Title:
  Update for ghsa-4ppf-fxf6-vxg2

Status in flatpak package in Ubuntu:
  In Progress
Status in flatpak source package in Bionic:
  New
Status in flatpak source package in Focal:
  New
Status in flatpak source package in Groovy:
  New
Status in flatpak source package in Hirsute:
  In Progress

Bug description:
  [Links]

  Upstream Advisory: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
  Debian: https://security-tracker.debian.org/tracker/CVE-2021-21261
  DSA: https://security-tracker.debian.org/tracker/DSA-4830-1

  [Impact]

  Versions in Ubuntu right now:
  Hirsute: 1.8.4-2
  Groovy: 1.8.2-1
  Focal: 1.6.5-0ubuntu0.1
  Bionic: 1.0.9-0ubuntu0.1

  Affected versions:
      >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5

  Patched versions:
      Expected to be >= 1.9.4, 1.8.x >= 1.8.5

  There are also branches with patches for 1.6.x (Ubuntu 20.04), but
  nothing available yet for 1.0.x (Ubuntu 18.04).

  [Test Case]

  No test case has been mentioned yet, but in the patches there are
  changes/additions to the unit tests.

  [Regression Potential]

  Flatpak has a test suite, which is run on build across all
  architectures and passes.

  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .

  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .

  Regression potential is low, and upstream is very responsive to any
  issues raised.

  [Other information]

  Simon McVittie discovered a bug in the flatpak-portal service that can
  allow sandboxed applications to execute arbitrary code on the host
  system (a sandbox escape).

  The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus
  service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox
  to launch their own subprocesses in a new sandbox instance, either with the
  same security settings as the caller or with more restrictive security
  settings. For example, this is used in Flatpak-packaged web browsers such as
  Chromium to launch subprocesses that will process untrusted web content, and
  give those subprocesses a more restrictive sandbox than the browser itself.

  In vulnerable versions, the Flatpak portal service passes caller-
  specified environment variables to non-sandboxed processes on the host
  system, and in particular to the flatpak run command that is used to
  launch the new sandbox instance. A malicious or compromised Flatpak
  app could set environment variables that are trusted by the flatpak
  run command, and use them to execute arbitrary code that is not in a
  sandbox.

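An added triage helper, not code from the bug report or from flatpak itself: it applies the advisory's affected-version expression ( >= 0.11.4 and < 1.9.4, except 1.8.x >= 1.8.5 ) to a version string, either the Ubuntu package versions listed above or the output of `flatpak --version` (assumed to print "Flatpak X.Y.Z"). It judges the upstream version only, so a backported Ubuntu fix that keeps the same upstream version (as the 1.6.x branch for Focal would) still reads as affected here; the package changelog is the authority in that case.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Package versions quoted in the bug report (constructed table from the text above).
UBUNTU_PACKAGES = {
    "Hirsute": "1.8.4-2",
    "Groovy": "1.8.2-1",
    "Focal": "1.6.5-0ubuntu0.1",
    "Bionic": "1.0.9-0ubuntu0.1",
}


def parse_version(text: str) -> Version:
    """Extract the upstream version, e.g. "1.8.4-2" or "Flatpak 1.8.4" -> (1, 8, 4).

    The Debian revision after '-' is ignored: the advisory's ranges describe
    upstream releases, not distribution packages.
    """
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    parts += [0] * (3 - len(parts))  # pad "1.8" to (1, 8, 0)
    return (parts[0], parts[1], parts[2])


def is_affected(v: Version) -> bool:
    """GHSA-4ppf-fxf6-vxg2: affected >= 0.11.4 and < 1.9.4, except 1.8.x >= 1.8.5."""
    if not ((0, 11, 4) <= v < (1, 9, 4)):
        return False
    if v[:2] == (1, 8) and v >= (1, 8, 5):
        return False  # the 1.8 stable branch was fixed in 1.8.5
    return True


def classify(text: str) -> str:
    """Return 'affected' or 'not affected' for a version string (upstream view only)."""
    return "affected" if is_affected(parse_version(text)) else "not affected"


def installed_flatpak_version() -> Optional[str]:
    """Ask the local flatpak binary for its version; None if it is not installed."""
    try:
        proc = subprocess.run(["flatpak", "--version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return proc.stdout.strip()  # assumed form: "Flatpak 1.8.4"


if __name__ == "__main__":
    for release, pkg in UBUNTU_PACKAGES.items():
        print(f"{release:8} {pkg:20} {classify(pkg)}")
    local = installed_flatpak_version()
    print("local:", local, classify(local) if local else "(flatpak not installed)")
```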