This bug was fixed in the package flatpak - 1.6.5-0ubuntu0.2

---------------
flatpak (1.6.5-0ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: tests: Add minimal version
      of "ok" helper.
    - debian/patches/CVE-2021-21261-2.patch: common: Add a backport of
      G_DBUS_METHOD_INVOCATION_HANDLED.
    - debian/patches/CVE-2021-21261-3.patch: run: Convert all environment
      variables into bwrap arguments.
    - debian/patches/CVE-2021-21261-4.patch: tests: Expand coverage for
      environment variable overrides.
    - debian/patches/CVE-2021-21261-5.patch: context: Add --env-fd option.
    - debian/patches/CVE-2021-21261-6.patch: portal: Convert --env in
      extra-args into --env-fd.
    - debian/patches/CVE-2021-21261-7.patch: tests: Exercise --env-fd.
    - debian/patches/CVE-2021-21261-8.patch: portal: Do not use
      caller-supplied variables in environment.
    - debian/patches/CVE-2021-21261-9.patch: tests: Assert that --env= does
      not go in `flatpak run` or bwrap environ.
    - CVE-2021-21261

 -- Andrew Hayzen <[email protected]>  Wed, 13 Jan 2021 21:09:15 +0000

** Changed in: flatpak (Ubuntu Focal)
       Status: In Progress => Fix Released

** Changed in: flatpak (Ubuntu Bionic)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to flatpak in Ubuntu.
https://bugs.launchpad.net/bugs/1911473

Title:
  Update for ghsa-4ppf-fxf6-vxg2

Status in flatpak package in Ubuntu:
  Fix Released
Status in flatpak source package in Bionic:
  Fix Released
Status in flatpak source package in Focal:
  Fix Released
Status in flatpak source package in Groovy:
  Fix Released
Status in flatpak source package in Hirsute:
  Fix Released

Bug description:
  [Links]

  Upstream Advisory: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
  Debian: https://security-tracker.debian.org/tracker/CVE-2021-21261
  DSA: https://security-tracker.debian.org/tracker/DSA-4830-1

  [Impact]

  Versions in Ubuntu right now:
  Hirsute: 1.8.4-2
  Groovy: 1.8.2-1
  Focal: 1.6.5-0ubuntu0.1
  Bionic: 1.0.9-0ubuntu0.1

  Affected versions:
      >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5

  Patched versions:
      Expected to be >= 1.9.4, 1.8.x >= 1.8.5

  There are also branches with patches for 1.6.x (Ubuntu 20.04), but
  nothing available yet for 1.0.x (Ubuntu 18.04).

  [Test Case]

  No test case has been mentioned yet, but in the patches there are
  changes/additions to the unit tests.

  [Regression Potential]

  Flatpak has a test suite, which is run on build across all
  architectures and passes.

  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .

  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .

  Regression potential is low, and upstream is very responsive to any
  issues raised.

  [Other information]

  Simon McVittie discovered a bug in the flatpak-portal service that can
  allow sandboxed applications to execute arbitrary code on the host
  system (a sandbox escape).

  The Flatpak portal D-Bus service (flatpak-portal, also known by its
  D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a
  Flatpak sandbox to launch their own subprocesses in a new sandbox
  instance, either with the same security settings as the caller or
  with more restrictive security settings. For example, this is used in
  Flatpak-packaged web browsers such as Chromium to launch subprocesses
  that will process untrusted web content, and give those subprocesses
  a more restrictive sandbox than the browser itself.

  In vulnerable versions, the Flatpak portal service passes caller-
  specified environment variables to non-sandboxed processes on the host
  system, and in particular to the flatpak run command that is used to
  launch the new sandbox instance. A malicious or compromised Flatpak
  app could set environment variables that are trusted by the flatpak
  run command, and use them to execute arbitrary code that is not in a
  sandbox.

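
The direction of the fix named in the changelog above (caller-supplied variables handed to the launcher through --env-fd instead of being placed in the environment of the host-side process), as an added example that is not part of the original notification and is not Flatpak's own code. write_env_block and demo are hypothetical names, the variables are constructed sample input, and the block format (NAME=VALUE entries each followed by a zero byte, as produced by env -0) is the one flatpak-run documents for --env-fd.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: write caller-supplied NAME=VALUE entries to fd, each
 * followed by a zero byte (the env -0 format read through --env-fd).
 * Returns the number of entries written, or -1 on a malformed entry. */
int write_env_block(int fd, const char *const *vars)
{
    int n = 0;
    /* Validate everything first so a rejected request writes nothing. */
    for (size_t i = 0; vars[i] != NULL; i++) {
        const char *eq = strchr(vars[i], '=');
        if (eq == NULL || eq == vars[i])    /* no '=' or empty name */
            return -1;
    }
    for (size_t i = 0; vars[i] != NULL; i++, n++) {
        size_t len = strlen(vars[i]) + 1;   /* include the terminating NUL */
        if (write(fd, vars[i], len) != (ssize_t)len)
            return -1;
    }
    return n;
}

/* Round trip over a pipe: the untrusted variables travel as data on a
 * descriptor. Returns 0 when the block is byte-exact and this process's
 * own environment was never modified. */
int demo(void)
{
    /* Constructed sample request standing in for a sandboxed caller. */
    const char *const vars[] = { "FOO=bar", "GR_EXAMPLE_VAR=from-sandbox", NULL };
    static const char expect[] = "FOO=bar\0GR_EXAMPLE_VAR=from-sandbox";
    char got[64];
    int p[2];
    if (pipe(p) != 0 || write_env_block(p[1], vars) != 2)
        return -1;
    close(p[1]);
    ssize_t n = read(p[0], got, sizeof got);
    close(p[0]);
    return (n == (ssize_t)sizeof expect && memcmp(got, expect, sizeof expect) == 0
            && getenv("GR_EXAMPLE_VAR") == NULL) ? 0 : 1;
}

int main(void) { return demo(); }
```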