This bug was fixed in the package flatpak - 1.10.2-1ubuntu1.1
---------------
flatpak (1.10.2-1ubuntu1.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: Sandbox bypass via recent VFS-manipulating syscalls
    (LP: #1946578)
    - debian/paches/CVE-2021-41133-1.patch
    - debian/paches/CVE-2021-41133-2.patch
    - debian/paches/CVE-2021-41133-3.patch
    - debian/paches/CVE-2021-41133-4.patch
    - debian/paches/CVE-2021-41133-5.patch
    - debian/paches/CVE-2021-41133-6.patch
    - debian/paches/CVE-2021-41133-7.patch
    - debian/paches/CVE-2021-41133-8.patch
    - debian/paches/CVE-2021-41133-9.patch
    - debian/paches/CVE-2021-41133-10.patch
    - CVE-2021-41133

 -- Andrew Hayzen <[email protected]>  Wed, 13 Oct 2021 00:36:35 +0100
** Changed in: flatpak (Ubuntu Focal)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to flatpak in Ubuntu.
https://bugs.launchpad.net/bugs/1946578
Title:
Update for CVE-2021-41133
Status in flatpak package in Ubuntu:
In Progress
Status in flatpak source package in Bionic:
Fix Released
Status in flatpak source package in Focal:
Fix Released
Status in flatpak source package in Hirsute:
Fix Released
Status in flatpak source package in Impish:
Fix Released
Bug description:
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935
https://security-tracker.debian.org/tracker/CVE-2021-41133
[Impact]
Versions in Ubuntu right now:
Impish: 1.10.2-3
Hirsute: 1.10.2-1ubuntu1
Focal: 1.6.5-0ubuntu0.3
Bionic: 1.0.9-0ubuntu0.3
Affected versions:
1.11.x, 1.10.x <= 1.10.3, all <= 1.8.2
Patched versions:
1.10.5, 1.12.1, also expected in 1.8.2
[Test Case]
Unknown
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant
architectures and passes.
There is also a manual test plan:
https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak
Flatpak has autopkgtests enabled:
http://autopkgtest.ubuntu.com/packages/f/flatpak
Regression potential is low, and upstream is very responsive to any
issues raised.
[Patches]
There were 8 initial patches; since then some regressions have been found:
one has been patched, but a second has a pending pull request (see the GitHub
advisory for links). As noted in the Debian bug as well, there might be further
changes to bubblewrap, so I guess it makes sense to wait until this has settled.
[Other Information]
An anonymous reporter discovered that Flatpak apps with direct access to
AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can
trick portals and other host-OS services into treating the Flatpak app as
though it was an ordinary, non-sandboxed host-OS process, by manipulating the
VFS using recent mount-related syscalls that are not blocked by Flatpak's
denylist seccomp filter, in order to substitute a crafted /.flatpak-info or
make that file disappear entirely.
Impact
Flatpak apps that act as clients for AF_UNIX sockets such as those
used by Wayland, Pipewire or pipewire-pulse can escalate the
privileges that the corresponding services will believe the Flatpak
app has.
Mitigation: Note that protocols that operate entirely over the D-Bus
session bus (user bus), system bus or accessibility bus are not
affected by this. This is because the Flatpak app talks to these buses
through a proxy process, xdg-dbus-proxy, whose VFS the app cannot
manipulate.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp