Your message dated Tue, 31 Oct 2017 18:50:31 +0000
with message-id <[email protected]>
and subject line Re: Bug#880451: flatpak: older flatpak-dbus-proxy versions 
allowed legacy D-Bus eavesdropping
has caused the Debian Bug report #880451,
regarding flatpak: older flatpak-dbus-proxy versions allowed legacy D-Bus 
eavesdropping
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
880451: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880451
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: flatpak
Version: 0.8.5-2
Severity: important
Tags: security

In Flatpak versions prior to 0.9.9 (mainline) and 0.8.8 (0.8.x), the
flatpak-dbus-proxy that is optionally used to filter D-Bus traffic did not
forbid match rules with eavesdrop="true", as used by dbus-monitor versions
prior to 1.9.10. Such match rules could be used by a sandboxed app to
spy on non-sandboxed apps' D-Bus session bus method calls (a local
confidentiality breach).

Apps that are configured to have unrestricted D-Bus access
([Context] sockets=session-bus;, see flatpak-metadata(5)) can do this even
in later versions, but this is not considered to be a bug: unrestricted
D-Bus access is just as unrestricted as you might expect it to be.

Mitigations:
* The apps that could exploit this are not entirely untrusted (the user
  has chosen to install and run them, and in particular has given them
  access to the attack surface of the Linux kernel)
* In practical sandboxed apps, the ability to spy on X11 (which
  everything is going to need to have until Wayland is ubiquitous)
  is more sensitive than the ability to spy on D-Bus
* We can't spy on the system bus like this, because of the security
  boundary between users

My guess is that the security team is not interested in issuing a DSA
for this vulnerability and would prefer me to issue a stable update
(I'm going to ask the SRMs whether they'll accept 0.8.8 into stable,
and if not, propose a 0.8.7-2~deb9u2 version). Is my guess correct?

Thanks,
    smcv

--- End Message ---
--- Begin Message ---
Version: 0.9.9-1

On Tue, 31 Oct 2017 at 18:18:18 +0000, Simon McVittie wrote:
> In Flatpak versions prior to 0.9.9 (mainline) and 0.8.8 (0.8.x)...

Closing this as fixed in 0.9.9. It remains unfixed in 0.8.x until
we get 0.8.8 or a backported patch.

    smcv

--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-utopia-maintainers

Reply via email to