Your message dated Sun, 25 Feb 2018 15:02:10 +0000 with message-id <[email protected]> and subject line Bug#888842: fixed in flatpak 0.8.9-0+deb9u1 has caused the Debian Bug report #888842, regarding flatpak: CVE-2018-6560: D-Bus filtering can be bypassed by a crafted authentication handshake to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
888842: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888842
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: flatpak
Version: 0.6.0-1
Severity: important
Tags: security

Many Flatpak apps ship with sandboxing metadata that gives them filtered access to the D-Bus session and/or system bus.

Gabriel Campana of the Google security team discovered that a malicious app could bypass the intended filtering by crafting an authentication message that will be processed as end-of-authentication by the dbus-daemon, but not recognised as end-of-authentication by flatpak-dbus-proxy.

This has been fixed upstream in versions 0.10.3 and 0.8.9, which I'm going to package now.

The Debian security team has not generally treated Flatpak sandboxing bypasses as security vulnerabilities, on the basis that the sandboxed app provides its own security policy, so no privilege boundary is crossed (in the absence of a curated "app store" where changes to security policy are audited, or a software-downloading UI that highlights security policy changes, neither of which is widely deployed right now). I assume this is still the case, but I'm cc'ing the security team for their information (please let me know if you would like me to prepare a security update).

smcv
--- End Message ---
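The proxy/daemon disagreement described in the report, modelled as an added example that is not flatpak-dbus-proxy's own code: a filtering proxy that classifies each client handshake line by its command token, the same way the bus reads it, and fails closed on any line it cannot classify. The D-Bus SASL line format, the client command list and the sample byte stream are assumptions constructed for this illustration, not details taken from the bug report.

```python
from enum import Enum

# Assumption (D-Bus SASL wire format, not stated in the bug report): the
# client sends handshake lines terminated by CRLF, each an upper-case command
# token optionally followed by one space and arguments. BEGIN ends
# authentication; every byte after its CRLF is binary message traffic that the
# proxy must filter, so proxy and bus must agree on where that boundary is.

class AuthState(Enum):
    CONTINUE = "continue"  # handshake still in progress
    DONE = "done"          # BEGIN seen: switch to message filtering
    REJECT = "reject"      # line the proxy cannot classify: fail closed

# Client-to-server commands from the D-Bus specification (assumed complete).
CLIENT_COMMANDS = {b"AUTH", b"CANCEL", b"BEGIN", b"DATA", b"ERROR",
                   b"NEGOTIATE_UNIX_FD"}

def classify_line(line: bytes) -> AuthState:
    """Classify one complete handshake line (CRLF already stripped)."""
    if not all(0x20 <= c < 0x7F for c in line):
        return AuthState.REJECT  # control bytes or non-ASCII: not a handshake line
    # The command is the token before the first space, as the bus reads it.
    command, _, _args = line.partition(b" ")
    if command == b"BEGIN":
        return AuthState.DONE
    if command in CLIENT_COMMANDS:
        return AuthState.CONTINUE
    return AuthState.REJECT  # unknown command: drop rather than forward blindly

def scan_handshake(buf: bytes):
    """Walk client->bus bytes. Returns (state, offset, lines): offset is the
    index of the first byte after the last classified line (None while the
    handshake is incomplete); lines is [(line, state), ...] for auditing."""
    offset, lines = 0, []
    while True:
        end = buf.find(b"\r\n", offset)
        if end == -1:
            return AuthState.CONTINUE, None, lines  # need more bytes
        line = buf[offset:end]
        state = classify_line(line)
        lines.append((line, state))
        offset = end + 2
        if state is not AuthState.CONTINUE:
            return state, offset, lines

# Constructed sample: a normal EXTERNAL handshake followed by the first bytes
# of a little-endian D-Bus message header, which the proxy must then filter.
SAMPLE = (b"AUTH EXTERNAL 31303030\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n"
          b"l\x01\x00\x01")
```

The returned offset is where message filtering must start; a proxy that computes this boundary differently from the bus forwards bytes it never inspected.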
--- Begin Message ---
Source: flatpak
Source-Version: 0.8.9-0+deb9u1

We believe that the bug you reported is fixed in the latest version of flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Tue, 30 Jan 2018 14:49:40 +0000
Source: flatpak
Binary: flatpak flatpak-builder flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc libflatpak0
Architecture: source
Version: 0.8.9-0+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-builder - Flatpak application building helper
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak-doc - Application deployment framework for desktop apps (documentation)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 888842
Changes:
 flatpak (0.8.9-0+deb9u1) stretch; urgency=medium
 .
   * New upstream release backporting the following fixes from 0.10.x:
     - common/flatpak-run.c: Ignore unrecognised permission strings instead of failing, for forwards compatibility
     - dbus-proxy/flatpak-proxy.c: Fix a D-Bus filtering bypass in flatpak-dbus-proxy (Closes: #888842)
     - profile/flatpak.sh.in: Simplify and improve profile.d snippet (already done in Debian since 0.8.4-1, no practical effect)
   * Drop our patch to profile/flatpak.sh.in, no longer necessary
   * debian/control: Update Vcs-* metadata for salsa.d.o migration
--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-utopia-maintainers
