[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp
Hey Andrew, thanks for preparing these updates. I have reviewed them, adjusted the patch names and the changelogs to refer to CVE-2021-21381, and have packages available for testing in the ubuntu-security-proposed ppa https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages . Any feedback on them would be greatly appreciated.

Thanks

** Changed in: flatpak (Ubuntu Bionic)
     Assignee: Andrew Hayzen (ahayzen) => Steve Beattie (sbeattie)

** Changed in: flatpak (Ubuntu Focal)
     Assignee: Andrew Hayzen (ahayzen) => Steve Beattie (sbeattie)

** Changed in: flatpak (Ubuntu Groovy)
     Assignee: Andrew Hayzen (ahayzen) => Steve Beattie (sbeattie)

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1918482

Title:
  Update for GHSA-xgh4-387p-hqpp

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp
** Changed in: flatpak (Ubuntu)
   Importance: High => Medium
[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp
** Changed in: flatpak (Ubuntu Bionic)
   Importance: High => Medium

** Changed in: flatpak (Ubuntu Focal)
   Importance: High => Medium

** Changed in: flatpak (Ubuntu Groovy)
   Importance: High => Medium
[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp
** Changed in: flatpak (Debian)
       Status: Unknown => Fix Released
[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp
** Bug watch added: Debian Bug tracker #984859
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859

** Also affects: flatpak (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859
   Importance: Unknown
       Status: Unknown

** Changed in: flatpak (Ubuntu)
   Importance: Undecided => High

** Changed in: flatpak (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: flatpak (Ubuntu Focal)
   Importance: Undecided => High

** Changed in: flatpak (Ubuntu Groovy)
   Importance: Undecided => High
[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp
Hirsute now contains 1.10.2-1 with the fix, so I am marking it as fixed released.

** Changed in: flatpak (Ubuntu)
       Status: In Progress => Fix Released

** Description changed:

  [Links]
  https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
  https://github.com/flatpak/flatpak/pull/4156
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859
+ https://security-tracker.debian.org/tracker/CVE-2021-21381

  [Impact]
  Versions in Ubuntu right now:
  Hirsute: 1.10.1-4
  Groovy: 1.8.2-1ubuntu0.1
  Focal: 1.6.5-0ubuntu0.2
  Bionic: 1.0.9-0ubuntu0.2

  Affected versions: >= 0.9.4
  Patched versions: >= 1.10.2

  [Test Case]
  No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.

  [Regression Potential]
  Flatpak has a test suite, which is run on build across all relevant architectures and passes. There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak . Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak . Regression potential is low, and upstream is very responsive to any issues raised.

  [Other information]
  Sandbox escape via special tokens in .desktop file (flatpak#4146)

  Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.

  Impact
  By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.

  A minimal solution is the first commit "Disallow @@ and @@U usage in desktop files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: Refuse to export .desktop files with suspicious uses of @@ tokens" are recommended, but not strictly required.

  Workarounds
  Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.

  References

  Acknowledgements
  Thanks to @AntonLydike for reporting this issue, and @refi64 for providing the initial solution.
[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp
This is now CVE-2021-21381; whoever comes to upload the debdiffs, please consider the following:

* Please rename "- GHSA-xgh4-387p-hqpp" in the debian/changelog to "- CVE-2021-21381"
* Please consider renaming the debian/patches from (for example) "GHSA-xgh4-387p-hqpp-1.patch" to "CVE-2021-21381-1.patch"

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21381

** Changed in: flatpak (Ubuntu Bionic)
     Assignee: (unassigned) => Andrew Hayzen (ahayzen)

** Changed in: flatpak (Ubuntu Focal)
     Assignee: (unassigned) => Andrew Hayzen (ahayzen)

** Changed in: flatpak (Ubuntu Groovy)
     Assignee: (unassigned) => Andrew Hayzen (ahayzen)

** Changed in: flatpak (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: flatpak (Ubuntu Focal)
       Status: New => In Progress

** Changed in: flatpak (Ubuntu Groovy)
       Status: New => In Progress
[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp
** Also affects: flatpak (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: flatpak (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: flatpak (Ubuntu Bionic)
   Importance: Undecided
       Status: New
[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp
** Description changed:

  [Links]
  https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
  https://github.com/flatpak/flatpak/pull/4156
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859

  [Impact]
  Versions in Ubuntu right now:
  Hirsute: 1.10.1-4
  Groovy: 1.8.2-1ubuntu0.1
  Focal: 1.6.5-0ubuntu0.2
  Bionic: 1.0.9-0ubuntu0.2

  Affected versions: >= 0.9.4
  Patched versions: >= 1.10.2

  [Test Case]
  No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.

  [Regression Potential]
  Flatpak has a test suite, which is run on build across all relevant architectures and passes. There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak . Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak . Regression potential is low, and upstream is very responsive to any issues raised.

  [Other information]
  Sandbox escape via special tokens in .desktop file (flatpak#4146)

  Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.

  Impact
  By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.

  A minimal solution is the first commit "Disallow @@ and @@U usage in desktop files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: Refuse to export .desktop files with suspicious uses of @@ tokens" are recommended, but not strictly required.

  Workarounds
  Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.

  References

  Acknowledgements
  Thanks to @AntonLydike for reporting this issue, and @refi64 for providing the initial solution.
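The workaround in the description above (here and in the earlier copy of the description) asks for the exported .desktop files to be checked so that no literal filename follows @@ or @@u. The checker below is an added example written for this page, not code from the bug report or from flatpak; it assumes that legitimate file forwarding brackets a single desktop-entry field code ("@@ %f @@" or "@@u %u @@u") and flags anything else found between the tokens, and both sample .desktop contents are constructed.

```python
import shlex
from typing import List

# Assumption for this checker: legitimate file forwarding brackets a single
# desktop-entry field code, i.e. "@@ %f @@" or "@@u %u @@u".
FORWARD_TOKENS = ("@@", "@@u")
FIELD_CODES = {"%f", "%F", "%u", "%U"}


def suspicious_exec_tokens(exec_value: str) -> List[str]:
    """Return findings for one Exec= value: every literal argument inside a
    @@ ... @@ or @@u ... @@u region, plus a note if a region is never
    closed. An empty list means nothing suspicious was found."""
    try:
        argv = shlex.split(exec_value)
    except ValueError:
        return ["unparseable Exec value: " + exec_value]
    findings = []
    open_token = None  # token that opened the current forwarding region
    for arg in argv:
        if open_token is None:
            if arg in FORWARD_TOKENS:
                open_token = arg
        elif arg == open_token:
            open_token = None  # region closed by its matching token
        elif arg not in FIELD_CODES:
            findings.append(arg)  # literal path/argument being forwarded
    if open_token is not None:
        findings.append("unterminated " + open_token)
    return findings


def scan_desktop_file(text: str) -> List[str]:
    """Scan the text of one exported .desktop file; return all findings."""
    findings = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "Exec":
            findings.extend(suspicious_exec_tokens(value))
    return findings


# Constructed samples, not real exports: one benign entry, one suspicious.
BENIGN = """[Desktop Entry]
Name=Example
Exec=/usr/bin/flatpak run --file-forwarding org.example.App @@ %f @@
"""
SUSPICIOUS = BENIGN.replace("@@ %f @@", "@@ /home/user/Documents/notes.txt @@")

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, scan_desktop_file(text))
```

To check a real installation, read each file matched by the two exports/share/applications/*.desktop paths named in the workaround and pass its text to scan_desktop_file; any non-empty result is an entry worth inspecting before the app is used.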
[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp
If someone has the permissions could they add bionic, focal, and groovy as affected series?
[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp
So we do not have a CVE yet; I believe one will be auto assigned via github at some point (I don't know how long this takes :-) ).

I realised there is a typo in the bionic changelog: "- GHSA-xgh4-387p-hqpp-1" should be "- GHSA-xgh4-387p-hqpp". But once a CVE is available this line will need to be replaced anyway?

For hirsute, 1.10.1-4 has the first commit from https://github.com/flatpak/flatpak/pull/4156/commits but 1.10.2-1 has just been submitted to debian sid with the full fixes, so should be syncing shortly ( https://tracker.debian.org/news/1235768/accepted-flatpak-1102-1-source-into-unstable/ ).

I have not performed any deep testing yet, I have only built the bionic and focal debdiffs in a PPA (I was surprised that the patches still applied cleanly for bionic so wanted to check that, as the line numbers are quite different).
[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp
This is the focal debdiff.

** Attachment added: "[focal] flatpak_1.6.5-0ubuntu0.2_to_flatpak_1.6.5-0ubuntu0.3.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482/+attachment/5475503/+files/flatpak_1.6.5-0ubuntu0.2_to_flatpak_1.6.5-0ubuntu0.3.debdiff.gz
[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp
This is the groovy debdiff.

** Attachment added: "[groovy] flatpak_1.8.2-1ubuntu0.1_to_flatpak_1.8.2-1ubuntu0.2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482/+attachment/5475504/+files/flatpak_1.8.2-1ubuntu0.1_to_flatpak_1.8.2-1ubuntu0.2.debdiff.gz