[Bug 1946578] Re: Update for CVE-2021-41133
Thanks for testing! https://ubuntu.com/security/notices/USN-5191-1 ** Changed in: flatpak (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
This bug was fixed in the package flatpak - 1.0.9-0ubuntu0.4 --- flatpak (1.0.9-0ubuntu0.4) bionic-security; urgency=medium * SECURITY UPDATE: Sandbox bypass via recent VFS-manipulating syscalls (LP: #1946578) - debian/paches/CVE-2021-41133-1.patch - debian/paches/CVE-2021-41133-2.patch - debian/paches/CVE-2021-41133-3.patch - debian/paches/CVE-2021-41133-4.patch - debian/paches/CVE-2021-41133-5.patch - debian/paches/CVE-2021-41133-6.patch - debian/paches/CVE-2021-41133-7.patch - debian/paches/CVE-2021-41133-8.patch - debian/paches/CVE-2021-41133-9.patch - debian/paches/CVE-2021-41133-10.patch - CVE-2021-41133 -- Andrew Hayzen Wed, 13 Oct 2021 00:36:35 +0100 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
This bug was fixed in the package flatpak - 1.6.5-0ubuntu0.4 --- flatpak (1.6.5-0ubuntu0.4) focal-security; urgency=medium * SECURITY UPDATE: Sandbox bypass via recent VFS-manipulating syscalls (LP: #1946578) - debian/paches/CVE-2021-41133-1.patch - debian/paches/CVE-2021-41133-2.patch - debian/paches/CVE-2021-41133-3.patch - debian/paches/CVE-2021-41133-4.patch - debian/paches/CVE-2021-41133-5.patch - debian/paches/CVE-2021-41133-6.patch - debian/paches/CVE-2021-41133-7.patch - debian/paches/CVE-2021-41133-8.patch - debian/paches/CVE-2021-41133-9.patch - debian/paches/CVE-2021-41133-10.patch - CVE-2021-41133 -- Andrew Hayzen Wed, 13 Oct 2021 00:36:35 +0100 ** Changed in: flatpak (Ubuntu Bionic) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
This bug was fixed in the package flatpak - 1.10.2-1ubuntu1.1 --- flatpak (1.10.2-1ubuntu1.1) hirsute-security; urgency=medium * SECURITY UPDATE: Sandbox bypass via recent VFS-manipulating syscalls (LP: #1946578) - debian/paches/CVE-2021-41133-1.patch - debian/paches/CVE-2021-41133-2.patch - debian/paches/CVE-2021-41133-3.patch - debian/paches/CVE-2021-41133-4.patch - debian/paches/CVE-2021-41133-5.patch - debian/paches/CVE-2021-41133-6.patch - debian/paches/CVE-2021-41133-7.patch - debian/paches/CVE-2021-41133-8.patch - debian/paches/CVE-2021-41133-9.patch - debian/paches/CVE-2021-41133-10.patch - CVE-2021-41133 -- Andrew Hayzen Wed, 13 Oct 2021 00:36:35 +0100 ** Changed in: flatpak (Ubuntu Focal) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
This bug was fixed in the package flatpak - 1.10.2-3ubuntu0.1 --- flatpak (1.10.2-3ubuntu0.1) impish-security; urgency=medium * SECURITY UPDATE: Sandbox bypass via recent VFS-manipulating syscalls (LP: #1946578) - debian/paches/CVE-2021-41133-1.patch - debian/paches/CVE-2021-41133-2.patch - debian/paches/CVE-2021-41133-3.patch - debian/paches/CVE-2021-41133-4.patch - debian/paches/CVE-2021-41133-5.patch - debian/paches/CVE-2021-41133-6.patch - debian/paches/CVE-2021-41133-7.patch - debian/paches/CVE-2021-41133-8.patch - debian/paches/CVE-2021-41133-9.patch - debian/paches/CVE-2021-41133-10.patch - CVE-2021-41133 -- Andrew Hayzen Wed, 13 Oct 2021 00:36:35 +0100 ** Changed in: flatpak (Ubuntu Impish) Status: In Progress => Fix Released ** Changed in: flatpak (Ubuntu Hirsute) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
I've done some exploratory testing of Wayland/portal related tests from the test plan on a Impish VM and things are working normally. $ apt policy flatpak flatpak: Installed: 1.10.2-3ubuntu0.1 Candidate: 1.10.2-3ubuntu0.1 Version table: *** 1.10.2-3ubuntu0.1 500 500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu impish/main amd64 Packages 100 /var/lib/dpkg/status 1.10.2-3 500 500 http://gb.archive.ubuntu.com/ubuntu impish/universe amd64 Packages -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
I've done some exploratory testing of Wayland/portal related tests from the test plan on a Hirsute VM and things are working normally. $ apt policy flatpak flatpak: Installed: 1.10.2-1ubuntu1.1 Candidate: 1.10.2-1ubuntu1.1 Version table: *** 1.10.2-1ubuntu1.1 500 500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu hirsute/main amd64 Packages 100 /var/lib/dpkg/status 1.10.2-1ubuntu1 500 500 http://gb.archive.ubuntu.com/ubuntu hirsute/universe amd64 Packages -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
I've done some exploratory testing of Wayland/portal related tests from the test plan on a Bionic VM and things are working normally. $ apt policy flatpak flatpak: Installed: 1.0.9-0ubuntu0.4 Candidate: 1.0.9-0ubuntu0.4 Version table: *** 1.0.9-0ubuntu0.4 500 500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu bionic/main amd64 Packages 100 /var/lib/dpkg/status 1.0.9-0ubuntu0.3 500 500 http://gb.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages 500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages 0.11.3-3 500 500 http://gb.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
I've done some exploratory testing of Wayland/portal related tests from the test plan on a Focal VM and things are working normally. $ apt policy flatpak flatpak: Installed: 1.6.5-0ubuntu0.4 Candidate: 1.6.5-0ubuntu0.4 Version table: *** 1.6.5-0ubuntu0.4 500 500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu focal/main amd64 Packages 100 /var/lib/dpkg/status 1.6.5-0ubuntu0.3 500 500 http://gb.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages 500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages 1.6.3-1 500 500 http://gb.archive.ubuntu.com/ubuntu focal/universe amd64 Packages -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
Sorry, I somehow missed comment 11 and was thinking we were still waiting for the libseccomp decision. I'll check the packages now! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
Given that the security team is working on this I'm unsubscribing ubuntu-sponsors. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
ACK on the debdiffs, I've uploaded them with a slight changelog formatting change, and I've specified a specific version for the libseccomp Build-Depends on bionic and focal. I've build the packages, along with the required libseccomp updates in the following PPA: https://launchpad.net/~ubuntu-security- proposed/+archive/ubuntu/ppa/+packages Could you please test them and comment here if they appear to work ok? Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
@mdeslaur - sure I think a no-change rebuild would be fine for libseccomp, there are no other dependencies that I am aware of for it (it requires valgrind at build-time to run some unit tests and these fail on arm64 IIRC for the valgrind version in bionic-security/release but succeed with the version in bionic-updates - hence I have a copy of this in the security-proposed PPA from the last time I was doing libseccomp builds there - https://launchpad.net/~ubuntu-security- proposed/+archive/ubuntu/ppa/+packages) So assuming we use the security-proposed PPA to do the no-change rebuild it should just work. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
@alex Do you think we can do a no-change rebuild of libseccomp into bionic-security and focal-security? Are there any dependencies we need to rebuild too? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
Please find attached the debdiff for Ubuntu 18.04 bionic. I have performed some testing in a VM and built in a PPA. Note that for bionic (same as focal), we likely want to use the version of libseccomp2 from bionic-updates ( 2.5.1-1ubuntu1~18.04.1) rather than focal-security ( 2.4.3-1ubuntu3.18.04.3). Is is possible to move libseccomp2 2.5.1-1ubuntu1~18.04.1 to focal-security? (and depending what happens here, then means a change to the control file of flatpak to specify the version?) Let me know if anything has been done incorrectly. ** Attachment added: "Partial Bionic CVE debdiff" https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+attachment/5534671/+files/bionic_flatpak_1.0.9-0ubuntu0.3_to_1.0.9-0ubuntu0.4.debdiff.gz -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
Please find attached the debdiff for Ubuntu 20.04 focal. I have performed some testing in a VM and built in a PPA. Note that for focal, we likely want to use the version of libseccomp2 from focal-updates (2.5.1-1ubuntu1~20.04.1) rather than focal-security (2.4.3-1ubuntu3.20.04.3). Is is possible to move libseccomp2 2.5.1-1ubuntu1~20.04.1 to focal-security? (and depending what happens here, then means a change to the control file to specify the version?) Let me know if anything has been done incorrectly. ** Attachment added: "Partial Focal CVE debdiff" https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+attachment/5534670/+files/focal_flatpak_1.6.5-0ubuntu0.3_to_1.6.5-0ubuntu0.4.debdiff.gz ** Changed in: flatpak (Ubuntu Bionic) Status: New => In Progress ** Changed in: flatpak (Ubuntu Bionic) Assignee: (unassigned) => Andrew Hayzen (ahayzen) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
I've got a set of rebased changes for focal prepared, but I'm waiting for the PPA to build and test (currently stuck in a queue as 22.04 is opening). So I'll assign focal to myself and hopefully will be able to test this tomorrow when the build completes. ** Changed in: flatpak (Ubuntu Focal) Assignee: (unassigned) => Andrew Hayzen (ahayzen) ** Changed in: flatpak (Ubuntu Focal) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
** Changed in: flatpak (Ubuntu Bionic) Importance: Undecided => Medium ** Changed in: flatpak (Ubuntu Focal) Importance: Undecided => Medium ** Changed in: flatpak (Ubuntu Hirsute) Importance: Undecided => Medium ** Changed in: flatpak (Ubuntu Impish) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
So hirsute and impish have libseccomp 2.5.1, but focal and bionic have 2.4.3 in the security pocket and 2.5.1 in the updates pocket. I'm not sure if there is procedure here to try and pull 2.5.1 of focal and bionic into the security pocket with flatpak - if that is needed to solve the security issue. Focal and bionic will need also rebasing of the patches, I might take a look at this over the weekend if no one else does. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946578] Re: Update for CVE-2021-41133
Please find attached the debdiff for Ubuntu 21.04 hirsute. I have performed some testing in a VM and built in a PPA. Let me know if anything has been done incorrectly. ** Attachment added: "Hirsute CVE debdiff" https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+attachment/5533003/+files/hirsute_flatpak_1.10.2-1ubuntu1_to_1.10.2-1ubuntu1.1.debdiff.gz -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs