[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-02-02 Thread Launchpad Bug Tracker
This bug was fixed in the package flatpak - 1.8.2-1ubuntu0.1

---
flatpak (1.8.2-1ubuntu0.1) groovy-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: common: Add a backport of

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-02-02 Thread Launchpad Bug Tracker
This bug was fixed in the package flatpak - 1.0.9-0ubuntu0.2

---
flatpak (1.0.9-0ubuntu0.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: run: Convert all environment

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-02-02 Thread Launchpad Bug Tracker
This bug was fixed in the package flatpak - 1.6.5-0ubuntu0.2

---
flatpak (1.6.5-0ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: tests: Add minimal version of "ok"

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-28 Thread Paulo Flabiano Smorigo
@Andrew, hello. Focal and Groovy with your backports are fine and ready to go. I'm still resistant about Bionic since I couldn't import the tests. I'll try to manually test it a little more tomorrow and, if everything goes well, I'll publish it on Monday. -- You received this bug notification

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-27 Thread Andrew Hayzen
@Paulo, was there any progress on this or anything you need help with? I've posted debdiffs for focal and groovy. Sounds like you have a diff for bionic. Let me know if there is anything I can do to help this move to the next step :-)

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-22 Thread Paulo Flabiano Smorigo
Thanks. I managed to backport version 1.2 to bionic (1.0.9). I had to exclude the tests because the framework is very different between both versions. I'll test it on Monday.

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-21 Thread Mathew Hodson
** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1911473 Title: Update for ghsa-4ppf-fxf6-vxg2 To manage notifications about this bug go to:

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-21 Thread Andrew Hayzen
Please find attached the debdiff for Ubuntu 20.10 groovy. This includes a similar set of patches to the focal set and has been picked from between the 1.8.4 and 1.8.5 tags. Let me know if anything has been done incorrectly or if I missed any commits. I will leave it up to the security team to decide

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-21 Thread Andrew Hayzen
@Paulo, thanks! BTW smcv just pointed out two more potential patches that could be included in the focal 1.6 patch; these are only for users that use setuid on the bubblewrap binary though (users who disable user namespaces, like Debian). It would be up to us if we want to include them. See

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-21 Thread Paulo Flabiano Smorigo
Just a heads up. Your focal backport seems fine, no problems there. I'm working on the bionic version but, since it's based on 1.0.9, it's not straightforward.

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-19 Thread Sebastien Bacher
** Changed in: flatpak (Ubuntu Groovy)
   Assignee: (unassigned) => Andrew Hayzen (ahayzen)

** Changed in: flatpak (Ubuntu Bionic)
   Assignee: (unassigned) => Andrew Hayzen (ahayzen)

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-16 Thread Mathew Hodson
** Changed in: flatpak (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: flatpak (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: flatpak (Ubuntu Hirsute)
   Importance: Undecided => Medium

** Changed in: flatpak (Ubuntu Groovy)
   Importance: Undecided => Medium

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-15 Thread Andrew Hayzen
1.8.5 has landed in hirsute now, so marking hirsute as fixed released.

** Changed in: flatpak (Ubuntu Hirsute)
       Status: In Progress => Fix Released

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-15 Thread Andrew Hayzen
** Changed in: flatpak (Ubuntu Focal)
       Status: New => In Progress

** Changed in: flatpak (Ubuntu Focal)
     Assignee: (unassigned) => Andrew Hayzen (ahayzen)

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-14 Thread Alex Murray
** Also affects: flatpak (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: flatpak (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: flatpak (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: flatpak (Ubuntu Hirsute)

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-14 Thread Andrew Hayzen
If anyone has the permission to propose this bug for the series bionic, focal, and groovy, that would be useful :-)

** Description changed:

+ [Links]
+
+ Upstream Advisory: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
+ Debian:

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-14 Thread Andrew Hayzen
Please find attached the debdiff for Ubuntu 20.04 focal. I have tested this using the manual test plan in a VM and built it in a PPA. Let me know if anything has been done incorrectly.

** Summary changed:

- Placeholder for ghsa-4ppf-fxf6-vxg2
+ Update for ghsa-4ppf-fxf6-vxg2

** Description

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-14 Thread Andrew Hayzen
Also note that hirsute now has 1.8.5 in hirsute-proposed (which contains the fix), although it looks like s390x has failed in the tests; I wonder if a retest will make it pass or if it is a genuine failure.