[Bug 1964763] Re: QtChooser doesn't support qt6

2022-05-26 Thread Andrew Hayzen
I was going to request this change into Debian as well, but it appears that
this has already been attempted and was rejected due to "qtchooser is dead
upstream". https://salsa.debian.org/qt-kde-team/qt/qtchooser/-/merge_requests/2

I wonder if the situation can be improved though as if you are trying to
use Qt 6 tooling in a container image then you need workarounds :-/

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1964763

Title:
  QtChooser doesn't support qt6

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtchooser/+bug/1964763/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1957716] Re: Update for CVE-2021-43860 and CVE-2022-21682

2022-03-02 Thread Andrew Hayzen
@alexmurray, hey, I believe that commit was reverted later as it caused
a behavioural regression? The GitHub advisory
(https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx)
was changed to point to a different commit
(https://github.com/flatpak/flatpak/commit/5709f1aaed6579f0136976e14e7f3cae399134ca).

When creating that debdiff, if I recall correctly I went through the
commits in this branch
https://github.com/flatpak/flatpak/commits/flatpak-1.10.x combined with
referring to the GitHub advisories and then skipped the "Make
--nofilesystem=host/home remove access to subdirs of those"
(307ee18dd62f65c1319594501d01bbdb10f88ab8) as it was reverted later with
"Revert "Make --nofilesystem=host/home remove access to subdirs of
those"" (ed91bba615d4e50ccd7de53ca9861e367175bbfb).

Please correct me if you think I've missed something :-)

In the GitHub advisory
(https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx)
there are two commits for flatpak-builder so this could also be done.

Also note I tried looking at focal/bionic but there are a large amount
of merge conflicts due to substantial change in the codebase and I'm not
familiar enough with GObject/GLib etc to rewrite that code.

[Bug 1957716] Re: Update for CVE-2021-43860 and CVE-2022-21682

2022-01-27 Thread Andrew Hayzen
Please find attached the debdiff for Ubuntu 21.10 impish. I have
performed some testing in a VM and built in a PPA.

** Attachment added: "Impish CVE debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1957716/+attachment/5557881/+files/flatpak_impish_lp1957716.debdiff.gz

[Bug 1957716] Re: Update for CVE-2021-43860 and CVE-2022-21682

2022-01-27 Thread Andrew Hayzen
** Changed in: flatpak (Ubuntu Impish)
   Status: New => In Progress

** Changed in: flatpak (Ubuntu Impish)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)

[Bug 1957716] Re: Update for CVE-2021-43860 and CVE-2022-21682

2022-01-19 Thread Andrew Hayzen
** Description changed:

  [Links]
  https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j ( 
CVE-2021-43860 )
  https://security-tracker.debian.org/tracker/CVE-2021-43860
  
  https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx ( 
CVE-2022-21682 )
  https://security-tracker.debian.org/tracker/CVE-2022-21682
  
  [Impact]
  Versions in Ubuntu right now:
  Jammy: 1.12.2-2
  Impish: 1.10.2-3ubuntu0.1
  Focal: 1.6.5-0ubuntu0.4
  Bionic: 1.0.9-0ubuntu0.4
  
  Affected versions:
  all
  
  Patched versions:
- 1.12.3, 1.10.6
+ 1.12.4, 1.10.7
  
  [Test Case]
  Unknown
  
  [Regression Potential]
  Flatpak has a test suite, which is run on build across all relevant 
architectures and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
  [Patches]
  The first CVE has 4 patches (+ 1 test patch), the second CVE has 1 patch (+ 6 
doc/test patches).
  
  [Other Information]
  
  For the first advisory with the CVE:
  
  Ryan Gonzalez discovered that Flatpak doesn't properly validate that the
  permissions displayed to the user for an app at install time match the
  actual permissions granted to the app at runtime, in the case that
  there's a null byte in the metadata file of an app. Therefore apps can
  grant themselves permissions without the consent of the user.
  
  Flatpak shows permissions to the user during install by reading them
  from the "xa.metadata" key in the commit metadata. This cannot contain a
  null terminator, because it is an untrusted GVariant. Flatpak compares
  these permissions to the actual metadata, from the "metadata" file to
  ensure it wasn't lied to.
  
  However, the actual metadata contents are loaded in several places where
  they are read as simple C-style strings. That means that, if the
  metadata file includes a null terminator, only the content of the file
  from before the terminator gets compared to xa.metadata. Thus, any
  permissions that appear in the metadata file after a null terminator are
  applied at runtime but not shown to the user. Maliciously crafted apps
  can use this to give themselves hidden permissions.
  
  In addition, a similar weakness was discovered, where if the permissions
  in the summary metadata are invalid, they would not be displayed to the
  user, but the the actual permissions would be granted, even though it
  didn't match the invalid version.
  
- 
  For the second advisory:
  
  flatpak-builder applies finish-args last in the build. At this point the
  build directory will have the full access that is specified in the
  manifest, so running flatpak build against it will gain that
  permissions. Normally this will not be done, so this is not problem.
  However, if --mirror-screenshots-url is specified, then flatpak-builder
  will launch flatpak build --nofilesystem=host appstream-utils mirror-
  screenshots after finalization, which can lead to issues even with the
  --nofilesystem=host protection.
  
  There are two issues:
  
- --nofilesystem=host only overrides the access to the full host. The app 
can still request access to a specific directory, like --filesystem=~/some-dir, 
which is not affected by this.
- If a filesystem is specified like --filesystem=~/foobar:create, then that 
directory will be created before running the command.
+ --nofilesystem=host only overrides the access to the full host. The app 
can still request access to a specific directory, like --filesystem=~/some-dir, 
which is not affected by this.
+ If a filesystem is specified like --filesystem=~/foobar:create, then that 
directory will be created before running the command.
  
  In normal use the only issue is that these empty directories can be
  created wherever the user has write permissions. However, a malicious
  application could replace the appstream-util binary and potentially do
  something more hostile.
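
Review bot: The "Patched versions" line moves from 1.12.3, 1.10.6 to 1.12.4, 1.10.7, but nothing else in the description says why the earlier releases no longer count as patched, and the [Patches] counts are unchanged. Add a sentence under [Patches] or [Other Information] saying what changed between those releases, so whoever prepares the updates for the Ubuntu versions listed under [Impact] knows which commits to take. The two re-added items under "There are two issues:" differ from the removed lines only in whitespace and still have no list markers.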

[Bug 1957716] Re: Update for CVE-2021-43860 and CVE-2022-21682

2022-01-19 Thread Andrew Hayzen
** Description changed:

  [Links]
  https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j ( 
CVE-2021-43860 )
  https://security-tracker.debian.org/tracker/CVE-2021-43860
  
  https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx ( 
CVE-2022-21682 )
  https://security-tracker.debian.org/tracker/CVE-2022-21682
- 
  
  [Impact]
  Versions in Ubuntu right now:
  Jammy: 1.12.2-2
  Impish: 1.10.2-3ubuntu0.1
  Focal: 1.6.5-0ubuntu0.4
  Bionic: 1.0.9-0ubuntu0.4
  
  Affected versions:
  all
  
  Patched versions:
  1.12.3, 1.10.6
  
  [Test Case]
  Unknown
  
  [Regression Potential]
  Flatpak has a test suite, which is run on build across all relevant 
architectures and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
  [Patches]
- There are two separate github advisories but only one of them has a CVE.
- 
- The advisory with the CVE has 5 patches, the other has 2 patches.
+ The first CVE has 4 patches (+ 1 test patch), the second CVE has 1 patch (+ 6 
doc/test patches).
  
  [Other Information]
  
  For the first advisory with the CVE:
  
  Ryan Gonzalez discovered that Flatpak doesn't properly validate that the
  permissions displayed to the user for an app at install time match the
  actual permissions granted to the app at runtime, in the case that
  there's a null byte in the metadata file of an app. Therefore apps can
  grant themselves permissions without the consent of the user.
  
  Flatpak shows permissions to the user during install by reading them
  from the "xa.metadata" key in the commit metadata. This cannot contain a
  null terminator, because it is an untrusted GVariant. Flatpak compares
  these permissions to the actual metadata, from the "metadata" file to
  ensure it wasn't lied to.
  
  However, the actual metadata contents are loaded in several places where
  they are read as simple C-style strings. That means that, if the
  metadata file includes a null terminator, only the content of the file
  from before the terminator gets compared to xa.metadata. Thus, any
  permissions that appear in the metadata file after a null terminator are
  applied at runtime but not shown to the user. Maliciously crafted apps
  can use this to give themselves hidden permissions.
  
  In addition, a similar weakness was discovered, where if the permissions
  in the summary metadata are invalid, they would not be displayed to the
  user, but the the actual permissions would be granted, even though it
  didn't match the invalid version.
  
+ 
  For the second advisory:
  
  flatpak-builder applies finish-args last in the build. At this point the
  build directory will have the full access that is specified in the
  manifest, so running flatpak build against it will gain that
  permissions. Normally this will not be done, so this is not problem.
  However, if --mirror-screenshots-url is specified, then flatpak-builder
  will launch flatpak build --nofilesystem=host appstream-utils mirror-
  screenshots after finalization, which can lead to issues even with the
  --nofilesystem=host protection.
  
- These changes result in a behaviour change as debian have noted in their
- changelog:
+ There are two issues:
  
-   * Behaviour changes, as a result of how GHSA-8ch7-5j3h-g4fx was fixed:
- - --nofilesystem=host is now special-cased to negate all --filesystem
-   permissions. Previously, it would cancel out --filesystem=host but
-   not --filesystem=/some/dir.
- - --nofilesystem=home is now special-cased to negate several
-   home-directory-related filesystem permssions such as
-   --filesystem=xdg-config/foo, not just --filesystem=host.
+ --nofilesystem=host only overrides the access to the full host. The app 
can still request access to a specific directory, like --filesystem=~/some-dir, 
which is not affected by this.
+ If a filesystem is specified like --filesystem=~/foobar:create, then that 
directory will be created before running the command.
+ 
+ In normal use the only issue is that these empty directories can be
+ created wherever the user has write permissions. However, a malicious
+ application could replace the appstream-util binary and potentially do
+ something more hostile.
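
Review bot: Replacing the Debian changelog excerpt with the "There are two issues:" text drops the only statement that the fix changes how --nofilesystem=host and --nofilesystem=home behave, while [Regression Potential] still reads "Regression potential is low". Keep a line about that behaviour change under [Regression Potential] so reviewers of the update know what to test. The heading "For the first advisory with the CVE:" also no longer fits now that [Patches] speaks of "the first CVE" and "the second CVE".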

[Bug 1957716] Re: Update for CVE-2021-43860 and CVE-2022-21682

2022-01-16 Thread Andrew Hayzen
Note that Jammy now has 1.12.3-1 so is fixed.

** Summary changed:

- Update for CVE-2021-43860 and second github advisory
+ Update for CVE-2021-43860 and CVE-2022-21682

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-21682

** Description changed:

  [Links]
- https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j
- https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx
+ https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j ( 
CVE-2021-43860 )
  https://security-tracker.debian.org/tracker/CVE-2021-43860
+ 
+ https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx ( 
CVE-2022-21682 )
+ https://security-tracker.debian.org/tracker/CVE-2022-21682
+ 
  
  [Impact]
  Versions in Ubuntu right now:
  Jammy: 1.12.2-2
  Impish: 1.10.2-3ubuntu0.1
  Focal: 1.6.5-0ubuntu0.4
  Bionic: 1.0.9-0ubuntu0.4
  
  Affected versions:
- all
+ all
  
  Patched versions:
- 1.12.3, 1.10.6
+ 1.12.3, 1.10.6
  
  [Test Case]
  Unknown
  
  [Regression Potential]
  Flatpak has a test suite, which is run on build across all relevant 
architectures and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
  [Patches]
  There are two separate github advisories but only one of them has a CVE.
  
  The advisory with the CVE has 5 patches, the other has 2 patches.
- 
  
  [Other Information]
  
  For the first advisory with the CVE:
  
  Ryan Gonzalez discovered that Flatpak doesn't properly validate that the
  permissions displayed to the user for an app at install time match the
  actual permissions granted to the app at runtime, in the case that
  there's a null byte in the metadata file of an app. Therefore apps can
  grant themselves permissions without the consent of the user.
  
  Flatpak shows permissions to the user during install by reading them
  from the "xa.metadata" key in the commit metadata. This cannot contain a
  null terminator, because it is an untrusted GVariant. Flatpak compares
  these permissions to the actual metadata, from the "metadata" file to
  ensure it wasn't lied to.
  
  However, the actual metadata contents are loaded in several places where
  they are read as simple C-style strings. That means that, if the
  metadata file includes a null terminator, only the content of the file
  from before the terminator gets compared to xa.metadata. Thus, any
  permissions that appear in the metadata file after a null terminator are
  applied at runtime but not shown to the user. Maliciously crafted apps
  can use this to give themselves hidden permissions.
  
  In addition, a similar weakness was discovered, where if the permissions
  in the summary metadata are invalid, they would not be displayed to the
  user, but the the actual permissions would be granted, even though it
  didn't match the invalid version.
  
- 
  For the second advisory:
  
  flatpak-builder applies finish-args last in the build. At this point the
  build directory will have the full access that is specified in the
  manifest, so running flatpak build against it will gain that
  permissions. Normally this will not be done, so this is not problem.
  However, if --mirror-screenshots-url is specified, then flatpak-builder
  will launch flatpak build --nofilesystem=host appstream-utils mirror-
  screenshots after finalization, which can lead to issues even with the
  --nofilesystem=host protection.
  
- 
  These changes result in a behaviour change as debian have noted in their
  changelog:
  
-   * Behaviour changes, as a result of how GHSA-8ch7-5j3h-g4fx was fixed:
- - --nofilesystem=host is now special-cased to negate all --filesystem
-   permissions. Previously, it would cancel out --filesystem=host but
-   not --filesystem=/some/dir.
- - --nofilesystem=home is now special-cased to negate several
-   home-directory-related filesystem permssions such as
-   --filesystem=xdg-config/foo, not just --filesystem=host.
+   * Behaviour changes, as a result of how GHSA-8ch7-5j3h-g4fx was fixed:
+ - --nofilesystem=host is now special-cased to negate all --filesystem
+   permissions. Previously, it would cancel out --filesystem=host but
+   not --filesystem=/some/dir.
+ - --nofilesystem=home is now special-cased to negate several
+   home-directory-related filesystem permssions such as
+   --filesystem=xdg-config/foo, not just --filesystem=host.
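
Review bot: The [Links] change attaches CVE-2022-21682 to GHSA-8ch7-5j3h-g4fx, but the unchanged [Patches] text still reads "There are two separate github advisories but only one of them has a CVE", and [Other Information] still says "For the first advisory with the CVE:". Update both so the description agrees with the new links. The "all", "1.12.3, 1.10.6" and Debian changelog lines are removed and re-added with no visible difference; that churn makes the real change harder to spot.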

[Bug 1957716] Re: Update for CVE-2021-43860 and second github advisory

2022-01-12 Thread Andrew Hayzen
** Changed in: flatpak (Ubuntu)
   Status: New => In Progress

[Bug 1957716] Re: Update for CVE-2021-43860 and second github advisory

2022-01-12 Thread Andrew Hayzen
Can someone with permission add impish, focal, bionic as affected
series? (hirsute I assume we can skip as it's about to EOL).

[Bug 1957716] [NEW] Update for CVE-2021-43860 and second github advisory

2022-01-12 Thread Andrew Hayzen
*** This bug is a security vulnerability ***

Public security bug reported:

[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j
https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx
https://security-tracker.debian.org/tracker/CVE-2021-43860

[Impact]
Versions in Ubuntu right now:
Jammy: 1.12.2-2
Impish: 1.10.2-3ubuntu0.1
Focal: 1.6.5-0ubuntu0.4
Bionic: 1.0.9-0ubuntu0.4

Affected versions:
all

Patched versions:
1.12.3, 1.10.6

[Test Case]
Unknown

[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant 
architectures and passes.

There is also a manual test plan
https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .

Flatpak has autopkgtests enabled
http://autopkgtest.ubuntu.com/packages/f/flatpak .

Regression potential is low, and upstream is very responsive to any
issues raised.

[Patches]
There are two separate github advisories but only one of them has a CVE.

The advisory with the CVE has 5 patches, the other has 2 patches.


[Other Information]

For the first advisory with the CVE:

Ryan Gonzalez discovered that Flatpak doesn't properly validate that the
permissions displayed to the user for an app at install time match the
actual permissions granted to the app at runtime, in the case that
there's a null byte in the metadata file of an app. Therefore apps can
grant themselves permissions without the consent of the user.

Flatpak shows permissions to the user during install by reading them
from the "xa.metadata" key in the commit metadata. This cannot contain a
null terminator, because it is an untrusted GVariant. Flatpak compares
these permissions to the actual metadata, from the "metadata" file to
ensure it wasn't lied to.

However, the actual metadata contents are loaded in several places where
they are read as simple C-style strings. That means that, if the
metadata file includes a null terminator, only the content of the file
from before the terminator gets compared to xa.metadata. Thus, any
permissions that appear in the metadata file after a null terminator are
applied at runtime but not shown to the user. Maliciously crafted apps
can use this to give themselves hidden permissions.

In addition, a similar weakness was discovered, where if the permissions
in the summary metadata are invalid, they would not be displayed to the
user, but the actual permissions would be granted, even though it
didn't match the invalid version.


For the second advisory:

flatpak-builder applies finish-args last in the build. At this point the
build directory will have the full access that is specified in the
manifest, so running flatpak build against it will gain those
permissions. Normally this will not be done, so this is not a problem.
However, if --mirror-screenshots-url is specified, then flatpak-builder
will launch flatpak build --nofilesystem=host appstream-utils
mirror-screenshots after finalization, which can lead to issues even with
the --nofilesystem=host protection.


These changes result in a behaviour change as debian have noted in their
changelog:

  * Behaviour changes, as a result of how GHSA-8ch7-5j3h-g4fx was fixed:
    - --nofilesystem=host is now special-cased to negate all --filesystem
      permissions. Previously, it would cancel out --filesystem=host but
      not --filesystem=/some/dir.
    - --nofilesystem=home is now special-cased to negate several
      home-directory-related filesystem permissions such as
      --filesystem=xdg-config/foo, not just --filesystem=host.

** Affects: flatpak (Ubuntu)
     Importance: Undecided
 Assignee: Andrew Hayzen (ahayzen)
 Status: In Progress

** Information type changed from Public to Public Security

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-43860

** Changed in: flatpak (Ubuntu)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
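
The mismatch behind CVE-2021-43860 described in the report above, as an added C example (not Flatpak's code and not part of the original message): a check that reads the "metadata" file as a C string accepts a file with an embedded NUL, while a length-aware check rejects it. The function names and the sample bytes are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: what the installer shows the user ("xa.metadata").
 * Per the report, this value cannot contain a NUL byte. */
static const char XA_METADATA[] = "[Context]\nshared=network;\n";

/* Constructed sample: raw bytes of the "metadata" file. The part before
 * the NUL equals XA_METADATA; a further key follows the NUL. */
static const char METADATA_FILE[] =
    "[Context]\nshared=network;\n"
    "\0"
    "filesystems=home;\n";
#define METADATA_FILE_LEN (sizeof(METADATA_FILE) - 1) /* drop literal's own NUL */

/* Flawed check: both sides are treated as C strings, so the comparison
 * stops at the first NUL in the file contents. */
bool metadata_matches_cstring(const char *shown, const char *file_data)
{
    return strcmp(shown, file_data) == 0;
}

/* Length-aware check: reject any embedded NUL, then compare every byte. */
bool metadata_matches_strict(const char *shown, size_t shown_len,
                             const char *file_data, size_t file_len)
{
    if (memchr(file_data, '\0', file_len) != NULL)
        return false;
    if (shown_len != file_len)
        return false;
    return memcmp(shown, file_data, file_len) == 0;
}

/* Byte-wise search for a key in the first `len` bytes of a buffer. Used to
 * show what a consumer sees depending on which length it trusts. */
bool buffer_has_key(const char *buf, size_t len, const char *key)
{
    size_t klen = strlen(key);
    if (klen == 0 || klen > len)
        return false;
    for (size_t i = 0; i + klen <= len; i++) {
        if (memcmp(buf + i, key, klen) == 0)
            return true;
    }
    return false;
}

int main(void)
{
    size_t cstr_len = strlen(METADATA_FILE); /* length as a C string */

    printf("file size: %zu bytes, C-string length: %zu bytes\n",
           (size_t)METADATA_FILE_LEN, cstr_len);
    printf("C-string check accepts file:   %d\n",
           metadata_matches_cstring(XA_METADATA, METADATA_FILE));
    printf("length-aware check accepts:    %d\n",
           metadata_matches_strict(XA_METADATA, strlen(XA_METADATA),
                                   METADATA_FILE, METADATA_FILE_LEN));
    printf("'filesystems=' in C-string view: %d\n",
           buffer_has_key(METADATA_FILE, cstr_len, "filesystems="));
    printf("'filesystems=' in full file:     %d\n",
           buffer_has_key(METADATA_FILE, METADATA_FILE_LEN, "filesystems="));
    return 0;
}
```

The gap between the file size and the C-string length is the part that is never compared against what the user was shown.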

[Bug 1955361] [NEW] [Jammy] steam-installer doesn't appear in software centres due to appdata changes

2021-12-19 Thread Andrew Hayzen
Public bug reported:

Since the appdata changes in the recent upload, steam-installer doesn't
appear in the software stores.

Let's revert back to our downstream changes for now as this was an
experiment.

** Affects: steam (Ubuntu)
 Importance: Undecided
 Assignee: Andrew Hayzen (ahayzen)
 Status: In Progress

** Changed in: steam (Ubuntu)
   Status: New => In Progress

** Changed in: steam (Ubuntu)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)

[Bug 1951894] Re: Merge steam 1.0.0.74-1 from debian sid to ubuntu jammy

2021-12-15 Thread Andrew Hayzen
** Summary changed:

- Merge steam 1.0.0.73-1 from debian sid to ubuntu jammy
+ Merge steam 1.0.0.74-1 from debian sid to ubuntu jammy

[Bug 1946578] Re: Update for CVE-2021-41133

2021-12-13 Thread Andrew Hayzen
I've done some exploratory testing of Wayland/portal related tests from
the test plan on an Impish VM and things are working normally.

$ apt policy flatpak
flatpak:
  Installed: 1.10.2-3ubuntu0.1
  Candidate: 1.10.2-3ubuntu0.1
  Version table:
 *** 1.10.2-3ubuntu0.1 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu impish/main amd64 Packages
        100 /var/lib/dpkg/status
     1.10.2-3 500
        500 http://gb.archive.ubuntu.com/ubuntu impish/universe amd64 Packages

[Bug 1946578] Re: Update for CVE-2021-41133

2021-12-13 Thread Andrew Hayzen
I've done some exploratory testing of Wayland/portal related tests from
the test plan on a Hirsute VM and things are working normally.

$ apt policy flatpak
flatpak:
  Installed: 1.10.2-1ubuntu1.1
  Candidate: 1.10.2-1ubuntu1.1
  Version table:
 *** 1.10.2-1ubuntu1.1 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu hirsute/main amd64 Packages
        100 /var/lib/dpkg/status
     1.10.2-1ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu hirsute/universe amd64 Packages

[Bug 1946578] Re: Update for CVE-2021-41133

2021-12-13 Thread Andrew Hayzen
I've done some exploratory testing of Wayland/portal related tests from
the test plan on a Bionic VM and things are working normally.

$ apt policy flatpak
flatpak:
  Installed: 1.0.9-0ubuntu0.4
  Candidate: 1.0.9-0ubuntu0.4
  Version table:
 *** 1.0.9-0ubuntu0.4 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.9-0ubuntu0.3 500
        500 http://gb.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
     0.11.3-3 500
        500 http://gb.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

[Bug 1946578] Re: Update for CVE-2021-41133

2021-12-13 Thread Andrew Hayzen
I've done some exploratory testing of Wayland/portal related tests from
the test plan on a Focal VM and things are working normally.

$ apt policy flatpak
flatpak:
  Installed: 1.6.5-0ubuntu0.4
  Candidate: 1.6.5-0ubuntu0.4
  Version table:
 *** 1.6.5-0ubuntu0.4 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
     1.6.5-0ubuntu0.3 500
        500 http://gb.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
     1.6.3-1 500
        500 http://gb.archive.ubuntu.com/ubuntu focal/universe amd64 Packages

[Bug 1946578] Re: Update for CVE-2021-41133

2021-12-13 Thread Andrew Hayzen
Sorry, I somehow missed comment 11 and was thinking we were still
waiting for the libseccomp decision. I'll check the packages now!

[Bug 1951894] Re: Merge steam 1.0.0.73-1 from debian sid to ubuntu jammy

2021-12-06 Thread Andrew Hayzen
** Summary changed:

-  Merge steam 1.0.0.72-2 from debian sid to ubuntu jammy
+ Merge steam 1.0.0.73-1 from debian sid to ubuntu jammy

[Bug 1951894] [NEW] Merge steam 1.0.0.72-2 from debian sid to ubuntu jammy

2021-11-22 Thread Andrew Hayzen
Public bug reported:

Debian has a newer version of steam packaging available, let's merge the
changes into the Ubuntu version to bring us back into sync.

** Affects: steam (Ubuntu)
 Importance: Undecided
 Assignee: Andrew Hayzen (ahayzen)
 Status: In Progress

** Changed in: steam (Ubuntu)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)

** Changed in: steam (Ubuntu)
   Status: New => In Progress


[Bug 1946578] Re: Update for CVE-2021-41133

2021-10-20 Thread Andrew Hayzen
Please find attached the debdiff for Ubuntu 18.04 bionic. I have
performed some testing in a VM and built in a PPA.

Note that for bionic (same as focal), we likely want to use the version
of libseccomp2 from bionic-updates (2.5.1-1ubuntu1~18.04.1) rather than
focal-security (2.4.3-1ubuntu3.18.04.3). Is it possible to move
libseccomp2 2.5.1-1ubuntu1~18.04.1 to focal-security? (and depending
what happens here, then means a change to the control file of flatpak to
specify the version?)

Let me know if anything has been done incorrectly.


** Attachment added: "Partial Bionic CVE debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+attachment/5534671/+files/bionic_flatpak_1.0.9-0ubuntu0.3_to_1.0.9-0ubuntu0.4.debdiff.gz


[Bug 1946578] Re: Update for CVE-2021-41133

2021-10-20 Thread Andrew Hayzen
Please find attached the debdiff for Ubuntu 20.04 focal. I have
performed some testing in a VM and built in a PPA.

Note that for focal, we likely want to use the version of libseccomp2
from focal-updates (2.5.1-1ubuntu1~20.04.1) rather than focal-security
(2.4.3-1ubuntu3.20.04.3). Is it possible to move libseccomp2
2.5.1-1ubuntu1~20.04.1 to focal-security? (and depending what happens
here, then means a change to the control file to specify the version?)

Let me know if anything has been done incorrectly.


** Attachment added: "Partial Focal CVE debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+attachment/5534670/+files/focal_flatpak_1.6.5-0ubuntu0.3_to_1.6.5-0ubuntu0.4.debdiff.gz

** Changed in: flatpak (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: flatpak (Ubuntu Bionic)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)


[Bug 1946578] Re: Update for CVE-2021-41133

2021-10-19 Thread Andrew Hayzen
I've got a set of rebased changes for focal prepared, but I'm waiting
for the PPA to build and test (currently stuck in a queue as 22.04 is
opening). So I'll assign focal to myself and hopefully will be able to
test this tomorrow when the build completes.

** Changed in: flatpak (Ubuntu Focal)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)

** Changed in: flatpak (Ubuntu Focal)
   Status: New => In Progress


[Bug 1946578] Re: Update for CVE-2021-41133

2021-10-14 Thread Andrew Hayzen
So hirsute and impish have libseccomp 2.5.1, but focal and bionic have
2.4.3 in the security pocket and 2.5.1 in the updates pocket.  I'm not
sure if there is procedure here to try and pull 2.5.1 of focal and
bionic into the security pocket with flatpak - if that is needed to
solve the security issue.

Focal and bionic will need also rebasing of the patches, I might take a
look at this over the weekend if no one else does.

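The pocket question raised in the messages above (libseccomp2 2.4.3 in the security pocket, 2.5.1 only in updates) can be checked mechanically. The following is an added example, not part of the thread or of any Ubuntu tooling: it parses unwrapped `apt policy` output and applies Debian version ordering to decide whether a required minimum is reachable from a chosen set of pockets. The function names, the sample text and the minimum of 2.5.1 are assumptions made for illustration.

```python
from functools import cmp_to_key

# Constructed sample in the layout `apt policy` prints. The two version
# strings are the ones quoted in the thread; the rest is illustrative.
SAMPLE_POLICY = """\
libseccomp2:
  Installed: 2.4.3-1ubuntu3.20.04.3
  Candidate: 2.5.1-1ubuntu1~20.04.1
  Version table:
     2.5.1-1ubuntu1~20.04.1 500
        500 http://gb.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
 *** 2.4.3-1ubuntu3.20.04.3 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
"""


def _order(ch):
    # Debian ordering for non-digit characters: '~' sorts before everything
    # (even end of string), letters sort before other punctuation.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare two upstream or revision strings the way dpkg does."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Non-digit runs are compared character by character.
        while (ia < len(a) and not a[ia].isdigit()) or \
              (ib < len(b) and not b[ib].isdigit()):
            oa = _order(a[ia]) if ia < len(a) and not a[ia].isdigit() else 0
            ob = _order(b[ib]) if ib < len(b) and not b[ib].isdigit() else 0
            if oa != ob:
                return -1 if oa < ob else 1
            ia, ib = ia + 1, ib + 1
        # Digit runs are compared numerically; an empty run counts as 0.
        ja, jb = ia, ib
        while ja < len(a) and a[ja].isdigit():
            ja += 1
        while jb < len(b) and b[jb].isdigit():
            jb += 1
        na, nb = int(a[ia:ja] or "0"), int(b[ib:jb] or "0")
        if na != nb:
            return -1 if na < nb else 1
        ia, ib = ja, jb
    return 0


def _split(version):
    """Split [epoch:]upstream[-revision] into its three parts."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 following Debian version ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def versions_by_suite(policy_text):
    """Map each suite (pocket) to the versions apt policy lists for it."""
    suites, current, in_table = {}, None, False
    for line in policy_text.splitlines():
        tokens = line.replace("***", " ").split()
        if line.strip() == "Version table:":
            in_table = True
        elif not in_table or not tokens:
            continue
        elif len(tokens) == 2 and tokens[1].isdigit():
            current = tokens[0]            # "<version> <priority>"
        elif len(tokens) >= 4 and tokens[0].isdigit() and current:
            # "<priority> <url> <suite>/<component> <arch> Packages"
            suite = tokens[2].split("/")[0]
            suites.setdefault(suite, []).append(current)
    return suites


def best_version(policy_text, allowed_suites):
    """Highest version offered by any of the allowed pockets, or None."""
    found = [v for suite, versions in versions_by_suite(policy_text).items()
             if suite in allowed_suites for v in versions]
    return max(found, key=cmp_to_key(compare_versions)) if found else None


def satisfiable(policy_text, minimum, allowed_suites):
    """True if some allowed pocket carries a version >= minimum."""
    best = best_version(policy_text, allowed_suites)
    return best is not None and compare_versions(best, minimum) >= 0
```

A machine that only enables the release and security pockets corresponds to `allowed_suites={"focal", "focal-security"}`; a `False` result there means a security upload depending on the newer library could not be installed on it.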

[Bug 1946578] Re: Update for CVE-2021-41133

2021-10-14 Thread Andrew Hayzen
Please find attached the debdiff for Ubuntu 21.04 hirsute. I have
performed some testing in a VM and built in a PPA.

Let me know if anything has been done incorrectly.


** Attachment added: "Hirsute CVE debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+attachment/5533003/+files/hirsute_flatpak_1.10.2-1ubuntu1_to_1.10.2-1ubuntu1.1.debdiff.gz


[Bug 1946578] Re: Placeholder for CVE-2021-41133

2021-10-14 Thread Andrew Hayzen
Please find attached the debdiff for Ubuntu 21.10 impish. I have
performed some testing in a VM and built in a PPA.

Let me know if anything has been done incorrectly.

** Attachment added: "Impish CVE debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+attachment/5533002/+files/impish_flatpak_1.10.2-3_to_1.10.2-3ubuntu0.1.debdiff.gz

** Summary changed:

- Placeholder for CVE-2021-41133
+ Update for CVE-2021-41133

** Description changed:

- *** Placeholder until regressions are fixed upstream ***
- 
  [Links]
  https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935
  https://security-tracker.debian.org/tracker/CVE-2021-41133
- 
  
  [Impact]
  Versions in Ubuntu right now:
  Impish: 1.10.2-3
  Hirsute: 1.10.2-1ubuntu1
  Focal: 1.6.5-0ubuntu0.3
  Bionic: 1.0.9-0ubuntu0.3
  
  Affected versions:
- 1.11.x, 1.10.x <= 1.10.3, all <= 1.8.2
+ 1.11.x, 1.10.x <= 1.10.3, all <= 1.8.2
  
  Patched versions:
- 1.10.5, 1.12.1, also expected in 1.8.2
- 
+ 1.10.5, 1.12.1, also expected in 1.8.2
  
  [Test Case]
  Unknown
- 
  
  [Regression Potential]
  Flatpak has a test suite, which is run on build across all relevant 
architectures and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
- 
  [Patches]
  There were 8 initial patches, then some regressions have been found, one has 
been patched, but a second has a pending pull request (see the github advisory 
for links). As noted in the debian bug as well there might be further changes 
to bubblewrap, so guess it makes sense to wait until this has settled.
- 
  
  [Other Information]
  An anonymous reporter discovered that Flatpak apps with direct access to 
AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can 
trick portals and other host-OS services into treating the Flatpak app as 
though it was an ordinary, non-sandboxed host-OS process, by manipulating the 
VFS using recent mount-related syscalls that are not blocked by Flatpak's 
denylist seccomp filter, in order to substitute a crafted /.flatpak-info or 
make that file disappear entirely.
  Impact
  
  Flatpak apps that act as clients for AF_UNIX sockets such as those used
  by Wayland, Pipewire or pipewire-pulse can escalate the privileges that
  the corresponding services will believe the Flatpak app has.
  
  Mitigation: Note that protocols that operate entirely over the D-Bus
  session bus (user bus), system bus or accessibility bus are not affected
  by this. This is due to the use of a proxy process xdg-dbus-proxy, whose
  VFS cannot be manipulated by the Flatpak app, when interacting with
  these buses.


[Bug 1946578] Re: Placeholder for CVE-2021-41133

2021-10-12 Thread Andrew Hayzen
** Changed in: flatpak (Ubuntu Impish)
   Status: New => In Progress

** Changed in: flatpak (Ubuntu Hirsute)
   Status: New => In Progress

** Changed in: flatpak (Ubuntu Hirsute)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)


[Bug 1946578] Re: Placeholder for CVE-2021-41133

2021-10-09 Thread Andrew Hayzen
If someone has the permissions could they add bionic, focal, hirsute,
and impish as affected series ?


[Bug 1946578] Re: Placeholder for CVE-2021-41133

2021-10-09 Thread Andrew Hayzen
** Description changed:

+ *** Placeholder until regressions are fixed upstream ***
+ 
  [Links]
  https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935
  https://security-tracker.debian.org/tracker/CVE-2021-41133
+ 
+ 
+ [Impact]
+ Versions in Ubuntu right now:
+ Impish: 1.10.2-3
+ Hirsute: 1.10.2-1ubuntu1
+ Focal: 1.6.5-0ubuntu0.3
+ Bionic: 1.0.9-0ubuntu0.3
+ 
+ Affected versions:
+ 1.11.x, 1.10.x <= 1.10.3, all <= 1.8.2
+ 
+ Patched versions:
+ 1.10.5, 1.12.1, also expected in 1.8.2
+ 
+ 
+ [Test Case]
+ Unknown
+ 
+ 
+ [Regression Potential]
+ Flatpak has a test suite, which is run on build across all relevant 
architectures and passes.
+ 
+ There is also a manual test plan
+ https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
+ 
+ Flatpak has autopkgtests enabled
+ http://autopkgtest.ubuntu.com/packages/f/flatpak .
+ 
+ Regression potential is low, and upstream is very responsive to any
+ issues raised.
+ 
+ 
+ [Patches]
+ There were 8 initial patches, then some regressions have been found, one has 
been patched, but a second has a pending pull request (see the github advisory 
for links). As noted in the debian bug as well there might be further changes 
to bubblewrap, so guess it makes sense to wait until this has settled.
+ 
+ 
+ [Other Information]
+ An anonymous reporter discovered that Flatpak apps with direct access to 
AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can 
trick portals and other host-OS services into treating the Flatpak app as 
though it was an ordinary, non-sandboxed host-OS process, by manipulating the 
VFS using recent mount-related syscalls that are not blocked by Flatpak's 
denylist seccomp filter, in order to substitute a crafted /.flatpak-info or 
make that file disappear entirely.
+ Impact
+ 
+ Flatpak apps that act as clients for AF_UNIX sockets such as those used
+ by Wayland, Pipewire or pipewire-pulse can escalate the privileges that
+ the corresponding services will believe the Flatpak app has.
+ 
+ Mitigation: Note that protocols that operate entirely over the D-Bus
+ session bus (user bus), system bus or accessibility bus are not affected
+ by this. This is due to the use of a proxy process xdg-dbus-proxy, whose
+ VFS cannot be manipulated by the Flatpak app, when interacting with
+ these buses.

** Information type changed from Public to Public Security

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41133

** Changed in: flatpak (Ubuntu)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)


[Bug 1946578] [NEW] Placeholder for CVE-2021-41133

2021-10-09 Thread Andrew Hayzen
Public bug reported:

[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935
https://security-tracker.debian.org/tracker/CVE-2021-41133

** Affects: flatpak (Ubuntu)
 Importance: Undecided
 Status: New


[Bug 1944431] Re: Changing the resolution while in the activites overview changes to the desktop

2021-09-21 Thread Andrew Hayzen
Reported an issue upstream
https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/4626

** Bug watch added: gitlab.gnome.org/GNOME/gnome-shell/-/issues #4626
   https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/4626


[Bug 1944431] Re: Changing the resolution while in the activites overview changes to the desktop

2021-09-21 Thread Andrew Hayzen
** Description changed:

  What Happened
- 1) Installed the package gnome-session (ensuring it is the latest version)
- 2) At gdm picked "GNOME" and not "Ubuntu"
- 3) Reboot and login to the desktop
- 4) Notice that initially the activity overview is shown (correctly)
- 5) Then within a second or so, something causes the desktop to be focused and 
activity overview closed (incorrect)
- 
- Further notes:
- - if you log out and log back in again, it doesn't happen ?
- - if you wait on the gdm login for a long period of time (eg over a minute) 
then it doesn't happen ?
- - this is *not* the Ubuntu session but the GNOME session
+ 1) Open GNOME Shell to the activities overview
+ 2) Change the resolution (eg if using a VM resize it)
+ 3) Notice that we switch to the desktop view
  
  What I expected to happen:
- At step 5 for the activity overview to stay and not switch to the desktop 
until the user has interacted.
+ At step 3 to remain in the activities overview.
  
- 
- I understand that the Ubuntu session with the dock enabled wants the desktop 
to be the current state after login. But for the GNOME session with no 
extensions enabled, the way that if one logs in quickly and something is 
triggering the activity overview to be dismissed appears to be a bug.
- 
- 
- $ apt policy gnome-session
- gnome-session:
-   Installed: 40.1.1-1ubuntu1
-   Candidate: 40.1.1-1ubuntu1
+ $ apt policy gnome-shell
+ gnome-shell:
+   Installed: 40.2-1ubuntu6
+   Candidate: 40.2-1ubuntu6
Version table:
-  *** 40.1.1-1ubuntu1 500
- 500 http://gb.archive.ubuntu.com/ubuntu impish/universe amd64 Packages
- 500 http://gb.archive.ubuntu.com/ubuntu impish/universe i386 Packages
+  *** 40.2-1ubuntu6 500
+ 500 http://gb.archive.ubuntu.com/ubuntu impish/main amd64 Packages
  100 /var/lib/dpkg/status
  $ lsb_release -rd
  Description:  Ubuntu Impish Indri (development branch)
  Release:  21.10

** Package changed: gnome-session (Ubuntu) => gnome-shell (Ubuntu)


[Bug 1944431] Re: gnome-session impish 40 update login quickly causes desktop rather than activites overview

2021-09-21 Thread Andrew Hayzen
OK, I've figured out what is going on. If you are on the activities
overview and you change the resolution of the VM it then goes back to
the desktop.

I'll see if there are any bugs upstream as it happens on Fedora rawhide
as well ...

** Summary changed:

- gnome-session impish 40 update login quickly causes desktop rather than 
activites overview
+ Changing the resolution while in the activites overview changes to the desktop


[Bug 1944431] [NEW] gnome-session impish 40 update login quickly causes desktop rather than activites overview

2021-09-21 Thread Andrew Hayzen
Public bug reported:

What Happened
1) Installed the package gnome-session (ensuring it is the latest version)
2) At gdm picked "GNOME" and not "Ubuntu"
3) Reboot and login to the desktop
4) Notice that initially the activity overview is shown (correctly)
5) Then within a second or so, something causes the desktop to be focused and activity overview closed (incorrect)

Further notes:
- if you log out and log back in again, it doesn't happen ?
- if you wait on the gdm login for a long period of time (eg over a minute) then it doesn't happen ?
- this is *not* the Ubuntu session but the GNOME session

What I expected to happen:
At step 5 for the activity overview to stay and not switch to the desktop until the user has interacted.


I understand that the Ubuntu session with the dock enabled wants the desktop to
be the current state after login. But for the GNOME session with no extensions
enabled, the way that if one logs in quickly and something is triggering the
activity overview to be dismissed appears to be a bug.


$ apt policy gnome-session
gnome-session:
  Installed: 40.1.1-1ubuntu1
  Candidate: 40.1.1-1ubuntu1
  Version table:
 *** 40.1.1-1ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu impish/universe amd64 Packages
        500 http://gb.archive.ubuntu.com/ubuntu impish/universe i386 Packages
        100 /var/lib/dpkg/status
$ lsb_release -rd
Description:    Ubuntu Impish Indri (development branch)
Release:        21.10

** Affects: gnome-session (Ubuntu)
 Importance: Undecided
 Status: New


[Bug 1943769] Re: Update impish to 1.10.3 microrelease

2021-09-16 Thread Andrew Hayzen
Find attached a debdiff for Ubuntu impish which takes 1.10.2-3 to
1.10.3-0ubuntu1.

This is also available in a PPA here
https://launchpad.net/~ahayzen/+archive/ubuntu/flatpak-manual-uploads-1-10-3-clean-1-impish

** Attachment added: "flatpak_1.10.2-3.to.1.10.3-0ubuntu1.debdiff.gz"
   
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1943769/+attachment/5525773/+files/flatpak_1.10.2-3.to.1.10.3-0ubuntu1.debdiff.gz


[Bug 1943769] Re: Update impish to 1.10.3 microrelease

2021-09-15 Thread Andrew Hayzen
** Description changed:

- Placeholder
+ There is an upstream update to the 1.10 series, this allows us to drop
+ all patches as they are applied upstream.
+ 
+ Note we cannot sync from Debian as they have moved unstable to the pre-
+ release 1.11 series temporarily.
+ 
+ [Upstream changes]
+ This is a maintenance update with various bug fixes backported from 1.11.x.
+ 
+ Don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox, 
fixing a regression introduced when CVE-2021-21261 was fixed in 1.8.5 and 1.10.0
+ Fix various memory and file descriptor leaks, in particular with 
flatpak-spawn --env=...
+ Fix fd confusion in flatpak-spawn --env=... --forward-fd=..., resolving a 
regression introduced in 1.8.5 and 1.10.0
+ Fix deploys of local remotes in system-helper, possibly involving newer 
GLib versions
+ Fix test failures on non-x86_64 systems
+ create-usb: Skip copying extra-data flatpaks
+ Improve test coverage on Debian derivatives by ensuring /sbin is in 
tests' PATH
+ 
+ https://github.com/flatpak/flatpak/releases/tag/1.10.3


[Bug 1943769] [NEW] Update impish to 1.10.3 microrelease

2021-09-15 Thread Andrew Hayzen
Public bug reported:

Placeholder

** Affects: flatpak (Ubuntu)
 Importance: Undecided
 Assignee: Andrew Hayzen (ahayzen)
 Status: In Progress

** Changed in: flatpak (Ubuntu)
   Status: New => In Progress

** Changed in: flatpak (Ubuntu)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)


[Bug 1932335] Re: Steam won't update

2021-08-14 Thread Andrew Hayzen
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

This does seem curious, did you solve the issue? Were you able to
navigate to the download manifest via your web browser at the time of
the error?

Looking at later versions of the steam debian package, "curl" has been
added as a dependency to download updates, so you could try adding this
[0]. If that still doesn't work maybe try seeing if you are missing any
from the "Depends:" section [1].

Until there is more information, I am going to mark this as incomplete.

0 - https://salsa.debian.org/games-team/steam/-/commit/71720db980d7d8660727b5c40c845c7565441c94
1 - https://salsa.debian.org/games-team/steam/-/blob/debian/master/debian/control

** Changed in: steam (Ubuntu)
   Status: New => Incomplete


[Bug 1938351] [NEW] Merge steam 1.0.0.70-2 from debian experimental to ubuntu impish

2021-07-28 Thread Andrew Hayzen
Public bug reported:

Debian has a newer version of steam packaging available, let's merge the
changes into the Ubuntu version to bring us back into sync.

(1.0.0.70 is the current Steam stable release, 1.0.0.71 is the beta for
now. And Debian is in freeze, hence pulling from experimental).

** Affects: steam (Ubuntu)
 Importance: Undecided
 Assignee: Andrew Hayzen (ahayzen)
 Status: In Progress

** Changed in: steam (Ubuntu)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)

** Changed in: steam (Ubuntu)
   Status: New => In Progress


[Bug 1812456] Re: [MIR] libflatpak0

2021-06-19 Thread Andrew Hayzen
tl;dr; Flatpak currently considers remotes as trusted, so after you have
added one with a password at system level, you don't need a password to
install apps for that remote.

I don't know about how polkit rules work, but this is just a comment
describing what happens from a user perspective with flatpak. If you
want to tighten it, I suggest discussing with upstream to ensure docs or
any other assumptions etc are correct (please also ensure any changes
make it into Debian, generally we have been able to avoid diffs with
Debian so far - we do have a diff right now as Debian is in freeze).

- Flatpak has two locations that you can add remotes and install apps to, user level and system level. System level ones are available to all users, user level ones are available to just that user
- Adding a flatpak remote or installing an app at *user* level does not require any password

So far I think this all makes sense, the interesting part up for debate
is the next part.

- When a remote is added to flatpak at *system* level, it asks for a password to verify the remote
- When an app is installed at *system* level for this trusted remote, it installs without needing a password (as stated in previous comments, assuming the user is in the wheel group)

To try this out you can do the following commands, the remote-add and
remote-delete will need a password, the install and uninstall won't.

$ flatpak remote-add --if-not-exists kdeapps --from https://distribute.kde.org/kdeapps.flatpakrepo
$ flatpak install kdeapps org.kde.kate
$ flatpak uninstall org.kde.kate
$ flatpak remote-delete kdeapps


[Bug 1918482] Re: Update for CVE-2021-21381

2021-05-06 Thread Andrew Hayzen
I've also done some exploratory testing of .desktop icon related tests
from the test plan on a Bionic VM and things are working normally.

$ apt policy flatpak
flatpak:
  Installed: 1.0.9-0ubuntu0.3
  Candidate: 1.0.9-0ubuntu0.3
  Version table:
 *** 1.0.9-0ubuntu0.3 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.9-0ubuntu0.2 500
        500 http://gb.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
     0.11.3-3 500
        500 http://gb.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages


[Bug 1918482] Re: Update for CVE-2021-21381

2021-04-26 Thread Andrew Hayzen
@Steve Beattie, was there any progress on this or anything I can do to
help ? Or is it just stuck in a queue of items to be reviewed? :-)


[Bug 1918482] Re: Update for CVE-2021-21381

2021-04-08 Thread Andrew Hayzen
Thanks for reviewing these updates!

I've done some exploratory testing of .desktop icon related tests from
the test plan on a Focal VM and things are working normally.

$ apt policy flatpak
flatpak:
  Installed: 1.6.5-0ubuntu0.3
  Candidate: 1.6.5-0ubuntu0.3
  Version table:
 *** 1.6.5-0ubuntu0.3 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
     1.6.5-0ubuntu0.2 500
        500 http://gb.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
     1.6.3-1 500
        500 http://gb.archive.ubuntu.com/ubuntu focal/universe amd64 Packages

[Bug 1915492] Re: ayatana-indicator-keyboard-service crashed with SIGSEGV in keyboard_GetLayout()

2021-03-31 Thread Andrew Hayzen
Upstream bug is here
https://github.com/AyatanaIndicators/ayatana-indicator-keyboard/issues/5

** Bug watch added: github.com/AyatanaIndicators/ayatana-indicator-keyboard/issues #5
   https://github.com/AyatanaIndicators/ayatana-indicator-keyboard/issues/5

[Bug 1906535] Re: "Windows" Section/Setting Forces Window Button Placement To Left Side On Open

2021-03-27 Thread Andrew Hayzen
Reported a bug upstream with some analysis of the issue.
https://github.com/mate-desktop/mate-control-center/issues/640

** Bug watch added: github.com/mate-desktop/mate-control-center/issues #640
   https://github.com/mate-desktop/mate-control-center/issues/640

[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp

2021-03-11 Thread Andrew Hayzen
Hirsute now contains 1.10.2-1 with the fix, so I am marking it as fixed
released.

** Changed in: flatpak (Ubuntu)
   Status: In Progress => Fix Released

** Description changed:

  [Links]
  https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
  https://github.com/flatpak/flatpak/pull/4156
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859
+ https://security-tracker.debian.org/tracker/CVE-2021-21381
  
  [Impact]
  Versions in Ubuntu right now:
  Hirsute: 1.10.1-4
  Groovy: 1.8.2-1ubuntu0.1
  Focal: 1.6.5-0ubuntu0.2
  Bionic: 1.0.9-0ubuntu0.2
  
  Affected versions:
  >= 0.9.4
  
  Patched versions:
  >= 1.10.2
  
  [Test Case]
  
  No test case has been mentioned yet, but in the patches there are
  changes/additions to the unit tests.
  
  [Regression Potential]
  
  Flatpak has a test suite, which is run on build across all relevant
  architectures and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
  [Other information]
  
  Sandbox escape via special tokens in .desktop file (flatpak#4146)
  
  Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature 
which can be used by an attacker to gain access to files that would not 
ordinarily be allowed by the app's permissions.
  Impact
  
  By putting the special tokens @@ and/or @@u in the Exec field of a
  Flatpak app's .desktop file, a malicious app publisher can trick flatpak
  into behaving as though the user had chosen to open a target file with
  their Flatpak app, which automatically makes that file available to the
  Flatpak app.
  
  A minimal solution is the first commit "Disallow @@ and @@U usage in desktop 
files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: 
Refuse to export .desktop files with suspicious uses of @@ tokens" are 
recommended, but not strictly required.
  Workarounds
  
  Avoid installing Flatpak apps from untrusted sources, or check the contents 
of the exported .desktop files in exports/share/applications/*.desktop 
(typically ~/.local/share/flatpak/exports/share/applications/*.desktop and 
/var/lib/flatpak/exports/share/applications/*.desktop) to make sure that 
literal filenames do not follow @@ or @@u.
  References
  
  Acknowledgements
  
  Thanks to @AntonLydike for reporting this issue, and @refi64 for
  providing the initial solution.

[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp

2021-03-11 Thread Andrew Hayzen
This is now CVE-2021-21381, whoever comes to upload the debdiffs please
consider the following:

  * Please rename "- GHSA-xgh4-387p-hqpp" in the debian/changelog to
    "- CVE-2021-21381"
  * Please consider renaming the debian/patches from (for example)
    "GHSA-xgh4-387p-hqpp-1.patch" to "CVE-2021-21381-1.patch"

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21381

** Changed in: flatpak (Ubuntu Bionic)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)

** Changed in: flatpak (Ubuntu Focal)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)

** Changed in: flatpak (Ubuntu Groovy)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)

** Changed in: flatpak (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: flatpak (Ubuntu Focal)
   Status: New => In Progress

** Changed in: flatpak (Ubuntu Groovy)
   Status: New => In Progress

[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp

2021-03-10 Thread Andrew Hayzen
** Description changed:

  [Links]
  https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
  https://github.com/flatpak/flatpak/pull/4156
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859
  
  [Impact]
  Versions in Ubuntu right now:
  Hirsute: 1.10.1-4
  Groovy: 1.8.2-1ubuntu0.1
  Focal: 1.6.5-0ubuntu0.2
  Bionic: 1.0.9-0ubuntu0.2
  
  Affected versions:
  >= 0.9.4
  
  Patched versions:
  >= 1.10.2
  
  [Test Case]
  
  No test case has been mentioned yet, but in the patches there are
  changes/additions to the unit tests.
  
  [Regression Potential]
  
  Flatpak has a test suite, which is run on build across all relevant
  architectures and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
  [Other information]
  
  Sandbox escape via special tokens in .desktop file (flatpak#4146)
  
  Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature 
which can be used by an attacker to gain access to files that would not 
ordinarily be allowed by the app's permissions.
  Impact
  
  By putting the special tokens @@ and/or @@u in the Exec field of a
  Flatpak app's .desktop file, a malicious app publisher can trick flatpak
  into behaving as though the user had chosen to open a target file with
  their Flatpak app, which automatically makes that file available to the
  Flatpak app.
  
  A minimal solution is the first commit "Disallow @@ and @@U usage in desktop 
files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: 
Refuse to export .desktop files with suspicious uses of @@ tokens" are 
recommended, but not strictly required.
  Workarounds
  
  Avoid installing Flatpak apps from untrusted sources, or check the contents 
of the exported .desktop files in exports/share/applications/*.desktop 
(typically ~/.local/share/flatpak/exports/share/applications/*.desktop and 
/var/lib/flatpak/exports/share/applications/*.desktop) to make sure that 
literal filenames do not follow @@ or @@u.
  References
  
  Acknowledgements
  
  Thanks to @AntonLydike for reporting this issue, and @refi64 for
  providing the initial solution.

[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp

2021-03-10 Thread Andrew Hayzen
If someone has the permissions could they add bionic, focal, and groovy
as affected series?

[Bug 1918482] Re: Placeholder for GHSA-xgh4-387p-hqpp

2021-03-10 Thread Andrew Hayzen
This is the bionic debdiff.

** Description changed:

- Patches and description coming soon ! I need this to generate a LP bug
- number :-)
+ [Links]
+ https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
+ https://github.com/flatpak/flatpak/pull/4156
+ 
+ [Impact]
+ Versions in Ubuntu right now:
+ Hirsute: 1.10.1-4
+ Groovy: 1.8.2-1ubuntu0.1
+ Focal: 1.6.5-0ubuntu0.2
+ Bionic: 1.0.9-0ubuntu0.2
+ 
+ Affected versions:
+ >= 0.9.4
+ 
+ Patched versions:
+ >= 1.10.2
+ 
+ [Test Case]
+ 
+ No test case has been mentioned yet, but in the patches there are
+ changes/additions to the unit tests.
+ 
+ [Regression Potential]
+ 
+ Flatpak has a test suite, which is run on build across all relevant
+ architectures and passes.
+ 
+ There is also a manual test plan
+ https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
+ 
+ Flatpak has autopkgtests enabled
+ http://autopkgtest.ubuntu.com/packages/f/flatpak .
+ 
+ Regression potential is low, and upstream is very responsive to any
+ issues raised.
+ 
+ [Other information]
+ 
+ Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature 
which can be used by an attacker to gain access to files that would not 
ordinarily be allowed by the app's permissions.
+ Impact
+ 
+ By putting the special tokens @@ and/or @@u in the Exec field of a
+ Flatpak app's .desktop file, a malicious app publisher can trick flatpak
+ into behaving as though the user had chosen to open a target file with
+ their Flatpak app, which automatically makes that file available to the
+ Flatpak app.
+ 
+ A minimal solution is the first commit "Disallow @@ and @@U usage in desktop 
files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: 
Refuse to export .desktop files with suspicious uses of @@ tokens" are 
recommended, but not strictly required.
+ Workarounds
+ 
+ Avoid installing Flatpak apps from untrusted sources, or check the contents 
of the exported .desktop files in exports/share/applications/*.desktop 
(typically ~/.local/share/flatpak/exports/share/applications/*.desktop and 
/var/lib/flatpak/exports/share/applications/*.desktop) to make sure that 
literal filenames do not follow @@ or @@u.
+ References
+ 
+ Acknowledgements
+ 
+ Thanks to @AntonLydike for reporting this issue, and @refi64 for
+ providing the initial solution.

** Summary changed:

- Placeholder for GHSA-xgh4-387p-hqpp
+ Update for GHSA-xgh4-387p-hqpp

** Description changed:

  [Links]
  https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
  https://github.com/flatpak/flatpak/pull/4156
  
  [Impact]
  Versions in Ubuntu right now:
  Hirsute: 1.10.1-4
  Groovy: 1.8.2-1ubuntu0.1
  Focal: 1.6.5-0ubuntu0.2
  Bionic: 1.0.9-0ubuntu0.2
  
  Affected versions:
- >= 0.9.4
+ >= 0.9.4
  
  Patched versions:
- >= 1.10.2
+ >= 1.10.2
  
  [Test Case]
  
  No test case has been mentioned yet, but in the patches there are
  changes/additions to the unit tests.
  
  [Regression Potential]
  
  Flatpak has a test suite, which is run on build across all relevant
  architectures and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
  [Other information]
  
+ Sandbox escape via special tokens in .desktop file (flatpak#4146)
+ 
  Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature 
which can be used by an attacker to gain access to files that would not 
ordinarily be allowed by the app's permissions.
  Impact
  
  By putting the special tokens @@ and/or @@u in the Exec field of a
  Flatpak app's .desktop file, a malicious app publisher can trick flatpak
  into behaving as though the user had chosen to open a target file with
  their Flatpak app, which automatically makes that file available to the
  Flatpak app.
  
  A minimal solution is the first commit "Disallow @@ and @@U usage in desktop 
files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: 
Refuse to export .desktop files with suspicious uses of @@ tokens" are 
recommended, but not strictly required.
  Workarounds
  
  Avoid installing Flatpak apps from untrusted sources, or check the contents 
of the exported .desktop files in exports/share/applications/*.desktop 
(typically ~/.local/share/flatpak/exports/share/applications/*.desktop and 
/var/lib/flatpak/exports/share/applications/*.desktop) to make sure that 
literal filenames do not follow @@ or @@u.
  References
  
  Acknowledgements
  
  Thanks to @AntonLydike for reporting this issue, and @refi64 for
  providing the initial solution.

** Information type changed from Public to Public Security

** Attachment added: "[bionic] 
flatpak_1.0.9-0ubuntu0.2_to_flatpak_1.0.9-0ubuntu0.3.debdiff.gz"
   
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482
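
The workaround quoted in the bug description above (check exported .desktop files so that literal filenames do not follow @@ or @@u) can be automated. The following is an added example, not code from flatpak or from this bug report: the function names and sample files are constructed for illustration, shlex only approximates Exec quoting, and treating any other @@-prefixed token as suspect is an assumption based on the commit title "dir: Reserve the whole @@ prefix".

```python
import shlex
from pathlib import Path

# Export directories named in the advisory text quoted in the bug description.
EXPORT_DIRS = [
    Path.home() / ".local/share/flatpak/exports/share/applications",
    Path("/var/lib/flatpak/exports/share/applications"),
]
# Desktop Entry field codes that stand for a file or URI picked by the user.
FIELD_CODES = {"%f", "%F", "%u", "%U"}


def exec_values(text):
    """Yield (group, value) for each Exec key, including [Desktop Action ...] groups."""
    group = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Exec":
            yield group, value.strip()


def check_exec(value):
    """Return a list of problems with @@ tokens in one Exec value."""
    try:
        tokens = shlex.split(value)   # approximation of the Exec quoting rules
    except ValueError:
        tokens = value.split()        # unbalanced quotes: fall back to whitespace
    problems = []
    forwarding = False                # True between an opening @@/@@u and the closing @@
    for tok in tokens:
        if not forwarding:
            if tok in ("@@", "@@u"):
                forwarding = True
            elif tok.startswith("@@"):
                problems.append(f"unexpected token {tok!r} with reserved @@ prefix")
        elif tok == "@@":
            forwarding = False
        elif tok not in FIELD_CODES:
            # Anything other than a field code here is a path or URI chosen by
            # the publisher of the .desktop file, not by the user.
            problems.append(f"literal argument {tok!r} inside @@ ... @@")
    if forwarding:
        problems.append("unterminated @@ block")
    return problems


def scan_text(text):
    """Return [(group, problem), ...] for the contents of one .desktop file."""
    return [(g, p) for g, v in exec_values(text) for p in check_exec(v)]


def scan_dirs(dirs=EXPORT_DIRS):
    """Return [(path, group, problem), ...] for every *.desktop file in dirs."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for path in sorted(d.glob("*.desktop")):
            text = path.read_text(encoding="utf-8", errors="replace")
            findings += [(str(path), g, p) for g, p in scan_text(text)]
    return findings


# Constructed sample: the shape of a normally exported entry.
SAMPLE_OK = """[Desktop Entry]
Type=Application
Name=Example Viewer
Exec=/usr/bin/flatpak run --branch=stable --command=viewer --file-forwarding org.example.Viewer @@u %U @@
"""

# Constructed sample: a literal path between the tokens, and a malformed token.
SAMPLE_BAD = """[Desktop Entry]
Type=Application
Name=Example Viewer
Exec=/usr/bin/flatpak run --command=viewer --file-forwarding org.example.Viewer @@ /etc/hostname @@

[Desktop Action extra]
Name=Extra
Exec=/usr/bin/flatpak run --command=viewer --file-forwarding org.example.Viewer @@x %f @@
"""

if __name__ == "__main__":
    for path, group, problem in scan_dirs():
        print(f"{path} [{group}]: {problem}")
```

Run as a script it reports findings from the two export directories; an empty result on a patched system is expected, since the follow-up commits refuse to export such files.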

[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp

2021-03-10 Thread Andrew Hayzen
So we do not have a CVE yet, I believe one will be auto assigned via
github at some point (I don't know how long this takes :-) ).

I realised there is a typo in the bionic changelog "- GHSA-xgh4-387p-hqpp-1"
should be "- GHSA-xgh4-387p-hqpp". But once a CVE is available this line
will need to be replaced anyway?

For hirsute, 1.10.1-4 has the first commit from
https://github.com/flatpak/flatpak/pull/4156/commits but 1.10.2-1 has
just been submitted to debian sid with the full fixes, so should be
syncing shortly (
https://tracker.debian.org/news/1235768/accepted-flatpak-1102-1-source-into-unstable/
).

I have not performed any deep testing yet, I have only built the bionic
and focal debdiffs in a PPA (I was surprised that the patches still
applied cleanly for bionic so wanted to check that, as the line numbers
are quite different).

[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp

2021-03-10 Thread Andrew Hayzen
This is the focal debdiff.

** Attachment added: "[focal] flatpak_1.6.5-0ubuntu0.2_to_flatpak_1.6.5-0ubuntu0.3.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482/+attachment/5475503/+files/flatpak_1.6.5-0ubuntu0.2_to_flatpak_1.6.5-0ubuntu0.3.debdiff.gz

[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp

2021-03-10 Thread Andrew Hayzen
This is the groovy debdiff.

** Attachment added: "[groovy] flatpak_1.8.2-1ubuntu0.1_to_flatpak_1.8.2-1ubuntu0.2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482/+attachment/5475504/+files/flatpak_1.8.2-1ubuntu0.1_to_flatpak_1.8.2-1ubuntu0.2.debdiff.gz

[Bug 1918482] [NEW] Placeholder for GHSA-xgh4-387p-hqpp

2021-03-10 Thread Andrew Hayzen
Public bug reported:

Patches and description coming soon! I need this to generate a LP bug
number :-)

** Affects: flatpak (Ubuntu)
 Importance: Undecided
 Assignee: Andrew Hayzen (ahayzen)
 Status: In Progress

** Changed in: flatpak (Ubuntu)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)

** Changed in: flatpak (Ubuntu)
   Status: New => In Progress

[Bug 1730612] Re: Enable Remote desktop feature during build

2021-02-20 Thread Andrew Hayzen
@jik, I think that you need the package gnome-remote-desktop, this has a
MIR request in bug 1802614. And then another package will need to
recommend it to have it installed by default, you can follow this on the
Trello board here
https://trello.com/c/NnUq5bHv/15-mir-gnome-remote-desktop-and-seed-recommend-it

[Bug 1912902] Re: Merge steam 1.0.0.68-1 from debian sid to ubuntu hirsute

2021-01-27 Thread Andrew Hayzen
** Description changed:

- Placeholder as we merge the latest changes from Debian sid to Ubuntu
- hirsute.
+ Debian has a newer version of steam packaging available, let's merge the
+ changes into the Ubuntu version to bring us back into sync.

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-27 Thread Andrew Hayzen
@Paulo, was there any progress on this or anything you need help with?
I've posted debdiffs for focal and groovy. Sounds like you have a diff
for bionic.

Let me know if there is anything I can do to help this move to the next
step :-)

[Bug 1912902] [NEW] Merge steam 1.0.0.68-1 from debian sid to ubuntu hirsute

2021-01-23 Thread Andrew Hayzen
Public bug reported:

Placeholder as we merge the latest changes from Debian sid to Ubuntu
hirsute.

** Affects: steam (Ubuntu)
 Importance: Undecided
 Assignee: Andrew Hayzen (ahayzen)
 Status: In Progress

** Changed in: steam (Ubuntu)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)

** Changed in: steam (Ubuntu)
   Status: New => In Progress

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-21 Thread Andrew Hayzen
Please find attached the debdiff for Ubuntu 20.10 groovy. This includes
a similar set of patches to the focal set and has been picked from
between the 1.8.4 and 1.8.5 tags.

Let me know if anything has been done incorrectly or if I have missed
any commits.

I will leave it up to the security team to decide if Ubuntu should also
include the extra setuid patches provided by upstream in any of these
debdiffs.

** Attachment added: "flatpak_1.8.2-1_to_1.8.2-1ubuntu0.1.debdiff.gz"
   https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1911473/+attachment/5455341/+files/flatpak_1.8.2-1_to_1.8.2-1ubuntu0.1.debdiff.gz

** Changed in: flatpak (Ubuntu Groovy)
   Status: New => In Progress

[Bug 1910866] Re: nvme drive fails after some time

2021-01-21 Thread Andrew Hayzen
@Kleber I have installed the focal hwe kernel from proposed (as seen
below). So far when A/B testing this kernel it is working correctly :-)
I will continue running this kernel and report any issues I have.

Also note that I have been continuously running the test kernel (from
comment 22) since last week and it has worked perfectly so far :-)

I look forward to this migrating from -proposed into focal.

$ uname -a
Linux xps-13-9360 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ apt policy linux-generic-hwe-20.04
linux-generic-hwe-20.04:
  Installed: 5.8.0.41.46~20.04.27
  Candidate: 5.8.0.41.46~20.04.27
  Version table:
 *** 5.8.0.41.46~20.04.27 500
        500 http://gb.archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     5.8.0.40.45~20.04.25 500
        500 http://gb.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
     5.8.0.38.43~20.04.23 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     5.4.0.26.32 500
        500 http://gb.archive.ubuntu.com/ubuntu focal/main amd64 Packages

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-21 Thread Andrew Hayzen
@Paulo, Thanks!

BTW smcv just pointed out two more potential patches that could be
included in the focal 1.6 patch, these are only for users that use
setuid on the bubblewrap binary though (users who disable user
namespaces - like Debian). It would be up to us if we want to include
them. See
https://github.com/flatpak/flatpak/pull/4070#issuecomment-764664659 I
can try and include these extra two commits if you think it is useful,
but not sure how many users would do this or if it would be considered
"supported"?

For bionic note that the flatpak-1.2.x branch has the fixes applied
(with extra setuid patches here
https://github.com/flatpak/flatpak/pull/4087 ) these may help for
figuring out 1.0.x

And what would the security team prefer to do for groovy? We could
either sync 1.8.5 from hirsute or apply the patches to 1.8.2? (although
looks like 1.10.0-2 is in hirsute-proposed, so might have to be quick
:') unless we can sync an older version somehow)

Please advise if you want me to attempt any other areas :-)

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-15 Thread Andrew Hayzen
1.8.5 has landed in hirsute now, so marking hirsute as fixed released.

** Changed in: flatpak (Ubuntu Hirsute)
   Status: In Progress => Fix Released

[Bug 1910866] Re: nvme drive fails after some time

2021-01-15 Thread Andrew Hayzen
@Marcelo So far it looks good :-) It passes the "fio" command test when
A/B testing between a known bad kernel and this new kernel. I will
continue running it on this machine over the weekend to ensure longer
usage doesn't have any remaining issues - but looks like it resolves the
issue so far :-D Thanks!

$ uname -a
Linux xps-13-9360 5.8.0-38-generic #43+lp1910866 SMP Fri Jan 15 20:29:27 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

[Bug 1910866] Re: nvme drive fails after some time

2021-01-15 Thread Andrew Hayzen
Thanks! I'll take a look :-)

[Bug 1910866] Re: nvme drive fails after some time

2021-01-15 Thread Andrew Hayzen
@kaihengfeng Thanks for the quick response!  bug 1908555 linked there
only lists groovy as a target series, I hope that this will also be
applied to the focal HWE kernel :-)

Also I am happy to test any kernel in a -proposed channel or PPA to
confirm it fixes the issue if that helps :-)

[Bug 1910866] Re: nvme drive fails after some time

2021-01-15 Thread Andrew Hayzen
@kaihengfeng

So v5.7 was fine and after many reboots it has been found that this
commit below introduced the issue.

Do I also need to find when the issue was resolved? (between v5.8-rc1
and v5.9.10) or is this information enough?


54b2fcee1db041a83b52b51752dade6090cf952f is the first bad commit
commit 54b2fcee1db041a83b52b51752dade6090cf952f
Author: Keith Busch 
Date:   Mon Apr 27 11:54:46 2020 -0700

    nvme-pci: remove last_sq_tail

    The nvme driver does not have enough tags to wrap the queue, and blk-mq
    will no longer call commit_rqs() when there are no new submissions to
    notify.

    Signed-off-by: Keith Busch 
    Reviewed-by: Sagi Grimberg 
    Signed-off-by: Christoph Hellwig 
    Signed-off-by: Jens Axboe 

 drivers/nvme/host/pci.c | 23 ---
 1 file changed, 4 insertions(+), 19 deletions(-)


And my $ git bisect log is the following FWIW.
git bisect start
# good: [3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162] Linux 5.7
git bisect good 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162
# bad: [b3a9e3b9622ae10064826dccb4f7a52bd88c7407] Linux 5.8-rc1
git bisect bad b3a9e3b9622ae10064826dccb4f7a52bd88c7407
# bad: [ee01c4d72adffb7d424535adf630f2955748fa8b] Merge branch 'akpm' (patches from Andrew)
git bisect bad ee01c4d72adffb7d424535adf630f2955748fa8b
# bad: [16d91548d1057691979de4686693f0ff92f46000] Merge tag 'xfs-5.8-merge-8' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
git bisect bad 16d91548d1057691979de4686693f0ff92f46000
# good: [cfa3b8068b09f25037146bfd5eed041b78878bee] Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
git bisect good cfa3b8068b09f25037146bfd5eed041b78878bee
# good: [3fd911b69b3117e03181262fc19ae6c3ef6962ce] Merge tag 'drm-misc-next-2020-05-07' of git://anongit.freedesktop.org/drm/drm-misc into drm-next
git bisect good 3fd911b69b3117e03181262fc19ae6c3ef6962ce
# good: [1966391fa576e1fb2701be8bcca197d8f72737b7] mm/migrate.c: attach_page_private already does the get_page
git bisect good 1966391fa576e1fb2701be8bcca197d8f72737b7
# bad: [0c8d3fceade2ab1bbac68bca013e62bfdb851d19] bcache: configure the asynchronous registertion to be experimental
git bisect bad 0c8d3fceade2ab1bbac68bca013e62bfdb851d19
# bad: [84b8d0d7aa159652dc191d58c4d353b6c9173c54] nvmet: use type-name map for ana states
git bisect bad 84b8d0d7aa159652dc191d58c4d353b6c9173c54
# good: [72e6329f86c714785ac195d293cb19dd24507880] nvme-fc and nvmet-fc: revise LLDD api for LS reception and LS request
git bisect good 72e6329f86c714785ac195d293cb19dd24507880
# good: [e4fcc72c1a420bdbe425530dd19724214ceb44ec] nvmet-fc: slight cleanup for kbuild test warnings
git bisect good e4fcc72c1a420bdbe425530dd19724214ceb44ec
# good: [31fdad7be18992606078caed6ff71741fa76310a] nvme: consolodate io settings
git bisect good 31fdad7be18992606078caed6ff71741fa76310a
# bad: [2a5bcfdd41d68559567cec3c124a75e093506cc1] nvme-pci: align io queue count with allocted nvme_queue in nvme_probe
git bisect bad 2a5bcfdd41d68559567cec3c124a75e093506cc1
# good: [6623c5b3dfa5513190d729a8516db7a5163ec7de] nvme: clean up error handling in nvme_init_ns_head
git bisect good 6623c5b3dfa5513190d729a8516db7a5163ec7de
# good: [74943d45eef4db64b1e5c9f7ad1d018576e113c5] nvme-pci: remove volatile cqes
git bisect good 74943d45eef4db64b1e5c9f7ad1d018576e113c5
# bad: [54b2fcee1db041a83b52b51752dade6090cf952f] nvme-pci: remove last_sq_tail
git bisect bad 54b2fcee1db041a83b52b51752dade6090cf952f
# first bad commit: [54b2fcee1db041a83b52b51752dade6090cf952f] nvme-pci: remove last_sq_tail

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1910866

Title:
  nvme drive fails after some time

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1910866/+subscriptions


[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-15 Thread Andrew Hayzen
** Changed in: flatpak (Ubuntu Focal)
   Status: New => In Progress

** Changed in: flatpak (Ubuntu Focal)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1911473

Title:
  Update for ghsa-4ppf-fxf6-vxg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1911473/+subscriptions


[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-14 Thread Andrew Hayzen
If anyone has the permission to propose this bug for the series, bionic,
focal, and groovy that would be useful :-)

** Description changed:

+ [Links]
+ 
+ Upstream Advisory: 
https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
+ Debian: https://security-tracker.debian.org/tracker/CVE-2021-21261
+ DSA: https://security-tracker.debian.org/tracker/DSA-4830-1
+ 
  [Impact]
  
  Versions in Ubuntu right now:
  Hirsute: 1.8.4-2
  Groovy: 1.8.2-1
  Focal: 1.6.5-0ubuntu0.1
  Bionic: 1.0.9-0ubuntu0.1
  
  Affected versions:
  >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5
  
  Patched versions:
  Expected to be >= 1.9.4, 1.8.x >= 1.8.5
  
  There are also branches with patches for 1.6.x (Ubuntu 20.04), but
  nothing available yet for 1.0.x (Ubuntu 18.04).
  
  [Test Case]
  
  No test case has been mentioned yet, but in the patches there are
  changes/additions to the unit tests.
  
  [Regression Potential]
  
  Flatpak has a test suite, which is run on build across all architectures
  and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
  [Other information]
  
  Simon McVittie discovered a bug in the flatpak-portal service that can
  allow sandboxed applications to execute arbitrary code on the host
  system (a sandbox escape).
  
  The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus 
service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox 
to launch their own subprocesses in a new sandbox instance, either with the 
same security settings as the caller or with
  more restrictive security settings. For example, this is used in 
Flatpak-packaged web browsers such as Chromium to launch subprocesses
  that will process untrusted web content, and give those subprocesses a more 
restrictive sandbox than the browser itself.
  
  In vulnerable versions, the Flatpak portal service passes caller-
  specified environment variables to non-sandboxed processes on the host
  system, and in particular to the flatpak run command that is used to
  launch the new sandbox instance. A malicious or compromised Flatpak app
  could set environment variables that are trusted by the flatpak run
  command, and use them to execute arbitrary code that is not in a
  sandbox.
- 
- https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-
- fxf6-vxg2
- 
- Debian: https://security-tracker.debian.org/tracker/CVE-2021-21261

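
The flaw described under [Other information] in the bug description above, reduced to its pattern as an added example (not Flatpak's code and not part of the thread): a launcher that merges caller-supplied variables into the environment of an unsandboxed helper, beside one that leaves the helper's environment alone and hands the caller's variables over as data for the sandboxed child only. The helper is a stand-in Python child process, and every name, including DEMO_HELPER_SETTING, is constructed for illustration.

```python
"""Added illustration, not Flatpak code: where caller-supplied environment
variables end up when a service launches an unsandboxed helper for a caller."""
import json
import os
import subprocess
import sys

# Stand-in for the unsandboxed host-side helper (the role the description
# gives to "flatpak run"). It reports its own environment and the variables
# it was told, as data, to set for the sandboxed child it would start.
HELPER_SOURCE = """
import json, os, sys
child_env = json.loads(sys.stdin.read())
json.dump({"helper_env": dict(os.environ), "child_env": child_env}, sys.stdout)
"""


def _run_helper(helper_env, child_env):
    """Start the helper with helper_env; pass child_env as JSON on stdin."""
    proc = subprocess.run(
        [sys.executable, "-c", HELPER_SOURCE],
        input=json.dumps(child_env),
        env=helper_env,
        capture_output=True,
        text=True,
        check=True,
    )
    return json.loads(proc.stdout)


def launch_vulnerable(caller_env):
    """Pattern from the description: caller variables are merged into the
    environment of the unsandboxed helper itself."""
    helper_env = dict(os.environ)
    helper_env.update(caller_env)  # untrusted input now configures the helper
    return _run_helper(helper_env, {})


def validate_caller_env(caller_env):
    """Reject entries that cannot form a well-formed NAME=value pair."""
    checked = {}
    for name, value in caller_env.items():
        if not isinstance(name, str) or not isinstance(value, str):
            raise ValueError("environment names and values must be strings")
        if not name or "=" in name or "\0" in name or "\0" in value:
            raise ValueError(f"malformed environment entry: {name!r}")
        checked[name] = value
    return checked


def launch_hardened(caller_env):
    """The helper runs with the service's own environment only; the caller's
    variables travel as data and apply to the sandboxed child alone."""
    return _run_helper(dict(os.environ), validate_caller_env(caller_env))


if __name__ == "__main__":
    request = {"DEMO_HELPER_SETTING": "caller-controlled"}  # constructed input
    for launch in (launch_vulnerable, launch_hardened):
        seen = launch(request)
        print(launch.__name__,
              "helper sees it:", "DEMO_HELPER_SETTING" in seen["helper_env"],
              "child gets it:", "DEMO_HELPER_SETTING" in seen["child_env"])
```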

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-14 Thread Andrew Hayzen
Please find attached the debdiff for Ubuntu 20.04 focal. I have tested
this using the manual test plan in a VM and built in a PPA.

Let me know if anything has been done incorrectly.

** Summary changed:

- Placeholder for ghsa-4ppf-fxf6-vxg2
+ Update for ghsa-4ppf-fxf6-vxg2

** Description changed:

- Placeholder for ghsa-4ppf-fxf6-vxg2 as I prepare the debdiffs.
- 
  [Impact]
  
  Versions in Ubuntu right now:
  Hirsute: 1.8.4-2
  Groovy: 1.8.2-1
  Focal: 1.6.5-0ubuntu0.1
  Bionic: 1.0.9-0ubuntu0.1
  
  Affected versions:
  >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5
  
  Patched versions:
  Expected to be >= 1.9.4, 1.8.x >= 1.8.5
  
  There are also branches with patches for 1.6.x (Ubuntu 20.04), but
  nothing available yet for 1.0.x (Ubuntu 18.04).
  
  [Test Case]
  
  No test case has been mentioned yet, but in the patches there are
  changes/additions to the unit tests.
  
  [Regression Potential]
  
  Flatpak has a test suite, which is run on build across all architectures
  and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
  [Other information]
  
  Simon McVittie discovered a bug in the flatpak-portal service that can
  allow sandboxed applications to execute arbitrary code on the host
  system (a sandbox escape).
  
  The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus 
service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox 
to launch their own subprocesses in a new sandbox instance, either with the 
same security settings as the caller or with
  more restrictive security settings. For example, this is used in 
Flatpak-packaged web browsers such as Chromium to launch subprocesses
  that will process untrusted web content, and give those subprocesses a more 
restrictive sandbox than the browser itself.
  
  In vulnerable versions, the Flatpak portal service passes caller-
  specified environment variables to non-sandboxed processes on the host
  system, and in particular to the flatpak run command that is used to
  launch the new sandbox instance. A malicious or compromised Flatpak app
  could set environment variables that are trusted by the flatpak run
  command, and use them to execute arbitrary code that is not in a
  sandbox.
  
  https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-
  fxf6-vxg2
  
- Debian: https://security-tracker.debian.org/tracker/TEMP-000-73A644
- (temporary)
+ Debian: https://security-tracker.debian.org/tracker/CVE-2021-21261

** Attachment added: "flatpak_1.6.5-0ubuntu0.1_to_1.6.5-0ubuntu0.2.debdiff.gz"
   
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1911473/+attachment/5453101/+files/flatpak_1.6.5-0ubuntu0.1_to_1.6.5-0ubuntu0.2.debdiff.gz

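
An added example (not part of the thread) that applies the affected range from the description to the package versions it lists, and shows why a focal package with the backported fix still looks affected when only the upstream range is checked. The function names are hypothetical, the version comparison is a compact reimplementation of dpkg's ordering (on a real system `dpkg --compare-versions` does this), and the focal fix version is taken from the debdiff attachment name above.

```python
"""Added illustration: classify flatpak package versions against the affected
range quoted in the bug description, allowing for distro backports."""

# Upstream range from the description:
# ">= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5".
FIRST_AFFECTED = "0.11.4"
FIRST_FIXED_DEVEL = "1.9.4"
FIRST_FIXED_STABLE = "1.8.5"

# Per-series package version carrying a backported fix. The focal value is
# the target version in the debdiff attachment name in this thread; other
# series would be added once their updates exist.
BACKPORTED_FIX = {"focal": "1.6.5-0ubuntu0.2"}


def _order(ch):
    """dpkg character order: '~' first, then end/digits, letters, the rest."""
    if ch == "~":
        return -1
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare one upstream-version or revision string as dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run, compared character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = _order(a[i] if i < len(a) else "")
            cb = _order(b[j] if j < len(b) else "")
            if ca != cb:
                return -1 if ca < cb else 1
            i += 1
            j += 1
        # Digit run, compared numerically (an empty run counts as 0).
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(version):
    """'1.6.5-0ubuntu0.1' -> (0, '1.6.5', '0ubuntu0.1')."""
    epoch, rest = "0", version
    if ":" in version:
        epoch, rest = version.split(":", 1)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def deb_cmp(a, b):
    """Return -1, 0 or 1 for full Debian version strings a and b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def upstream_affected(version):
    """True if the upstream part falls in the range quoted in the description."""
    _, upstream, _ = split_version(version)
    if _cmp_fragment(upstream, FIRST_AFFECTED) < 0:
        return False
    if _cmp_fragment(upstream, FIRST_FIXED_DEVEL) >= 0:
        return False
    if upstream.startswith("1.8.") and _cmp_fragment(upstream, FIRST_FIXED_STABLE) >= 0:
        return False
    return True


def classify(series, version):
    """'not affected', 'fixed by backport' or 'affected' for one package."""
    if not upstream_affected(version):
        return "not affected"
    fix = BACKPORTED_FIX.get(series)
    if fix is not None and deb_cmp(version, fix) >= 0:
        return "fixed by backport"
    return "affected"


if __name__ == "__main__":
    # "Versions in Ubuntu right now" from the description, plus the focal
    # version the debdiff produces.
    for series, version in [("hirsute", "1.8.4-2"), ("groovy", "1.8.2-1"),
                            ("focal", "1.6.5-0ubuntu0.1"),
                            ("focal", "1.6.5-0ubuntu0.2"),
                            ("bionic", "1.0.9-0ubuntu0.1")]:
        print(f"{series:8} {version:20} {classify(series, version)}")
```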

[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2

2021-01-14 Thread Andrew Hayzen
Also note that hirsute now has 1.8.5 in hirsute-proposed (which contains
the fix), although it looks like s390x has failed in the tests - I
wonder if a retest will make it pass or if it is a genuine failure.


[Bug 1911473] Re: Placeholder for ghsa-4ppf-fxf6-vxg2

2021-01-14 Thread Andrew Hayzen
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21261


[Bug 1911473] Re: Placeholder for ghsa-4ppf-fxf6-vxg2

2021-01-14 Thread Andrew Hayzen
@Paulo

hirsute - can sync 1.8.5 from Debian sid which contains the fix.
groovy - is a tricky one as it is one step behind in terms of microreleases (1.8.3) so either needs backporting or bumping to 1.8.5
focal - upstream have created a branch for me with relevant patches that allow it to build, but is untested (I plan on doing this later tonight)
bionic - there is no branch upstream for this series yet, we would need to figure out patches


[Bug 1911473] Re: Placeholder for ghsa-4ppf-fxf6-vxg2

2021-01-14 Thread Andrew Hayzen
@Paulo, Hi yes there is no CVE yet, but I believe upstream have
requested one via github (I can see it says one has been requested). I
will also try to submit debdiffs for Ubuntu 20.04 shortly (hopefully
later tonight if testing goes well).


[Bug 1911473] Re: Placeholder for ghsa-4ppf-fxf6-vxg2

2021-01-14 Thread Andrew Hayzen
This is now public.

** Information type changed from Private Security to Public Security

** Description changed:

  Placeholder for ghsa-4ppf-fxf6-vxg2 as I prepare the debdiffs.
  
  This issue will be made public I believe on 14/01/2021 daytime CET.
- 
  
  [Impact]
  
  Versions in Ubuntu right now:
  Hirsute: 1.8.4-2
  Groovy: 1.8.2-1
  Focal: 1.6.5-0ubuntu0.1
  Bionic: 1.0.9-0ubuntu0.1
  
  Affected versions:
- >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5 
+ >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5
  
  Patched versions:
- Expected to be >= 1.9.4, 1.8.x >= 1.8.5 
+ Expected to be >= 1.9.4, 1.8.x >= 1.8.5
  
  There are also branches with patches for 1.6.x (Ubuntu 20.04), but
  nothing available yet for 1.0.x (Ubuntu 18.04).
  
  [Test Case]
  
  No test case has been mentioned yet, but in the patches there are
  changes/additions to the unit tests.
  
  [Regression Potential]
  
  Flatpak has a test suite, which is run on build across all architectures
  and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
  [Other information]
  
  Simon McVittie discovered a bug in the flatpak-portal service that can
  allow sandboxed applications to execute arbitrary code on the host
  system (a sandbox escape).
  
  The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus 
service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox 
to launch their own subprocesses in a new sandbox instance, either with the 
same security settings as the caller or with
  more restrictive security settings. For example, this is used in 
Flatpak-packaged web browsers such as Chromium to launch subprocesses
  that will process untrusted web content, and give those subprocesses a more 
restrictive sandbox than the browser itself.
  
  In vulnerable versions, the Flatpak portal service passes caller-
  specified environment variables to non-sandboxed processes on the host
  system, and in particular to the flatpak run command that is used to
  launch the new sandbox instance. A malicious or compromised Flatpak app
  could set environment variables that are trusted by the flatpak run
  command, and use them to execute arbitrary code that is not in a
  sandbox.
  
  https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-
  fxf6-vxg2
+ 
+ Debian: https://security-tracker.debian.org/tracker/TEMP-000-73A644
+ (temporary)

** Description changed:

  Placeholder for ghsa-4ppf-fxf6-vxg2 as I prepare the debdiffs.
- 
- This issue will be made public I believe on 14/01/2021 daytime CET.
  
  [Impact]
  
  Versions in Ubuntu right now:
  Hirsute: 1.8.4-2
  Groovy: 1.8.2-1
  Focal: 1.6.5-0ubuntu0.1
  Bionic: 1.0.9-0ubuntu0.1
  
  Affected versions:
  >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5
  
  Patched versions:
  Expected to be >= 1.9.4, 1.8.x >= 1.8.5
  
  There are also branches with patches for 1.6.x (Ubuntu 20.04), but
  nothing available yet for 1.0.x (Ubuntu 18.04).
  
  [Test Case]
  
  No test case has been mentioned yet, but in the patches there are
  changes/additions to the unit tests.
  
  [Regression Potential]
  
  Flatpak has a test suite, which is run on build across all architectures
  and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
  [Other information]
  
  Simon McVittie discovered a bug in the flatpak-portal service that can
  allow sandboxed applications to execute arbitrary code on the host
  system (a sandbox escape).
  
  The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus 
service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox 
to launch their own subprocesses in a new sandbox instance, either with the 
same security settings as the caller or with
  more restrictive security settings. For example, this is used in 
Flatpak-packaged web browsers such as Chromium to launch subprocesses
  that will process untrusted web content, and give those subprocesses a more 
restrictive sandbox than the browser itself.
  
  In vulnerable versions, the Flatpak portal service passes caller-
  specified environment variables to non-sandboxed processes on the host
  system, and in particular to the flatpak run command that is used to
  launch the new sandbox instance. A malicious or compromised Flatpak app
  could set environment variables that are trusted by the flatpak run
  command, and use them to execute arbitrary code that is not in a
  sandbox.
  
  https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-
  

[Bug 1910866] Re: nvme drive fails after some time

2021-01-12 Thread Andrew Hayzen
And the bisect between 5.4.78 (good) and 5.8.18 (bad).

The following results with the mainline kernel
v5.8.18/    FAIL
v5.8.4/     FAIL
v5.8-rc5/   FAIL
v5.8-rc1/   FAIL
v5.7.19/    PASS
v5.7.18/    PASS
v5.7.16/    PASS
v5.6.14/    PASS
v5.4.78/    PASS

From these and the previous comment's results it appears that the issue
was introduced with 5.8-rc1 and then was fixed with 5.9.9 or 5.9.10.
(it is unfortunate that 5.9.9 is missing so I cannot try it).

@kaihengfeng let me know if there is any other information I can
provide.


[Bug 1910866] Re: nvme drive fails after some time

2021-01-12 Thread Andrew Hayzen
So bisecting between 5.8.18 (bad) and 5.11-rc3 (good).

The following results with the mainline kernel
v5.11-rc3/  PASS
v5.9.12/    PASS
v5.9.10/    PASS
v5.9.9/     MISSING
v5.9.8/     FAIL (could not boot long enough for full test)
v5.9.7/     FAIL (could not boot long enough for full test)
v5.9.2/     FAIL (could not boot long enough for full test)
v5.8.18/    FAIL

Note that 5.9.2, 5.9.7, 5.9.8 all crashed during either boot or logging
in (but after performing REISUB they all entered the Dell BIOS/recovery
stating that the hard disk could not be found, so I assume this is the
same failure).

From these results it appears that between 5.9.8 and 5.9.10 it was
fixed.


[Bug 1910866] Re: nvme drive fails after some time

2021-01-12 Thread Andrew Hayzen
OK, so using https://people.canonical.com/~kernel/info/kernel-version-map.html
that states that Ubuntu kernel 5.8.0-36.40~20.04.1 matches mainline
version 5.8.18. I have installed 5.8.18 and it fails! So it is not the
Ubuntu patches.

Ubuntu Kernels:
linux-image-5.4.0-59-generic: PASS
linux-image-5.8.0-36-generic: FAIL

Mainline Kernels:
linux-image-unsigned-5.8.18-050818-generic: FAIL
linux-image-unsigned-5.11.0-051100rc3-generic: PASS

I'll see if I can find where it changes from FAIL to PASS between 5.8.18
in the mainline kernels. Please advise if I should also/instead compare
between 5.4 and 5.8.18 :-)


[Bug 1910866] Re: nvme drive fails after some time

2021-01-12 Thread Andrew Hayzen
@kaihengfeng

I have found that running the command "fio --name=basic
--directory=/path/to/empty/directory --size=1G --rw=randrw --numjobs=4
--loops=5" runs fine on linux-image-5.4.0-59-generic but when trying
with linux-image-5.8.0-36-generic it would freeze the system in the
"Laying out IO file" stage. I checked with two subsequent boots that the
5.8 does fail like this on an empty directory and will now use this as
my "test" if a kernel works or not.

I have installed the 5.11 rc3 mainline kernel you linked, note I have
had to disable secure boot to be able to use it. But this kernel worked
successfully on two boots with the fio test above.

So in summary so far on my system with the fio test:
linux-image-5.4.0-59-generic: PASS
linux-image-5.8.0-36-generic: FAIL
linux-image-unsigned-5.11.0-051100rc3-generic: PASS

Please advise how to proceed here, should I start manually picking (by
bisecting) kernels between 5.8 and 5.11 or between 5.4 and 5.8?

Also I guess I should also try 5.8 mainline to ensure that any Ubuntu
patches aren't causing an issue?


[Bug 1910866] Re: nvme drive fails after some time

2021-01-11 Thread Andrew Hayzen
FYI I have captured the `sudo lspci -vv` output on the kernel 5.8
*before* the issue here https://pastebin.ubuntu.com/p/GtZyTWzKTd/ it is
subtly different to the 5.4 kernel (which has not had the issue) in case
that mattered.

I was also able to reproduce the issue again by causing high disk I/O,
specifically I needed to have writes occurring for it to happen (I was
recursive grep'ing the whole filesystem while installing apt/pip
packages inside a docker container).

This then froze the system for 120 seconds until write timeouts
occurred, then the disk was remounted as read-only. After this point
commands on the system would fail with I/O errors (even basic ones such
as "top", although some such as "mount" still work).

However our plan was to try to retrieve more information by copying the
lspci binary and libs into a tmpfs system in RAM, so it'd still be
accessible when the disk stopped. This almost worked, but it appears a
few more configuration files would need to be placed in RAM (I could run
"lspci --help" but not "lspci" or "lspci -vv"). Instead popey has
suggested maybe using a USB key with debootstrap/chroot. (Any
suggestions of how we can retrieve more information at this point are
welcome and any commands that would be useful to run).

Also as a note, if I use REISUB (
https://en.m.wikipedia.org/wiki/Magic_SysRq_key#Uses ) to reboot the
machine it enters a Dell BIOS/recovery thing that states that "No Hard
Disk is found". Then after a full power off the machine works again.


[Bug 1910866] Re: nvme drive fails after some time

2021-01-11 Thread Andrew Hayzen
Note for me it is happening quite rapidly (sometimes after 5-10 minutes)
of high disk load. E.g. the first times it happened when apt was running
update-grub and then when pip3 install was running. Then to capture the
logs above I started a `find /` and `find ~` at the same time and this
was enough to break it.


[Bug 1910866] Re: nvme drive fails after some time

2021-01-11 Thread Andrew Hayzen
@kaihengfeng Yes this is a regression after the upgrade from 5.4 to
5.8. After the upgrade I had it multiple times and now I have switched
back to 5.4 my machine is stable again.

I do not think I can run `lspci -vv` *after* the issue happens, as my
NVMe drive goes read-only, so all commands fail.

This is the output of `sudo lspci -vv` on the kernel 5.4 and *before* it
happens https://pastebin.ubuntu.com/p/tCshwbhpqs/  Let me know if also
running this on 5.8 *before* it happens could be useful or not.

@popey are you able to run this command before and after it happens with
your dual disk system?


[Bug 1291429] Re: Missing dependencies libudev1:i386

2021-01-10 Thread Andrew Hayzen
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

From what I can see libudev1 has been a depends for a while in the
Debian and Ubuntu Steam packaging and on my system Steam has correctly
installed libudev1:i386. Therefore I am going to mark this bug as fixed
released.

** Changed in: steam (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1291429

Title:
  Missing dependencies libudev1:i386

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/steam/+bug/1291429/+subscriptions


[Bug 1793613] Re: package steam:i386 1:1.0.0.48-1ubuntu4 failed to install/upgrade: o pacote steam:i386 não está pronto para configuração não pode configurar (status actual `half-installed')

2021-01-10 Thread Andrew Hayzen
*** This bug is a duplicate of bug 1584298 ***
https://bugs.launchpad.net/bugs/1584298

Thank you for taking the time to report this bug and helping to make
Ubuntu better. This particular bug has already been reported and is a
duplicate of bug 1584298, so it is being marked as such. Please look at
the other bug report to see if there is any missing information that you
can provide, or to see if there is a workaround for the bug.
Additionally, any further discussion regarding the bug should occur in
the other report. Feel free to continue to report any other bugs you may
find.

** This bug has been marked a duplicate of bug 1584298
   package steam:i386 1:1.0.0.48-1ubuntu3 failed to install/upgrade: package 
steam:i386 is not ready for configuration  cannot configure (current status 
'half-installed')

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1793613

Title:
  package steam:i386 1:1.0.0.48-1ubuntu4 failed to install/upgrade: o
  pacote steam:i386 não está pronto para configuração  não pode
  configurar (status actual `half-installed')

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/steam/+bug/1793613/+subscriptions


[Bug 1726389] Re: Steam launcher keeps crashing

2021-01-10 Thread Andrew Hayzen
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

This sounds like the steam binary itself has crashed and is not related
to the packaging. I am going to mark the bug as incomplete, please
provide more details to the crash and confirm that it still happens on
recent versions of Ubuntu.

** Changed in: steam (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1726389

Title:
  Steam launcher keeps crashing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1726389/+subscriptions


[Bug 1734501] Re: Steam will not install. I tried purging it then re-installing... i get the license and accept but still says I declined

2021-01-10 Thread Andrew Hayzen
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

I think this is likely to be due to the debconf question for the steam
license question not being answered correctly, this was dropped in the
steam package version 1:1.0.0.54+repack-2ubuntu4 as not all software
centres support it. (Which will likely solve your bug). Therefore I am
marking this bug as fix released.

** Changed in: steam (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1734501

Title:
  Steam will not install.  I tried purging it then re-installing... i
  get the license and accept but still says I declined

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/steam/+bug/1734501/+subscriptions


[Bug 1648973] Re: Steam cannot connect to the internet.

2021-01-10 Thread Andrew Hayzen
*** This bug is a duplicate of bug 1631980 ***
https://bugs.launchpad.net/bugs/1631980

Thank you for taking the time to report this bug and helping to make
Ubuntu better. This particular bug has already been reported and is a
duplicate of bug 1631980, so it is being marked as such. Please look at
the other bug report to see if there is any missing information that you
can provide, or to see if there is a workaround for the bug.
Additionally, any further discussion regarding the bug should occur in
the other report. Feel free to continue to report any other bugs you may
find.

** This bug has been marked a duplicate of bug 1631980
   Steam not able to see network

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1648973

Title:
  Steam cannot connect to the internet.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/steam/+bug/1648973/+subscriptions


[Bug 1651025] Re: Steam says I'm offline when I'm not. Ubuntu 17.04 Daily

2021-01-10 Thread Andrew Hayzen
*** This bug is a duplicate of bug 1631980 ***
https://bugs.launchpad.net/bugs/1631980

Thank you for taking the time to report this bug and helping to make
Ubuntu better. This particular bug has already been reported and is a
duplicate of bug 1631980, so it is being marked as such. Please look at
the other bug report to see if there is any missing information that you
can provide, or to see if there is a workaround for the bug.
Additionally, any further discussion regarding the bug should occur in
the other report. Feel free to continue to report any other bugs you may
find.

** This bug has been marked a duplicate of bug 1631980
   Steam not able to see network

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1651025

Title:
  Steam says I'm offline when I'm not. Ubuntu 17.04 Daily


[Bug 1374670] Re: package steam 1:1.0.0.45-1ubuntu1 [modified: usr/share/applications/steam.desktop usr/share/icons/hicolor/16x16/apps/steam.png usr/share/icons/hicolor/24x24/apps/steam.png usr/share/

2021-01-10 Thread Andrew Hayzen
*** This bug is a duplicate of bug 1255794 ***
https://bugs.launchpad.net/bugs/1255794

Thank you for taking the time to report this bug and helping to make
Ubuntu better. This particular bug has already been reported and is a
duplicate of bug 1255794, so it is being marked as such. Please look at
the other bug report to see if there is any missing information that you
can provide, or to see if there is a workaround for the bug.
Additionally, any further discussion regarding the bug should occur in
the other report. Feel free to continue to report any other bugs you may
find.

** This bug has been marked a duplicate of bug 1255794
   package steam (not installed) failed to install/upgrade: subprocess new
   pre-installation script returned error exit status 128

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1374670

Title:
  package steam 1:1.0.0.45-1ubuntu1 [modified:
  usr/share/applications/steam.desktop
  usr/share/icons/hicolor/16x16/apps/steam.png
  usr/share/icons/hicolor/24x24/apps/steam.png
  usr/share/icons/hicolor/256x256/apps/steam.png
  usr/share/icons/hicolor/32x32/apps/steam.png
  usr/share/icons/hicolor/48x48/apps/steam.png] failed to
  install/upgrade: subprocess new pre-installation script returned error
  exit status 128


[Bug 1273534] Re: package steam 1:1.0.0.39-2ubuntu1~ubuntu13.10.1 failed to install/upgrade: subprocess new pre-installation script returned error exit status 30

2021-01-10 Thread Andrew Hayzen
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

This issue is likely similar to others which are related to the steam
license question not being answered; this was dropped in the steam
package version 1:1.0.0.54+repack-2ubuntu4 as not all software centres
support it. Therefore I am marking this bug as fix released.

Please report a new bug if your problem persists.

** Changed in: steam (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1273534

Title:
  package steam 1:1.0.0.39-2ubuntu1~ubuntu13.10.1 failed to
  install/upgrade: subprocess new pre-installation script returned error
  exit status 30


[Bug 1679725] Re: s2tc dependency broken on zesty

2021-01-10 Thread Andrew Hayzen
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

The libtxc-dxtn-s2tc0 has been removed from later versions of Ubuntu and
it has been removed as a dependency in the Ubuntu steam packaging since
1:1.0.0.67-2ubuntu1 (Ubuntu 21.04). Therefore I am marking this bug as
fixed released.

** Changed in: steam (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1679725

Title:
  s2tc dependency broken on zesty


[Bug 1684755] Re: Missing dependency to libtxc-dxtn-s2tc:amd64

2021-01-10 Thread Andrew Hayzen
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

The package libtxc-dxtn-s2tc has been removed from later versions of
Ubuntu, therefore I am going to mark this bug as invalid for Steam.

** Changed in: steam (Ubuntu)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1684755

Title:
  Missing dependency to libtxc-dxtn-s2tc:amd64


[Bug 1873411] Re: steam installs generic Desktop icons for games that require an explicit 'Allow Launching'

2021-01-10 Thread Andrew Hayzen
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

I can reproduce this issue, but I think that is potentially a security
feature of the gnome-shell-extension-desktop-icons. As if you navigate
to the folder in Nautilus, then select open, it allows for running the
game and not opening gedit. And I can see that the permissions of the
file have been set correctly by Steam.

Therefore I am going to reassign this bug from the Steam package to
gnome-shell-extension-desktop-icons as it doesn't appear that Steam is
doing anything incorrectly and it is likely due to the desktop icons
implementation (potentially even a security feature).

** Package changed: steam (Ubuntu) => gnome-shell-extension-desktop-icons (Ubuntu)

** Changed in: gnome-shell-extension-desktop-icons (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1873411

Title:
  steam installs generic Desktop icons for games that require an
  explicit 'Allow Launching'


[Bug 1559749] Re: Steam package should add Vulkan compatible AMD or Nvidia as a Recommends package

2021-01-10 Thread Andrew Hayzen
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

mesa-vulkan-drivers was added as a recommends for Debian packaging as of
version 1.0.0.56-2 and therefore to the Ubuntu packaging as of version
1:1.0.0.61-2ubuntu1 (Ubuntu 20.04).

For Nvidia the Ubuntu package suggests the libnvidia-gl-NNN package
which I believe includes the required vulkan parts.

Therefore I am going to mark this bug as fixed released. Please open a
new bug if this does not work for you.


** Changed in: steam (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1559749

Title:
  Steam package should add Vulkan compatible AMD or Nvidia as a
  Recommends package


[Bug 1562645] Re: Steam Package out of date error message

2021-01-10 Thread Andrew Hayzen
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

The Steam package has been updated in future releases of Ubuntu.

The "steam-launcher" package and
http://repo.steampowered.com/steam/presice repository you mention as
having installed come from Valve themselves not the Ubuntu archives, so
bugs are not tracked here (they are instead here
https://github.com/ValveSoftware/steam-for-linux/issues ). Therefore I
am marking this bug as invalid.

As mentioned in the previous comment you could try removing Valve's
steam and using the version from Ubuntu. But I would also recommend
updating to at least Ubuntu 20.04 which has a newer Steam package.

** Changed in: steam (Ubuntu)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1562645

Title:
  Steam Package out of date error message


[Bug 1497515] Re: Game platform "Steam" does not load

2021-01-10 Thread Andrew Hayzen
*** This bug is a duplicate of bug 1273027 ***
https://bugs.launchpad.net/bugs/1273027

Thank you for taking the time to report this bug and helping to make
Ubuntu better.

The "subprocess new pre-installation script returned error exit status
30" that apport has reported here has been fixed in bug 1273027, the
other issues you have had are likely also related to this, therefore I
am going to mark this bug as a duplicate of it. If you still do have
issues please open a new bug.

This particular bug has already been reported and is a duplicate of bug
1273027, so it is being marked as such. Please look at the other bug
report to see if there is any missing information that you can provide,
or to see if there is a workaround for the bug. Additionally, any
further discussion regarding the bug should occur in the other report.
Feel free to continue to report any other bugs you may find.

** This bug has been marked a duplicate of bug 1273027
   package steam 1:1.0.0.39-2ubuntu1~ubuntu13.10.1 failed to install/upgrade:
   subprocess new pre-installation script returned error exit status 1

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1497515

Title:
  Game platform "Steam" does not load


[Bug 1409760] Re: steam start with wifi auto connect

2021-01-10 Thread Andrew Hayzen
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

This bug appears that it is an issue with the steam binary itself and
not with the Ubuntu packaging, I have not been able to locate anything
that attempts to connect to the network.

This issue would be better reported against the steam binary at
https://github.com/ValveSoftware/steam-for-linux/issues . Once a
resolution has been made there it will appear in either the next Ubuntu
update or steam binary update.

For now I will mark this bug as opinion, as I don't think there is
anything we can do in the Ubuntu packaging.

** Changed in: steam (Ubuntu)
   Status: Confirmed => Opinion

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1409760

Title:
  steam start with wifi auto connect


[Bug 1363759] Re: package steam 1:1.0.0.48-1ubuntu1 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting a removal

2021-01-10 Thread Andrew Hayzen
*** This bug is a duplicate of bug 1273027 ***
https://bugs.launchpad.net/bugs/1273027

Thank you for taking the time to report this bug and helping to make
Ubuntu better.

Looking at dpkg terminal this appears to have failed due to the license
agreement popup, which has been solved in bug 1273027, therefore I shall
mark this bug as a duplicate of it ...

This particular bug has already been reported and is a duplicate of bug
1273027, so it is being marked as such. Please look at the other bug
report to see if there is any missing information that you can provide,
or to see if there is a workaround for the bug. Additionally, any
further discussion regarding the bug should occur in the other report.
Feel free to continue to report any other bugs you may find.

** This bug has been marked a duplicate of bug 1273027
   package steam 1:1.0.0.39-2ubuntu1~ubuntu13.10.1 failed to install/upgrade:
   subprocess new pre-installation script returned error exit status 1

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1363759

Title:
  package steam 1:1.0.0.48-1ubuntu1 failed to install/upgrade: package
  is in a very bad inconsistent state; you should  reinstall it before
  attempting a removal


[Bug 1233973] Re: Several applications can't connect to the network in Saucy

2021-01-10 Thread Andrew Hayzen
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

On Ubuntu 20.04 I am not able to reproduce this issue, therefore I am
going to mark this as incomplete. Please comment if you are still having
this issue.

** Changed in: steam (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1233973

Title:
  Several applications can't connect to the network in Saucy


[Bug 1585712] Re: package steam 1:1.0.0.45-1ubuntu1.1 failed to install/upgrade: Unterprozess neues pre-installation-Skript gab den Fehlerwert 1 zurück

2021-01-10 Thread Andrew Hayzen
*** This bug is a duplicate of bug 1273027 ***
https://bugs.launchpad.net/bugs/1273027

Thank you for taking the time to report this bug and helping to make
Ubuntu better. This particular bug has already been reported and is a
duplicate of bug 1273027, so it is being marked as such. Please look at
the other bug report to see if there is any missing information that you
can provide, or to see if there is a workaround for the bug.
Additionally, any further discussion regarding the bug should occur in
the other report. Feel free to continue to report any other bugs you may
find.

** This bug has been marked a duplicate of bug 1273027
   package steam 1:1.0.0.39-2ubuntu1~ubuntu13.10.1 failed to install/upgrade:
   subprocess new pre-installation script returned error exit status 1

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1585712

Title:
  package steam 1:1.0.0.45-1ubuntu1.1 failed to install/upgrade:
  Unterprozess neues pre-installation-Skript gab den Fehlerwert 1 zurück


[Bug 1638463] Re: package steam-devices (not installed) failed to install/upgrade: trying to overwrite '/lib/udev/rules.d/99-steam-controller-perms.rules', which is also in package steam-launcher 1.0.

2021-01-10 Thread Andrew Hayzen
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

As per the Debian changelog entry below this has been fixed in the
upstream Debian packaging. And since Ubuntu package version
1:1.0.0.61-2ubuntu1 (Ubuntu 20.04) those changes have been present in
the Ubuntu packaging as well.  Therefore I am marking this bug as fixed
released.


"steam (1.0.0.59-3) unstable; urgency=medium

  * Add Conflicts/Replaces on steam-launcher.
    steam-launcher is a Valve-provided package containing the same
    launcher as Debian's steam package, and the same udev rules as
    Debian's steam-devices package. They are not co-installable: please
    install the steam and steam-devices packages from Debian non-free,
    *or* the steam and steam-launcher packages from Valve, but do not
    mix the two sources.
..."

** Changed in: steam (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1638463

Title:
  package steam-devices (not installed) failed to install/upgrade:
  trying to overwrite '/lib/udev/rules.d/99-steam-controller-
  perms.rules', which is also in package steam-launcher 1.0.0.53


[Bug 1581312] Re: package steam:i386 (not installed) failed to install/upgrade: subprocess installed post-removal script returned error exit status 10

2021-01-10 Thread Andrew Hayzen
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

All of these bugs appear to happen when steam has failed to install
correctly (due to the license agreement question being declined) and
then the user attempting to remove/upgrade the broken package.

As the steam license question was dropped in the steam package version
1:1.0.0.54+repack-2ubuntu4 (as not all software centres support it), I
am going to mark this bug as incomplete as I suspect with newer versions
of the package this won't happen. Please comment if you have this issue
on a fresh install with 1:1.0.0.54+repack-2ubuntu4 or newer.

** Changed in: steam (Ubuntu)
   Status: Confirmed => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1581312

Title:
  package steam:i386 (not installed) failed to install/upgrade:
  subprocess installed post-removal script returned error exit status 10
