[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
This bug was fixed in the package flatpak - 1.8.2-1ubuntu0.1

---------------
flatpak (1.8.2-1ubuntu0.1) groovy-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: common: Add a backport of
      G_DBUS_METHOD_INVOCATION_HANDLED.
    - debian/patches/CVE-2021-21261-2.patch: run: Convert all environment
      variables into bwrap arguments.
    - debian/patches/CVE-2021-21261-3.patch: tests: Expand coverage for
      environment variable overrides.
    - debian/patches/CVE-2021-21261-4.patch: context: Add --env-fd option.
    - debian/patches/CVE-2021-21261-5.patch: portal: Convert --env in
      extra-args into --env-fd.
    - debian/patches/CVE-2021-21261-6.patch: tests: Exercise --env-fd.
    - debian/patches/CVE-2021-21261-7.patch: portal: Do not use
      caller-supplied variables in environment.
    - debian/patches/CVE-2021-21261-8.patch: tests: Assert that --env= does
      not go in `flatpak run` or bwrap environ.
    - CVE-2021-21261

 -- Andrew Hayzen  Fri, 22 Jan 2021 00:59:12 +

** Changed in: flatpak (Ubuntu Groovy)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1911473

Title:
  Update for ghsa-4ppf-fxf6-vxg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1911473/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
This bug was fixed in the package flatpak - 1.0.9-0ubuntu0.2

---------------
flatpak (1.0.9-0ubuntu0.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: run: Convert all environment
      variables into bwrap arguments.
    - debian/patches/CVE-2021-21261-2.patch: common: Move
      flatpak_buffer_to_sealed_memfd_or_tmpfile to its own file.
    - debian/patches/CVE-2021-21261-3.patch: context: Add --env-fd option.
    - debian/patches/CVE-2021-21261-4.patch: portal: Convert --env in
      extra-args into --env-fd.
    - debian/patches/CVE-2021-21261-5.patch: portal: Do not use
      caller-supplied variables in environment.
    - CVE-2021-21261

 -- Paulo Flabiano Smorigo  Tue, 19 Jan 2021 14:21:40 +
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
This bug was fixed in the package flatpak - 1.6.5-0ubuntu0.2

---------------
flatpak (1.6.5-0ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: tests: Add minimal version of
      "ok" helper.
    - debian/patches/CVE-2021-21261-2.patch: common: Add a backport of
      G_DBUS_METHOD_INVOCATION_HANDLED.
    - debian/patches/CVE-2021-21261-3.patch: run: Convert all environment
      variables into bwrap arguments.
    - debian/patches/CVE-2021-21261-4.patch: tests: Expand coverage for
      environment variable overrides.
    - debian/patches/CVE-2021-21261-5.patch: context: Add --env-fd option.
    - debian/patches/CVE-2021-21261-6.patch: portal: Convert --env in
      extra-args into --env-fd.
    - debian/patches/CVE-2021-21261-7.patch: tests: Exercise --env-fd.
    - debian/patches/CVE-2021-21261-8.patch: portal: Do not use
      caller-supplied variables in environment.
    - debian/patches/CVE-2021-21261-9.patch: tests: Assert that --env= does
      not go in `flatpak run` or bwrap environ.
    - CVE-2021-21261

 -- Andrew Hayzen  Wed, 13 Jan 2021 21:09:15 +

** Changed in: flatpak (Ubuntu Focal)
       Status: In Progress => Fix Released

** Changed in: flatpak (Ubuntu Bionic)
       Status: New => Fix Released
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
@Andrew, hello. Focal and Groovy with your backports are fine and ready to go. I'm still resistant about Bionic since I couldn't import the tests. I'll try to manually test it a little more tomorrow and if everything goes well I'll publish it on Monday.
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
@Paulo, was there any progress on this or anything you need help with? I've posted debdiffs for focal and groovy. Sounds like you have a diff for bionic. Let me know if there is anything I can do to help this move to the next step :-)
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
Thanks. I managed to backport version 1.2 to bionic (1.0.9). I had to exclude the tests because the framework is very different between both versions. I'll test it on Monday.
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
** Tags added: patch
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
Please find attached the debdiff for Ubuntu 20.10 groovy. This includes a similar set of patches to the focal set and has been picked from between the 1.8.4 and 1.8.5 tags. Let me know if anything has been done incorrectly or if I have missed any commits.

I will leave it up to the security team to decide if Ubuntu should also include the extra setuid patches provided by upstream in any of these debdiffs.

** Attachment added: "flatpak_1.8.2-1_to_1.8.2-1ubuntu0.1.debdiff.gz"
   https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1911473/+attachment/5455341/+files/flatpak_1.8.2-1_to_1.8.2-1ubuntu0.1.debdiff.gz

** Changed in: flatpak (Ubuntu Groovy)
       Status: New => In Progress
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
@Paulo, Thanks!

BTW smcv just pointed out two more potential patches that could be included in the focal 1.6 patch, these are only for users that use setuid on the bubblewrap binary though (users who disable user namespaces - like Debian). It would be up to us if we want to include them.

See https://github.com/flatpak/flatpak/pull/4070#issuecomment-764664659

I can try and include these extra two commits if you think it is useful, but not sure how many users would do this or if it would be considered "supported"?

For bionic note that the flatpak-1.2.x branch has the fixes applied (with extra setuid patches here https://github.com/flatpak/flatpak/pull/4087 ), these may help for figuring out 1.0.x.

And what would the security team prefer to do for groovy? We could either sync 1.8.5 from hirsute or apply the patches to 1.8.2? (although looks like 1.10.0-2 is in hirsute-proposed, so might have to be quick :') unless we can sync an older version somehow)

Please advise if you want me to attempt any other areas :-)
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
Just a heads up. Your focal backport seems fine, no problems there. I'm working on the bionic version but, since it's based on 1.0.9, it's not straightforward.
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
** Changed in: flatpak (Ubuntu Groovy)
     Assignee: (unassigned) => Andrew Hayzen (ahayzen)

** Changed in: flatpak (Ubuntu Bionic)
     Assignee: (unassigned) => Andrew Hayzen (ahayzen)
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
** Changed in: flatpak (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: flatpak (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: flatpak (Ubuntu Hirsute)
   Importance: Undecided => Medium

** Changed in: flatpak (Ubuntu Groovy)
   Importance: Undecided => Medium
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
1.8.5 has landed in hirsute now, so marking hirsute as fixed released.

** Changed in: flatpak (Ubuntu Hirsute)
       Status: In Progress => Fix Released
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
** Changed in: flatpak (Ubuntu Focal)
       Status: New => In Progress

** Changed in: flatpak (Ubuntu Focal)
     Assignee: (unassigned) => Andrew Hayzen (ahayzen)
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
** Also affects: flatpak (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: flatpak (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: flatpak (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: flatpak (Ubuntu Hirsute)
   Importance: Undecided
     Assignee: Andrew Hayzen (ahayzen)
       Status: In Progress
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
If anyone has the permission to propose this bug for the series, bionic, focal, and groovy that would be useful :-)

** Description changed:

+ [Links]
+ 
+ Upstream Advisory: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
+ Debian: https://security-tracker.debian.org/tracker/CVE-2021-21261
+ DSA: https://security-tracker.debian.org/tracker/DSA-4830-1
+ 
  [Impact]
  
  Versions in Ubuntu right now:
  Hirsute: 1.8.4-2
  Groovy: 1.8.2-1
  Focal: 1.6.5-0ubuntu0.1
  Bionic: 1.0.9-0ubuntu0.1
  
  Affected versions: >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5
  Patched versions: Expected to be >= 1.9.4, 1.8.x >= 1.8.5
  
  There are also branches with patches for 1.6.x (Ubuntu 20.04), but nothing available yet for 1.0.x (Ubuntu 18.04).
  
  [Test Case]
  
  No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.
  
  [Regression Potential]
  
  Flatpak has a test suite, which is run on build across all architectures and passes. There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak . Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak . Regression potential is low, and upstream is very responsive to any issues raised.
  
  [Other information]
  
  Simon McVittie discovered a bug in the flatpak-portal service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape).
  
  The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself.
  
  In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the flatpak run command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the flatpak run command, and use them to execute arbitrary code that is not in a sandbox.
- 
- https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
- 
- Debian: https://security-tracker.debian.org/tracker/CVE-2021-21261
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
Please find attached the debdiff for Ubuntu 20.04 focal. I have tested this using the manual test plan in a VM and built in a PPA. Let me know if anything has been done incorrectly.

** Summary changed:

- Placeholder for ghsa-4ppf-fxf6-vxg2
+ Update for ghsa-4ppf-fxf6-vxg2

** Description changed:

- Placeholder for ghsa-4ppf-fxf6-vxg2 as I prepare the debdiffs.
- 
  [Impact]
  
  Versions in Ubuntu right now:
  Hirsute: 1.8.4-2
  Groovy: 1.8.2-1
  Focal: 1.6.5-0ubuntu0.1
  Bionic: 1.0.9-0ubuntu0.1
  
  Affected versions: >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5
  Patched versions: Expected to be >= 1.9.4, 1.8.x >= 1.8.5
  
  There are also branches with patches for 1.6.x (Ubuntu 20.04), but nothing available yet for 1.0.x (Ubuntu 18.04).
  
  [Test Case]
  
  No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.
  
  [Regression Potential]
  
  Flatpak has a test suite, which is run on build across all architectures and passes. There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak . Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak . Regression potential is low, and upstream is very responsive to any issues raised.
  
  [Other information]
  
  Simon McVittie discovered a bug in the flatpak-portal service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape).
  
  The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself.
  
  In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the flatpak run command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the flatpak run command, and use them to execute arbitrary code that is not in a sandbox.
  
  https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
  
- Debian: https://security-tracker.debian.org/tracker/TEMP-000-73A644
- (temporary)
+ Debian: https://security-tracker.debian.org/tracker/CVE-2021-21261

** Attachment added: "flatpak_1.6.5-0ubuntu0.1_to_1.6.5-0ubuntu0.2.debdiff.gz"
   https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1911473/+attachment/5453101/+files/flatpak_1.6.5-0ubuntu0.1_to_1.6.5-0ubuntu0.2.debdiff.gz
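The mitigation that the changelog entries "context: Add --env-fd option" and "portal: Do not use caller-supplied variables in environment" describe, shown as an added example in C. This is not flatpak's code and not part of this bug thread: caller-supplied KEY=VALUE pairs are written into a sealed memfd (with an unlinked temporary file as fallback, loosely after the flatpak_buffer_to_sealed_memfd_or_tmpfile name in the bionic changelog), handed over only as a file descriptor, and parsed on the receiving side into an explicit envp for the sandboxed child. The function names (env_block_to_fd, env_from_fd, free_envp), the validation rule and the sample variables are assumptions of this example.

```c
/* Added example, not code from flatpak or this bug thread: the "env-fd" hand-off
 * used by the CVE-2021-21261 fix. Caller-supplied KEY=VALUE pairs go into a sealed
 * memfd (unlinked temp file as fallback); the child parses that fd into an explicit
 * envp and the launcher's own environ is never touched. Names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* An entry must look like KEY=VALUE with a non-empty key. */
static int env_entry_is_valid(const char *kv)
{
    const char *eq = kv ? strchr(kv, '=') : NULL;
    return eq != NULL && eq != kv;
}

void free_envp(char **envp)
{
    for (size_t i = 0; envp && envp[i]; i++) free(envp[i]);
    free(envp);
}

/* Copy buf into an anonymous file and seal it, so the bytes the launcher wrote are
 * exactly the bytes the child reads. Sealing is memfd-only; on the fallback it fails. */
static int sealed_fd_from_buffer(const char *buf, size_t len)
{
    int fd = -1;
#ifdef MFD_ALLOW_SEALING
    fd = memfd_create("env-block", MFD_ALLOW_SEALING);
#endif
    if (fd < 0) {
        char tmpl[] = "/tmp/env-block-XXXXXX";   /* constructed template */
        if ((fd = mkstemp(tmpl)) < 0) return -1;
        unlink(tmpl);
    }
    for (size_t off = 0; off < len; ) {
        ssize_t w = write(fd, buf + off, len - off);
        if (w < 0) { if (errno == EINTR) continue; close(fd); return -1; }
        off += (size_t) w;
    }
#ifdef F_ADD_SEALS
    fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL);
#endif
    if (lseek(fd, 0, SEEK_SET) < 0) { close(fd); return -1; }
    return fd;
}

/* Launcher side: validate and serialise the caller's variables NUL-separated.
 * Returns the sealed fd (what --env-fd=N would carry) or -1 with errno set. */
int env_block_to_fd(const char *const *vars, size_t n)
{
    size_t total = 0, off = 0;
    for (size_t i = 0; i < n; i++) {
        if (!env_entry_is_valid(vars[i])) { errno = EINVAL; return -1; }
        total += strlen(vars[i]) + 1;        /* the NUL is the separator */
    }
    char *buf = malloc(total + 1);
    if (!buf) return -1;
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(vars[i]) + 1;
        memcpy(buf + off, vars[i], l);
        off += l;
    }
    int fd = sealed_fd_from_buffer(buf, total);
    free(buf);
    return fd;
}

/* Child side: read the fd and split it into a NULL-terminated envp meant only for
 * execve()'s envp argument. setenv() is deliberately absent: these values must
 * never become part of the launcher's own environment. */
char **env_from_fd(int fd, size_t *n_out)
{
    size_t cap = 4096, len = 0, count = 0;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    for (ssize_t r; (r = read(fd, buf + len, cap - len)) != 0; ) {
        if (r < 0) { if (errno == EINTR) continue; free(buf); return NULL; }
        len += (size_t) r;
        if (len == cap) { char *nb = realloc(buf, cap *= 2); if (!nb) { free(buf); return NULL; } buf = nb; }
    }
    if (len > 0 && buf[len - 1] != '\0') { free(buf); errno = EINVAL; return NULL; }
    for (size_t i = 0; i < len; i++) if (buf[i] == '\0') count++;
    char **envp = calloc(count + 1, sizeof *envp);
    if (!envp) { free(buf); return NULL; }
    for (size_t i = 0, start = 0, k = 0; i < len; i++) {
        if (buf[i] != '\0') continue;
        /* Re-validate on the receiving side rather than trusting the block. */
        if (!env_entry_is_valid(buf + start) || !(envp[k] = strdup(buf + start))) {
            free_envp(envp); free(buf); errno = EINVAL; return NULL;
        }
        k++; start = i + 1;
    }
    free(buf);
    if (n_out) *n_out = count;
    return envp;
}
```

The invariant worth checking in a review of any launcher like this is that the parsed block only ever reaches the child's envp (execve or the bwrap command line, as the "run: Convert all environment variables into bwrap arguments" patch does) and that no setenv() or putenv() call on caller-controlled input exists in the host-side process; the test the focal changelog names, "Assert that --env= does not go in `flatpak run` or bwrap environ", is exactly that invariant expressed as a regression test.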
[Bug 1911473] Re: Update for ghsa-4ppf-fxf6-vxg2
Also note that hirsute now has 1.8.5 in hirsute-proposed (which contains the fix), although it looks like s390x has failed in the tests - I wonder if a retest will make it pass or if it is a genuine failure.