This is the bionic debdiff.

** Description changed:

- Patches and description coming soon ! I need this to generate a LP bug
- number :-)
+ [Links]
+ https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
+ https://github.com/flatpak/flatpak/pull/4156
+ 
+ [Impact]
+ Versions in Ubuntu right now:
+ Hirsute: 1.10.1-4
+ Groovy: 1.8.2-1ubuntu0.1
+ Focal: 1.6.5-0ubuntu0.2
+ Bionic: 1.0.9-0ubuntu0.2
+ 
+ Affected versions:
+     >= 0.9.4
+ 
+ Patched versions:
+     >= 1.10.2
+ 
+ [Test Case]
+ 
+ No test case has been mentioned yet, but in the patches there are
+ changes/additions to the unit tests.
+ 
+ [Regression Potential]
+ 
+ Flatpak has a test suite, which is run on build across all relevant
+ architectures and passes.
+ 
+ There is also a manual test plan
+ https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
+ 
+ Flatpak has autopkgtests enabled
+ http://autopkgtest.ubuntu.com/packages/f/flatpak .
+ 
+ Regression potential is low, and upstream is very responsive to any
+ issues raised.
+ 
+ [Other information]
+ 
+ Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature 
which can be used by an attacker to gain access to files that would not 
ordinarily be allowed by the app's permissions.
+ Impact
+ 
+ By putting the special tokens @@ and/or @@u in the Exec field of a
+ Flatpak app's .desktop file, a malicious app publisher can trick flatpak
+ into behaving as though the user had chosen to open a target file with
+ their Flatpak app, which automatically makes that file available to the
+ Flatpak app.
+ 
+ A minimal solution is the first commit "Disallow @@ and @@U usage in desktop 
files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: 
Refuse to export .desktop files with suspicious uses of @@ tokens" are 
recommended, but not strictly required.
+ Workarounds
+ 
+ Avoid installing Flatpak apps from untrusted sources, or check the contents 
of the exported .desktop files in exports/share/applications/*.desktop 
(typically ~/.local/share/flatpak/exports/share/applications/*.desktop and 
/var/lib/flatpak/exports/share/applications/*.desktop) to make sure that 
literal filenames do not follow @@ or @@u.
+ References
+ 
+ Acknowledgements
+ 
+ Thanks to @AntonLydike for reporting this issue, and @refi64 for
+ providing the initial solution.

** Summary changed:

- Placeholder for GHSA-xgh4-387p-hqpp
+ Update for GHSA-xgh4-387p-hqpp

** Description changed:

  [Links]
  https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
  https://github.com/flatpak/flatpak/pull/4156
  
  [Impact]
  Versions in Ubuntu right now:
  Hirsute: 1.10.1-4
  Groovy: 1.8.2-1ubuntu0.1
  Focal: 1.6.5-0ubuntu0.2
  Bionic: 1.0.9-0ubuntu0.2
  
  Affected versions:
-     >= 0.9.4
+     >= 0.9.4
  
  Patched versions:
-     >= 1.10.2
+     >= 1.10.2
  
  [Test Case]
  
  No test case has been mentioned yet, but in the patches there are
  changes/additions to the unit tests.
  
  [Regression Potential]
  
  Flatpak has a test suite, which is run on build across all relevant
  architectures and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
  [Other information]
  
+ Sandbox escape via special tokens in .desktop file (flatpak#4146)
+ 
  Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature 
which can be used by an attacker to gain access to files that would not 
ordinarily be allowed by the app's permissions.
  Impact
  
  By putting the special tokens @@ and/or @@u in the Exec field of a
  Flatpak app's .desktop file, a malicious app publisher can trick flatpak
  into behaving as though the user had chosen to open a target file with
  their Flatpak app, which automatically makes that file available to the
  Flatpak app.
  
  A minimal solution is the first commit "Disallow @@ and @@U usage in desktop 
files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: 
Refuse to export .desktop files with suspicious uses of @@ tokens" are 
recommended, but not strictly required.
  Workarounds
  
  Avoid installing Flatpak apps from untrusted sources, or check the contents 
of the exported .desktop files in exports/share/applications/*.desktop 
(typically ~/.local/share/flatpak/exports/share/applications/*.desktop and 
/var/lib/flatpak/exports/share/applications/*.desktop) to make sure that 
literal filenames do not follow @@ or @@u.
  References
  
  Acknowledgements
  
  Thanks to @AntonLydike for reporting this issue, and @refi64 for
  providing the initial solution.
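A checker for the workaround described above, added here as an example and not part of the bug report or Flatpak's own code. It assumes the export directories quoted in the description, parses every Exec= key in each exported .desktop file, and flags any argument between a @@ or @@u opener and the closing @@ that is not a desktop-entry field code; the sample .desktop contents are constructed, and shlex quoting is used as an approximation of Exec escaping.

```python
import glob
import os
import shlex

# Default export locations named in the advisory workaround.
DEFAULT_DIRS = [
    os.path.expanduser("~/.local/share/flatpak/exports/share/applications"),
    "/var/lib/flatpak/exports/share/applications",
]

# Field codes that legitimately sit inside a file-forwarding region.
FIELD_CODES = {"%f", "%F", "%u", "%U"}

# Constructed samples (not from the page). The first is the normal shape of
# a forwarding region; the second hard-codes a path between the @@ tokens.
SAMPLE_OK = "[Desktop Entry]\nExec=flatpak run --file-forwarding com.example.App @@u %U @@\n"
SAMPLE_BAD = "[Desktop Entry]\nExec=flatpak run --file-forwarding com.example.App @@ /home/user/notes.txt @@ %f\n"


def suspicious_forwarded_args(exec_value):
    """Return literal arguments found inside @@ ... @@ / @@u ... @@ regions,
    plus markers for unknown @@-prefixed tokens and an unterminated region."""
    findings, inside = [], False
    for arg in shlex.split(exec_value):
        if not inside:
            if arg in ("@@", "@@u"):
                inside = True
            elif arg.startswith("@@"):
                findings.append("unknown @@ token: " + arg)
        elif arg == "@@":
            inside = False
        elif arg not in FIELD_CODES:
            findings.append(arg)  # hard-coded filename or URI
    if inside:
        findings.append("unterminated @@ region")
    return findings


def scan_desktop_text(text):
    """Check every Exec= key (main entry and any Desktop Action) in one file."""
    findings = []
    for line in text.splitlines():
        if line.startswith("Exec="):
            findings.extend(suspicious_forwarded_args(line[len("Exec="):]))
    return findings


def scan_exports(dirs=DEFAULT_DIRS):
    """Map each suspicious exported .desktop path to its findings."""
    report = {}
    for d in dirs:
        for path in glob.glob(os.path.join(d, "*.desktop")):
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_desktop_text(fh.read())
            if found:
                report[path] = found
    return report


if __name__ == "__main__":
    for path, found in scan_exports().items():
        print(path, found)
```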

** Information type changed from Public to Public Security

** Attachment added: "[bionic] flatpak_1.0.9-0ubuntu0.2_to_flatpak_1.0.9-0ubuntu0.3.debdiff.gz"
   https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482/+attachment/5475502/+files/flatpak_1.0.9-0ubuntu0.2_to_flatpak_1.0.9-0ubuntu0.3.debdiff.gz

https://bugs.launchpad.net/bugs/1918482

Title:
  Update for GHSA-xgh4-387p-hqpp
