[Bug 1918482] Re: Update for CVE-2021-21381
This bug was fixed in the package flatpak - 1.0.9-0ubuntu0.3

---
flatpak (1.0.9-0ubuntu0.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file
    (LP: #1918482)
    - debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage in
      desktop files.
    - debian/patches/CVE-2021-21381-2.patch: dir: Reserve the whole @@ prefix.
    - debian/patches/CVE-2021-21381-3.patch: dir: Refuse to export .desktop
      files with suspicious uses.
    - CVE-2021-21381

 -- Andrew Hayzen  Wed, 10 Mar 2021 20:51:04 +

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1918482

Title:
  Update for CVE-2021-21381

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
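The three patches above reserve the `@@` prefix in exported launchers and refuse .desktop files that use it. The checker below is an added example, not flatpak's own code or the patches themselves: it parses freedesktop `.desktop` text (assumed `[Group]` / `Key=Value` layout) and reports every shell word in any value that begins with the reserved prefix, which is the check a packager or reviewer can run over a launcher before trusting it.

```python
"""Flag shell words that use the reserved @@ prefix in a .desktop file.

Added checker, not flatpak's own code: it applies the changelog's rule (the whole
@@ prefix is reserved; launchers that use it are refused) to any .desktop text.
"""
import shlex
from typing import List, Tuple

RESERVED_PREFIX = "@@"


def parse_desktop(text: str) -> List[Tuple[str, str, str]]:
    """Return (group, key, value) triples; comments and blank lines are skipped."""
    entries, group = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif "=" in line and group is not None:
            key, _, value = line.partition("=")
            entries.append((group, key.strip(), value.strip()))
    return entries


def find_reserved_tokens(text: str) -> List[Tuple[str, str, str]]:
    """Return (group, key, word) for every shell word that starts with @@."""
    findings = []
    for group, key, value in parse_desktop(text):
        try:
            words = shlex.split(value)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            words = value.split()
        findings += [(group, key, w) for w in words if w.startswith(RESERVED_PREFIX)]
    return findings


def is_safe_to_export(text: str) -> bool:
    """The 'refuse to export' rule: no reserved tokens in any group or key."""
    return not find_reserved_tokens(text)


# Constructed samples (not from the bug report): a clean launcher and one that
# places the markers in Exec and inside a quoted argument of a desktop action.
CLEAN_DESKTOP = "[Desktop Entry]\nType=Application\nName=Example\nExec=example %U\n"
SUSPICIOUS_DESKTOP = (
    "[Desktop Entry]\nType=Application\nName=Example\n"
    "Exec=example @@u %U @@\nActions=new-window\n\n"
    "[Desktop Action new-window]\nName=New Window\n"
    'Exec=example --new-window "@@ %f"\n'
)
```

Values are split with shell quoting rules so a marker hidden inside a quoted argument is still caught; a launcher that passes is one with no `@@`-prefixed word anywhere.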
[Bug 1918482] Re: Update for CVE-2021-21381
This bug was fixed in the package flatpak - 1.6.5-0ubuntu0.3

---
flatpak (1.6.5-0ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file
    (LP: #1918482)
    - debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage in
      desktop files.
    - debian/patches/CVE-2021-21381-2.patch: dir: Reserve the whole @@ prefix.
    - debian/patches/CVE-2021-21381-3.patch: dir: Refuse to export .desktop
      files with suspicious uses.
    - CVE-2021-21381

 -- Andrew Hayzen  Fri, 05 Mar 2021 22:21:25 +

** Changed in: flatpak (Ubuntu Bionic)
       Status: In Progress => Fix Released
[Bug 1918482] Re: Update for CVE-2021-21381
This bug was fixed in the package flatpak - 1.8.2-1ubuntu0.2

---
flatpak (1.8.2-1ubuntu0.2) groovy-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file
    (LP: #1918482)
    - debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage in
      desktop files.
    - debian/patches/CVE-2021-21381-2.patch: dir: Reserve the whole @@ prefix.
    - debian/patches/CVE-2021-21381-3.patch: dir: Refuse to export .desktop
      files with suspicious uses.
    - CVE-2021-21381

 -- Andrew Hayzen  Wed, 10 Mar 2021 20:54:38 +

** Changed in: flatpak (Ubuntu Groovy)
       Status: In Progress => Fix Released

** Changed in: flatpak (Ubuntu Focal)
       Status: In Progress => Fix Released
[Bug 1918482] Re: Update for CVE-2021-21381
I've also done some exploratory testing of .desktop icon-related tests
from the test plan on a Bionic VM and things are working normally.

$ apt policy flatpak
flatpak:
  Installed: 1.0.9-0ubuntu0.3
  Candidate: 1.0.9-0ubuntu0.3
  Version table:
 *** 1.0.9-0ubuntu0.3 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.9-0ubuntu0.2 500
        500 http://gb.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
     0.11.3-3 500
        500 http://gb.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
[Bug 1918482] Re: Update for CVE-2021-21381
@Steve Beattie, was there any progress on this or anything I can do to help? Or is it just stuck in a queue of items to be reviewed? :-)
[Bug 1918482] Re: Update for CVE-2021-21381
Thanks for reviewing these updates!

I've done some exploratory testing of .desktop icon-related tests from
the test plan on a Focal VM and things are working normally.

$ apt policy flatpak
flatpak:
  Installed: 1.6.5-0ubuntu0.3
  Candidate: 1.6.5-0ubuntu0.3
  Version table:
 *** 1.6.5-0ubuntu0.3 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
     1.6.5-0ubuntu0.2 500
        500 http://gb.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
     1.6.3-1 500
        500 http://gb.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
[Bug 1918482] Re: Update for CVE-2021-21381
** Summary changed:

- Update for GHSA-xgh4-387p-hqpp
+ Update for CVE-2021-21381