Thanks Paulo, I'm afk on holiday at the moment, so will test this when I'm back towards the end of the week, thanks!
On Fri, 3 May 2019, 01:35 Paulo Flabiano Smorigo, <[email protected]> wrote:

> Hello Andrew, can you check/test if the packages below are working
> properly?
>
> https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=flatpak
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1821811
>
> Title:
>   New upstream microrelease flatpak 1.0.8
>
> Status in flatpak package in Ubuntu:
>   Fix Released
> Status in flatpak source package in Bionic:
>   New
> Status in flatpak source package in Cosmic:
>   New
>
> Bug description:
>   This is a request to SRU the latest microrelease of flatpak into
>   bionic and cosmic. It is also a security update for CVE-2019-10063.
>
>   Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925541
>   Upstream bug https://github.com/flatpak/flatpak/issues/2782
>
>   [Impact]
>
>   New upstream microrelease of flatpak, which brings a security fix for
>   CVE-2019-10063.
>
>   Bionic is currently at 1.0.7, whereas 1.0.8 is available upstream.
>   Cosmic is currently at 1.0.7, whereas 1.0.8 is available upstream.
>
>   Disco needs to be synced to >= 1.2.3-2 (is someone able to sync
>   1.2.4-1 from unstable?). Bug 1822024 has this request.
>
>   [Test Case]
>
>   No test case has been mentioned in the Debian bug. In the upstream
>   pull request it looks like the snapd exploit might be able to be used
>   (https://www.exploit-db.com/exploits/46594), but the code change is
>   minimal so I have not tried this yet.
>
>   [Regression Potential]
>
>   Flatpak has a test suite, which is run on build across all
>   architectures and passes.
>
>   There is also a manual test plan
>   https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak. I have
>   confirmed that 1.0.8 passes with this test plan on both bionic and
>   cosmic.
>
>   Flatpak has autopkgtests enabled
>   http://autopkgtest.ubuntu.com/packages/f/flatpak which are passing on
>   bionic and cosmic.
>
>   Regression potential is low, and upstream is very responsive to any
>   issues raised.
>
>   [Other information]
>
>   Debian and upstream comments about the vulnerability:
>
>   "flatpak versions since 0.8.1 (and Debian's 0.8.0-2, which has backports
>   of the upstream changes that became 0.8.1) attempt to prevent malicious
>   apps from escalating their privileges by injecting commands into the
>   controlling terminal with the TIOCSTI ioctl (CVE-2017-5226).
>
>   This fix was incomplete: on 64-bit platforms, seccomp looks at the whole
>   64-bit word, but the kernel only looks at the low 32 bits. This means we
>   also have to block commands like (0x1234567800000000 | TIOCSTI).
>   CVE-2019-10063 has been allocated for this vulnerability, which closely
>   resembles CVE-2019-7303 in snapd.
>
>   Mitigation: as usual with Flatpak sandbox bypasses, this can only be
>   exploited if you install a malicious app from a trusted source. The
>   sandbox parameters used for most apps are currently sufficiently weak
>   that a malicious app could do other equally bad things that we cannot
>   prevent, for example by abusing the X11 protocol."
>
>   Debian security tracker
>   https://security-tracker.debian.org/tracker/CVE-2019-10063
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1821811/+subscriptions

** Bug watch added: Debian Bug tracker #925541
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925541

** Bug watch added: github.com/flatpak/flatpak/issues #2782
   https://github.com/flatpak/flatpak/issues/2782

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5226

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-7303

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1821811

Title:
  New upstream microrelease flatpak 1.0.8

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1821811/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
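As an added example, not code from the bug report, flatpak or snapd: a C model of the filter gap described in the quoted upstream comment. It builds two raw seccomp-BPF programs for the ioctl syscall, the flawed one treating the request argument as a full 64-bit word (both halves must match), and the corrected one comparing only the low 32 bits, which is all the kernel's ioctl handler (an `unsigned int` request parameter) ever sees. The programs are evaluated by a small in-process interpreter that stands in for the kernel (an assumption; nothing is installed with seccomp()), and the host is assumed to be little-endian 64-bit with Linux uapi headers available. The probe value 0x1234567800000000 | TIOCSTI is the one given in the quoted text.

```c
/*
 * Added example (not code from the bug report, flatpak or snapd): why a
 * seccomp-BPF ioctl(TIOCSTI) block that compares the whole 64-bit argument
 * is bypassable, and the corrected rule that compares only the low 32 bits.
 * Assumptions: Linux uapi headers, a little-endian 64-bit host, and the tiny
 * interpreter below standing in for the kernel's BPF evaluation.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/ioctl.h>   /* TIOCSTI, TIOCGWINSZ */
#include <sys/syscall.h> /* __NR_ioctl */

/* Byte offsets of the low/high 32-bit halves of syscall argument n inside
 * struct seccomp_data (little-endian layout assumed). */
#define ARG_LO(n) ((uint32_t)offsetof(struct seccomp_data, args[n]))
#define ARG_HI(n) ((uint32_t)(offsetof(struct seccomp_data, args[n]) + 4))
#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Flawed rule: denies only when the high half is 0 AND the low half is
 * TIOCSTI, so any non-zero high half falls through to ALLOW. */
static const struct sock_filter naive_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 4), /* not ioctl: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HI(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 2),          /* high != 0: allow (the gap) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 1, 0),    /* low == TIOCSTI: deny */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
};

/* Corrected rule: compare only the 32 bits the kernel will actually use. */
static const struct sock_filter fixed_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 2), /* not ioctl: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 1, 0),    /* low == TIOCSTI: deny */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
};

/* Minimal evaluator for the three instruction forms used above; anything
 * else, or an out-of-range load, is rejected (fail closed). */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *d)
{
    const uint8_t *raw = (const uint8_t *)d;
    uint32_t acc = 0;
    size_t pc = 0;

    while (pc < len) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k > sizeof(*d) - sizeof(acc))
                return SECCOMP_RET_KILL;
            memcpy(&acc, raw + in->k, sizeof(acc));
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end of the program */
}

/* The seccomp_data the kernel would hand the filter for ioctl(fd, request, ...). */
static struct seccomp_data ioctl_call(uint64_t request)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof(d));
    d.nr = __NR_ioctl;
    d.args[1] = request;
    return d;
}

/* What the kernel's ioctl() handler compares: the low 32 bits only. */
static uint32_t kernel_sees(uint64_t request) { return (uint32_t)request; }

static int naive_allows(uint64_t request)
{
    struct seccomp_data d = ioctl_call(request);
    return run_filter(naive_filter, NELEM(naive_filter), &d) == SECCOMP_RET_ALLOW;
}

static int fixed_allows(uint64_t request)
{
    struct seccomp_data d = ioctl_call(request);
    return run_filter(fixed_filter, NELEM(fixed_filter), &d) == SECCOMP_RET_ALLOW;
}

int main(void)
{
    /* Constructed probe value taken from the bug description. */
    uint64_t probe = 0x1234567800000000ULL | TIOCSTI;

    printf("kernel sees 0x%x for 0x%llx\n", kernel_sees(probe), (unsigned long long)probe);
    printf("naive filter: TIOCSTI %s, probe %s\n",
           naive_allows(TIOCSTI) ? "allowed" : "denied",
           naive_allows(probe) ? "allowed" : "denied");
    printf("fixed filter: TIOCSTI %s, probe %s\n",
           fixed_allows(TIOCSTI) ? "allowed" : "denied",
           fixed_allows(probe) ? "allowed" : "denied");
    return 0;
}
```

The naive program denies a plain TIOCSTI but lets the probe value through, while the kernel truncates that same value back to TIOCSTI; the fixed program denies both and still allows unrelated requests such as TIOCGWINSZ. When writing such rules through libseccomp rather than raw BPF, the same low-32-bit comparison is expressed with a masked compare (SCMP_CMP_MASKED_EQ with mask 0xffffffff) instead of a plain equality on the 64-bit argument.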
