This is now public.

** Information type changed from Private Security to Public Security

** Description changed:

  Placeholder for ghsa-4ppf-fxf6-vxg2 as I prepare the debdiffs.
  
  This issue will be made public I believe on 14/01/2021 daytime CET.
- 
  
  [Impact]
  
  Versions in Ubuntu right now:
  Hirsute: 1.8.4-2
  Groovy: 1.8.2-1
  Focal: 1.6.5-0ubuntu0.1
  Bionic: 1.0.9-0ubuntu0.1
  
  Affected versions:
-     >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5 
+     >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5
  
  Patched versions:
-     Expected to be >= 1.9.4, 1.8.x >= 1.8.5 
+     Expected to be >= 1.9.4, 1.8.x >= 1.8.5
  
  There are also branches with patches for 1.6.x (Ubuntu 20.04), but
  nothing available yet for 1.0.x (Ubuntu 18.04).
  
  [Test Case]
  
  No test case has been mentioned yet, but in the patches there are
  changes/additions to the unit tests.
  
  [Regression Potential]
  
  Flatpak has a test suite, which is run on build across all architectures
  and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
  [Other information]
  
  Simon McVittie discovered a bug in the flatpak-portal service that can
  allow sandboxed applications to execute arbitrary code on the host
  system (a sandbox escape).
  
  The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus
  service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak
  sandbox to launch their own subprocesses in a new sandbox instance, either
  with the same security settings as the caller or with more restrictive
  security settings. For example, this is used in Flatpak-packaged web
  browsers such as Chromium to launch subprocesses that will process
  untrusted web content, and give those subprocesses a more restrictive
  sandbox than the browser itself.
  
  In vulnerable versions, the Flatpak portal service passes
  caller-specified environment variables to non-sandboxed processes on the host
  system, and in particular to the flatpak run command that is used to
  launch the new sandbox instance. A malicious or compromised Flatpak app
  could set environment variables that are trusted by the flatpak run
  command, and use them to execute arbitrary code that is not in a
  sandbox.
  
  https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
+ 
+ Debian: https://security-tracker.debian.org/tracker/TEMP-0000000-73A644
+ (temporary)

** Description changed:

  Placeholder for ghsa-4ppf-fxf6-vxg2 as I prepare the debdiffs.
- 
- This issue will be made public I believe on 14/01/2021 daytime CET.
  
  [Impact]
  
  Versions in Ubuntu right now:
  Hirsute: 1.8.4-2
  Groovy: 1.8.2-1
  Focal: 1.6.5-0ubuntu0.1
  Bionic: 1.0.9-0ubuntu0.1
  
  Affected versions:
      >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5
  
  Patched versions:
      Expected to be >= 1.9.4, 1.8.x >= 1.8.5
  
  There are also branches with patches for 1.6.x (Ubuntu 20.04), but
  nothing available yet for 1.0.x (Ubuntu 18.04).
  
  [Test Case]
  
  No test case has been mentioned yet, but in the patches there are
  changes/additions to the unit tests.
  
  [Regression Potential]
  
  Flatpak has a test suite, which is run on build across all architectures
  and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
  [Other information]
  
  Simon McVittie discovered a bug in the flatpak-portal service that can
  allow sandboxed applications to execute arbitrary code on the host
  system (a sandbox escape).
  
  The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus
  service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak
  sandbox to launch their own subprocesses in a new sandbox instance, either
  with the same security settings as the caller or with more restrictive
  security settings. For example, this is used in Flatpak-packaged web
  browsers such as Chromium to launch subprocesses that will process
  untrusted web content, and give those subprocesses a more restrictive
  sandbox than the browser itself.
  
  In vulnerable versions, the Flatpak portal service passes
  caller-specified environment variables to non-sandboxed processes on the host
  system, and in particular to the flatpak run command that is used to
  launch the new sandbox instance. A malicious or compromised Flatpak app
  could set environment variables that are trusted by the flatpak run
  command, and use them to execute arbitrary code that is not in a
  sandbox.
  
  https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
  
  Debian: https://security-tracker.debian.org/tracker/TEMP-0000000-73A644
  (temporary)

https://bugs.launchpad.net/bugs/1911473

Title:
  Placeholder for ghsa-4ppf-fxf6-vxg2
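
An added example, not part of the original bug notification: a Python check that applies the affected-version range quoted in the description to the upstream part of a Debian/Ubuntu package version. The function names are illustrative, and the result reflects upstream version numbers only, so a distro package carrying a backported fix still reports as in range.

```python
import re

# Ranges copied from the description above:
#   affected: >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5
FIRST_AFFECTED = (0, 11, 4)
FIRST_FIXED = (1, 9, 4)
FIXED_STABLE_SERIES = (1, 8)
FIRST_FIXED_STABLE = (1, 8, 5)

# Package versions listed in the description for each Ubuntu release.
UBUNTU_VERSIONS = {
    "Hirsute": "1.8.4-2",
    "Groovy": "1.8.2-1",
    "Focal": "1.6.5-0ubuntu0.1",
    "Bionic": "1.0.9-0ubuntu0.1",
}


def upstream_version(package_version):
    """Return the upstream part of a Debian/Ubuntu version as an int tuple."""
    # Drop an optional epoch ("1:") and the Debian revision ("-0ubuntu0.1").
    upstream = package_version.split(":", 1)[-1].rsplit("-", 1)[0]
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", upstream)
    if match is None:
        raise ValueError(f"unrecognised flatpak version: {package_version!r}")
    return tuple(int(part or 0) for part in match.groups())


def in_affected_range(package_version):
    """True if the upstream version falls in the range quoted above.

    True means "check the package changelog for a backported fix", not
    "definitely unpatched": the description mentions patch branches for
    1.6.x that would not change the upstream version number.
    """
    version = upstream_version(package_version)
    if version[:2] == FIXED_STABLE_SERIES and version >= FIRST_FIXED_STABLE:
        return False  # the 1.8.x >= 1.8.5 exception
    return FIRST_AFFECTED <= version < FIRST_FIXED


def report(versions=UBUNTU_VERSIONS):
    """Map each release name to whether its version is in the affected range."""
    return {release: in_affected_range(v) for release, v in versions.items()}


if __name__ == "__main__":
    for release, affected in report().items():
        print(f"{release}: {UBUNTU_VERSIONS[release]} in affected range: {affected}")
```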