** Description changed:

+ *** Placeholder until regressions are fixed upstream ***
+
+ [Links]
+ https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935
+ https://security-tracker.debian.org/tracker/CVE-2021-41133
+
+
+ [Impact]
+ Versions in Ubuntu right now:
+ Impish: 1.10.2-3
+ Hirsute: 1.10.2-1ubuntu1
+ Focal: 1.6.5-0ubuntu0.3
+ Bionic: 1.0.9-0ubuntu0.3
+
+ Affected versions:
+ 1.11.x, 1.10.x <= 1.10.3, all <= 1.8.2
+
+ Patched versions:
+ 1.10.5, 1.12.1, also expected in 1.8.2
+
+
+ [Test Case]
+ Unknown
+
+
+ [Regression Potential]
+ Flatpak has a test suite, which is run on build across all relevant architectures and passes.
+
+ There is also a manual test plan:
+ https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak
+
+ Flatpak has autopkgtests enabled:
+ http://autopkgtest.ubuntu.com/packages/f/flatpak
+
+ Regression potential is low, and upstream is very responsive to any
+ issues raised.
+
+
+ [Patches]
+ There were 8 initial patches, then some regressions were found; one has been patched, but a second has a pending pull request (see the GitHub advisory for links). As noted in the Debian bug as well, there might be further changes to bubblewrap, so I guess it makes sense to wait until this has settled.
+
+
+ [Other Information]
+ An anonymous reporter discovered that Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process, by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted /.flatpak-info or make that file disappear entirely.
+
+ Impact
+
+ Flatpak apps that act as clients for AF_UNIX sockets such as those used
+ by Wayland, Pipewire or pipewire-pulse can escalate the privileges that
+ the corresponding services will believe the Flatpak app has.
+
+ Mitigation: Note that protocols that operate entirely over the D-Bus
+ session bus (user bus), system bus or accessibility bus are not affected
+ by this. This is due to the use of a proxy process, xdg-dbus-proxy, whose
+ VFS cannot be manipulated by the Flatpak app, when interacting with
+ these buses.
** Information type changed from Public to Public Security

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41133

** Changed in: flatpak (Ubuntu)
     Assignee: (unassigned) => Andrew Hayzen (ahayzen)

https://bugs.launchpad.net/bugs/1946578
Title: Placeholder for CVE-2021-41133
