Ubuntu
flatpak package

Update for CVE-2021-21381

Bug #1918482 reported by Andrew Hayzen
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
flatpak (Debian)
Fix Released
Unknown
flatpak (Ubuntu)
Fix Released
Medium
Andrew Hayzen
Bionic
Fix Released
Medium
Steve Beattie
Focal
Fix Released
Medium
Steve Beattie
Groovy
Fix Released
Medium
Steve Beattie

Bug Description

[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859
https://security-tracker.debian.org/tracker/CVE-2021-21381

[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2

Affected versions:
    >= 0.9.4

Patched versions:
    >= 1.10.2

[Test Case]

No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.

[Regression Potential]

Flatpak has a test suite, which is run on build across all relevant architectures and passes.

There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .

Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak .

Regression potential is low, and upstream is very responsive to any issues raised.

[Other information]

Sandbox escape via special tokens in .desktop file (flatpak#4146)

Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.
Impact

By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.

A minimal solution is the first commit "Disallow @@ and @@U usage in desktop files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: Refuse to export .desktop files with suspicious uses of @@ tokens" are recommended, but not strictly required.
Workarounds

Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.
References

Acknowledgements

Thanks to @AntonLydike for reporting this issue, and @refi64 for providing the initial solution.

See original description

CVE References

Andrew Hayzen (ahayzen)
Changed in flatpak (Ubuntu):
assignee: nobody → Andrew Hayzen (ahayzen)
status: New → In Progress
Revision history for this message
Andrew Hayzen (ahayzen) wrote : Re: Update for GHSA-xgh4-387p-hqpp

This is the bionic debdiff.

description: updated
summary: - Placeholder for GHSA-xgh4-387p-hqpp
+ Update for GHSA-xgh4-387p-hqpp
description: updated
information type: Public → Public Security
Revision history for this message
Andrew Hayzen (ahayzen) wrote :

This is the focal debdiff.

Revision history for this message
Andrew Hayzen (ahayzen) wrote :

This is the groovy debdiff.

Revision history for this message
Andrew Hayzen (ahayzen) wrote :

So we do not have a CVE yet, I believe one will be auto assigned via github at some point (I don't know how long this takes :-) ).

I realised there is a typo in the bionic changelog "- GHSA-xgh4-387p-hqpp-1" should be "- GHSA-xgh4-387p-hqpp". But once a CVE is available this line will need to be replaced anyway ?

For hirsute, 1.10.1-4 has the first commit from https://github.com/flatpak/flatpak/pull/4156/commits but 1.10.2-1 has just been submitted to debian sid with the full fixes, so should be syncing shortly ( https://tracker.debian.org/news/1235768/accepted-flatpak-1102-1-source-into-unstable/ ).

I have not performed any deep testing yet, I have only built the bionic and focal debdiffs in a PPA (I was surprised that the patches still applied cleanly for bionic so wanted to check that, as the line numbers are quite different).

Revision history for this message
Andrew Hayzen (ahayzen) wrote :

If someone has the permissions could they add bionic, focal, and groovy as affected series ?

Andrew Hayzen (ahayzen)
description: updated
Revision history for this message
Andrew Hayzen (ahayzen) wrote :

This is now CVE-2021-21381, whoever comes to upload the debdiffs please consider the following:

  * Please rename "- GHSA-xgh4-387p-hqpp" in the debian/changelog to "- CVE-2021-21381"
  * Please consider renaming the debian/patches from (for example) "GHSA-xgh4-387p-hqpp-1.patch" to "CVE-2021-21381-1.patch"

Changed in flatpak (Ubuntu Bionic):
assignee: nobody → Andrew Hayzen (ahayzen)
Changed in flatpak (Ubuntu Focal):
assignee: nobody → Andrew Hayzen (ahayzen)
Changed in flatpak (Ubuntu Groovy):
assignee: nobody → Andrew Hayzen (ahayzen)
Changed in flatpak (Ubuntu Bionic):
status: New → In Progress
Changed in flatpak (Ubuntu Focal):
status: New → In Progress
Changed in flatpak (Ubuntu Groovy):
status: New → In Progress
Revision history for this message
Andrew Hayzen (ahayzen) wrote :

Hirsute now contains 1.10.2-1 with the fix, so I am marking it as fixed released.

Changed in flatpak (Ubuntu):
status: In Progress → Fix Released
description: updated
Mathew Hodson (mhodson)
Changed in flatpak (Ubuntu):
importance: Undecided → High
Changed in flatpak (Ubuntu Bionic):
importance: Undecided → High
Changed in flatpak (Ubuntu Focal):
importance: Undecided → High
Changed in flatpak (Ubuntu Groovy):
importance: Undecided → High
Bug Watch Updater (bug-watch-updater)
Changed in flatpak (Debian):
status: Unknown → Fix Released
Mathew Hodson (mhodson)
Changed in flatpak (Ubuntu Bionic):
importance: High → Medium
Changed in flatpak (Ubuntu Focal):
importance: High → Medium
Changed in flatpak (Ubuntu Groovy):
importance: High → Medium
Mathew Hodson (mhodson)
Changed in flatpak (Ubuntu):
importance: High → Medium
Revision history for this message
Steve Beattie (sbeattie) wrote :

Hey Andrew, thanks for preparing these updates. I have reviewed them, adjusted the patch names and the changelogs to refer to CVE-2021-21381, and have packages available for testing in the ubuntu-security-proposed ppa https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages .

Any feedback on them would be greatly appreciated. Thanks

Changed in flatpak (Ubuntu Bionic):
assignee: Andrew Hayzen (ahayzen) → Steve Beattie (sbeattie)
Changed in flatpak (Ubuntu Focal):
assignee: Andrew Hayzen (ahayzen) → Steve Beattie (sbeattie)
Changed in flatpak (Ubuntu Groovy):
assignee: Andrew Hayzen (ahayzen) → Steve Beattie (sbeattie)
Steve Beattie (sbeattie)
summary: - Update for GHSA-xgh4-387p-hqpp
+ Update for CVE-2021-21381
Revision history for this message
Andrew Hayzen (ahayzen) wrote :

Thanks for reviewing these updates!

I've done some exploratory testing of .desktop icon related tests from the test plan on a Focal VM and things are working normally.

$ apt policy flatpak
flatpak:
  Installed: 1.6.5-0ubuntu0.3
  Candidate: 1.6.5-0ubuntu0.3
  Version table:
 *** 1.6.5-0ubuntu0.3 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
     1.6.5-0ubuntu0.2 500
        500 http://gb.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
     1.6.3-1 500
        500 http://gb.archive.ubuntu.com/ubuntu focal/universe amd64 Packages

Revision history for this message
Andrew Hayzen (ahayzen) wrote :

@Steve Beattie, was there any progress on this or anything I can do to help ? Or is it just stuck in a queue of items to be reviewed? :-)

Revision history for this message
Andrew Hayzen (ahayzen) wrote :

I've also done some exploratory testing of .desktop icon related tests from the test plan on a Bionic VM and things are working normally.

$ apt policy flatpak
flatpak:
  Installed: 1.0.9-0ubuntu0.3
  Candidate: 1.0.9-0ubuntu0.3
  Version table:
 *** 1.0.9-0ubuntu0.3 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.9-0ubuntu0.2 500
        500 http://gb.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
     0.11.3-3 500
        500 http://gb.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package flatpak - 1.8.2-1ubuntu0.2

---------------
flatpak (1.8.2-1ubuntu0.2) groovy-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file
    (LP: #1918482)
   - debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage in
     desktop files.
   - debian/patches/CVE-2021-21381-2.patch: dir: Reserve the whole @@
     prefix.
   - debian/patches/CVE-2021-21381-3.patch: dir: Refuse to export
     .desktop files with suspicious uses.
   - CVE-2021-21381

 -- Andrew Hayzen <email address hidden> Wed, 10 Mar 2021 20:54:38 +0000

Changed in flatpak (Ubuntu Groovy):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package flatpak - 1.6.5-0ubuntu0.3

---------------
flatpak (1.6.5-0ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file
    (LP: #1918482)
   - debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage in
     desktop files.
   - debian/patches/CVE-2021-21381-2.patch: dir: Reserve the whole @@
     prefix.
   - debian/patches/CVE-2021-21381-3.patch: dir: Refuse to export
     .desktop files with suspicious uses.
   - CVE-2021-21381

 -- Andrew Hayzen <email address hidden> Fri, 05 Mar 2021 22:21:25 +0000

Changed in flatpak (Ubuntu Focal):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package flatpak - 1.0.9-0ubuntu0.3

---------------
flatpak (1.0.9-0ubuntu0.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file
    (LP: #1918482)
   - debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage in
     desktop files.
   - debian/patches/CVE-2021-21381-2.patch: dir: Reserve the whole @@
     prefix.
   - debian/patches/CVE-2021-21381-3.patch: dir: Refuse to export
     .desktop files with suspicious uses.
   - CVE-2021-21381

 -- Andrew Hayzen <email address hidden> Wed, 10 Mar 2021 20:51:04 +0000

Changed in flatpak (Ubuntu Bionic):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.