Ubuntu
flatpak package

New upstream microrelease flatpak 1.0.7

Bug #1815528 reported by Andrew Hayzen
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
flatpak (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Cosmic
Fix Released
Undecided
Unassigned

Bug Description

This is a request to SRU the latest microrelease of flatpak into bionic and cosmic. Which is also a security update similar to the runc CVE-2019-5736.

Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922059

[Impact]

New upstream microrelease of flatpak, which brings security fixes similar to the runc CVE-2019-5736.

Bionic is currently at 1.0.6, whereas 1.0.7 is available upstream.
Cosmic is currently at 1.0.6, whereas 1.0.7 is available upstream.

[Test Case]

As stated in the debian bug there isn't yet an exploit to demonstration the vulnerability, see the test plan below for testing flatpak itself.

[Regression Potential]

Flatpak has a test suite, which is run on build across all architectures and passes.

There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak. I have confirmed that 1.0.7 passes with this test plan on both bionic and cosmic. I have also checked that installing and running an app that uses the apply_extra still functions (and will add this to the test plan in the future).

Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak which is passing on bionic and cosmic.

Regression potential is low, and upstream is very responsive to any issues raised.

[Other information]

Debian and upstream comments about the vulnerability.

If a user installs a system-wide Flatpak app or runtime that has an 'apply_extra' script, then the apply_extra script is run in a sandbox, as root, with /proc mounted. A malicious app or runtime could traverse /proc/self/exe to modify a host-side executable.

The app or runtime would have to come from a trusted Flatpak
repository (such as Flathub) that was previously added as a system-wide
source of Flatpak apps by a root-equivalent user.

(Non-malicious apply_extra scripts are normally used to process "extra
data" files that had to be downloaded out-of-band, such as the archives
containing the proprietary Nvidia graphics drivers, which the Flathub
maintainers do not believe they are allowed to redistribute directly.)

The fix is to "Don't expose /proc in apply_extra script sandbox."

See original description

CVE References

Andrew Hayzen (ahayzen)
Changed in flatpak (Ubuntu):
assignee: nobody → Andrew Hayzen (ahayzen)
status: New → In Progress
Andrew Hayzen (ahayzen)
description: updated
summary: - New upstream microrelease flatpak 1.0.X
+ New upstream microrelease flatpak 1.0.7
Andrew Hayzen (ahayzen)
description: updated
Andrew Hayzen (ahayzen)
description: updated
Jeremy Bícha (jbicha)
Changed in flatpak (Ubuntu):
status: In Progress → Fix Released
Changed in flatpak (Ubuntu Bionic):
status: New → Confirmed
Changed in flatpak (Ubuntu Cosmic):
status: New → Confirmed
Changed in flatpak (Ubuntu Bionic):
assignee: nobody → Andrew Hayzen (ahayzen)
Changed in flatpak (Ubuntu Cosmic):
assignee: nobody → Andrew Hayzen (ahayzen)
Changed in flatpak (Ubuntu Bionic):
assignee: Andrew Hayzen (ahayzen) → nobody
Changed in flatpak (Ubuntu Cosmic):
assignee: Andrew Hayzen (ahayzen) → nobody
Changed in flatpak (Ubuntu):
assignee: Andrew Hayzen (ahayzen) → nobody
Andrew Hayzen (ahayzen)
information type: Public → Public Security
Revision history for this message
Andrew Hayzen (ahayzen) wrote :

FYI DSA 4390-1 now tracks the security issue in Debian https://lists.debian.org/debian-security-announce/2019/msg00030.html

Revision history for this message
Andrew Hayzen (ahayzen) wrote :

DSA-4390-1 now uses CVE-2019-8308 to track the vulnerability, I guess I need to update the changelog of the debdiff to mention this CVE now ? (I will do this later today)

Revision history for this message
Andrew Hayzen (ahayzen) wrote :
Revision history for this message
Andrew Hayzen (ahayzen) wrote :
Revision history for this message
Steve Beattie (sbeattie) wrote :

Thanks, I'm looking at these now.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Hi Andrew,

I'll be releasing these in a moment. A couple of things to note:

  - I touched up the versions, since there is no difference besides which release they are for (https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging contains details on how packages are typically versioned)

  - Because of the dependency on the version of ostree in bionic-updates, I had to do a no-change rebuild of ostree for the bionic-security pocket (otherwise, flatpak would be uninstallable for a system that only has bionic-security and not bionic-updates enabled).

  - It's not blocking this update, but when poking through the test plan wiki page above, gnome-software-plugin-flatpak is uninstallable on bionic:
    The following packages have unmet dependencies:
 gnome-software-plugin-flatpak : Depends: gnome-software (= 3.28.1-0ubuntu4) but 3.28.1-0ubuntu4.18.04.8 is to be installed

Thanks!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package flatpak - 1.0.7-0ubuntu0.18.10.1

---------------
flatpak (1.0.7-0ubuntu0.18.10.1) cosmic-security; urgency=medium

  * Update to 1.0.7 (LP: #1815528)
  * New upstream release
    - SECURITY UPDATE: do not let the apply_extra script for a system
      installation modify the host-side executable via /proc/self/exe,
      similar to CVE-2019-5736 in runc
    - CVE-2019-8308

 -- Andrew Hayzen <email address hidden> Wed, 13 Feb 2019 21:31:52 +0000

Changed in flatpak (Ubuntu Cosmic):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package flatpak - 1.0.7-0ubuntu0.18.04.1

---------------
flatpak (1.0.7-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * Update to 1.0.7 (LP: #1815528)
  * New upstream release
    - SECURITY UPDATE: do not let the apply_extra script for a system
      installation modify the host-side executable via /proc/self/exe,
      similar to CVE-2019-5736 in runc
    - CVE-2019-8308

 -- Andrew Hayzen <email address hidden> Wed, 13 Feb 2019 21:24:42 +0000

Changed in flatpak (Ubuntu Bionic):
status: Confirmed → Fix Released
Revision history for this message
Andrew Hayzen (ahayzen) wrote :

@Steve Beattie

Awesome thanks for doing this so promptly :-)

> - I touched up the versions, since there is no difference besides which release they are for (https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging contains details on how packages are typically versioned)

Thanks! I'll note this for any future security uploads.

> - Because of the dependency on the version of ostree in bionic-updates, I had to do a no-change rebuild of ostree for the bionic-security pocket (otherwise, flatpak would be uninstallable for a system that only has bionic-security and not bionic-updates enabled).

Ah yes that makes sense, I'll make sure to note any dependencies that would need moving in the bug description next time.

> - It's not blocking this update, but when poking through the test plan wiki page above, gnome-software-plugin-flatpak is uninstallable on bionic:
> The following packages have unmet dependencies:
> gnome-software-plugin-flatpak : Depends: gnome-software (= 3.28.1-0ubuntu4) but 3.28.1-0ubuntu4.18.04.8 is to be installed

Hmm this seems strange, as gnome-software and gnome-software-plugin-flatpak has version 3.28.1-0ubuntu4 in bionic and version 3.28.1-0ubuntu4.18.04.8 is in bionic-updates (both of the binary packages are from the same source package so they should match? https://launchpad.net/ubuntu/bionic/+source/gnome-software ).

I wonder had you previously updated your machine to have a newer gnome-software, then disabled bionic-updates to test this ? As then this message may make sense.

Or do you have any other ideas or suggestions as to what has happened ? (I have multiple machines and VMs with bionic-updates enabled that have gnome-software-plugin-flatpak installed successfully).

Revision history for this message
Steve Beattie (sbeattie) wrote :

> I wonder had you previously updated your machine to have a newer gnome-software,
> then disabled bionic-updates to test this ? As then this message may make sense.

Ah yes, this is exactly what happened, I had disabled updates in my test vm to ensure there wasn't any other dependency of flatpak that needed to be pulled in to the security pocket. Thanks for checking, and thanks for the update!

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.