2019-03-26 21:45:30 |
Andrew Hayzen |
bug |
|
|
added bug |
2019-03-26 21:47:21 |
Andrew Hayzen |
flatpak (Ubuntu): assignee |
|
Andrew Hayzen (ahayzen) |
|
2019-03-26 21:47:31 |
Andrew Hayzen |
information type |
Public |
Public Security |
|
2019-03-26 21:47:58 |
Andrew Hayzen |
flatpak (Ubuntu): status |
New |
In Progress |
|
2019-03-28 23:17:22 |
Andrew Hayzen |
description |
Placeholder for a future flatpak 1.0.X release for bionic and cosmic. |
This is a request to SRU the latest microrelease of flatpak into bionic and cosmic, which is also a security update for CVE-2019-10063.
Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925541
Upstream bug https://github.com/flatpak/flatpak/issues/2782
[Impact]
New upstream microrelease of flatpak, which brings a security fix for CVE-2019-10063.
Bionic is currently at 1.0.7, whereas 1.0.8 is available upstream.
Cosmic is currently at 1.0.7, whereas 1.0.8 is available upstream.
Disco needs to be synced to >= 1.2.3-2 (is someone able to sync 1.2.4-1 from unstable?); bug 1822024 has this request.
[Test Case]
No test case has been mentioned in the Debian bug. In the upstream pull request it looks like the snapd exploit might be usable (https://www.exploit-db.com/exploits/46594), but the code change is minimal so I have not tried this yet.
[Regression Potential]
Flatpak has a test suite, which is run on build across all architectures and passes.
There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak. I have confirmed that 1.0.8 passes with this test plan on both bionic and cosmic.
Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak which is passing on bionic and cosmic.
Regression potential is low, and upstream is very responsive to any issues raised.
[Other information]
Debian and upstream comments about the vulnerability.
"flatpak versions since 0.8.1 (and Debian's 0.8.0-2, which has backports
of the upstream changes that became 0.8.1) attempt to prevent malicious
apps from escalating their privileges by injecting commands into the
controlling terminal with the TIOCSTI ioctl (CVE-2017-5226).
This fix was incomplete: on 64-bit platforms, seccomp looks at the whole
64-bit word, but the kernel only looks at the low 32 bits. This means we
also have to block commands like (0x1234567800000000 | TIOCSTI).
CVE-2019-10063 has been allocated for this vulnerability, which closely
resembles CVE-2019-7303 in snapd.
Mitigation: as usual with Flatpak sandbox bypasses, this can only be
exploited if you install a malicious app from a trusted source. The
sandbox parameters used for most apps are currently sufficiently weak
that a malicious app could do other equally bad things that we cannot
prevent, for example by abusing the X11 protocol."
Debian security tracker https://security-tracker.debian.org/tracker/CVE-2019-10063 |
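The quoted advisory explains the root cause: seccomp compares the whole 64-bit syscall argument, while the kernel's ioctl() only uses the low 32 bits of the request, so a rule that blocks exactly TIOCSTI misses (0x1234567800000000 | TIOCSTI). The following is an added example, not code from flatpak, Debian or this bug; it models the incomplete and the masked argument comparison as plain C predicates (hypothetical stand-ins for a seccomp rule's argument check) and assumes TIOCSTI_REQ is the Linux value of TIOCSTI from <asm-generic/ioctls.h>. It does not install a seccomp filter.

```c
/* Added example (not flatpak's own code): why a seccomp ioctl rule must
 * compare only the low 32 bits of the request argument.
 *
 * Assumptions: TIOCSTI_REQ is the value of TIOCSTI from
 * <asm-generic/ioctls.h> on Linux; naive_rule_blocks() and
 * masked_rule_blocks() are hypothetical stand-ins for the argument
 * comparison a seccomp rule performs. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TIOCSTI_REQ 0x5412ULL

/* Incomplete rule (the CVE-2019-10063 behaviour): the whole 64-bit syscall
 * argument is compared with TIOCSTI, so a request carrying junk in the
 * high 32 bits is not matched and is allowed through. */
bool naive_rule_blocks(uint64_t request)
{
    return request == TIOCSTI_REQ;
}

/* Fixed rule: the kernel's ioctl() takes `unsigned int cmd`, so only the
 * low 32 bits of the argument are meaningful. Mask before comparing; this
 * is what libseccomp's SCMP_CMP_MASKED_EQ with mask 0xFFFFFFFF expresses. */
bool masked_rule_blocks(uint64_t request)
{
    return (request & 0xFFFFFFFFULL) == TIOCSTI_REQ;
}

/* What the kernel actually dispatches on: the argument truncated to 32 bits. */
uint32_t kernel_cmd(uint64_t request)
{
    return (uint32_t)request;
}

/* Counts requests the kernel would treat as TIOCSTI that the given rule
 * nevertheless lets through (0 means the rule is complete for this list). */
unsigned count_bypasses(bool (*rule)(uint64_t), const uint64_t *reqs, size_t n)
{
    unsigned missed = 0;
    for (size_t i = 0; i < n; i++)
        if (kernel_cmd(reqs[i]) == TIOCSTI_REQ && !rule(reqs[i]))
            missed++;
    return missed;
}

int main(void)
{
    /* Constructed sample requests: the plain value, the variant named in the
     * advisory, another high-bits variant, and an unrelated request
     * (TCGETS, 0x5401) that a correct rule must keep allowing. */
    const uint64_t reqs[] = {
        TIOCSTI_REQ,
        0x1234567800000000ULL | TIOCSTI_REQ,
        0xFFFFFFFF00000000ULL | TIOCSTI_REQ,
        0x5401ULL
    };
    size_t n = sizeof reqs / sizeof reqs[0];

    printf("naive rule misses  %u TIOCSTI request(s)\n",
           count_bypasses(naive_rule_blocks, reqs, n));
    printf("masked rule misses %u TIOCSTI request(s)\n",
           count_bypasses(masked_rule_blocks, reqs, n));
    return 0;
}
```

On the constructed list the naive rule misses the two requests with non-zero high bits, while the masked rule misses none and still allows the unrelated TCGETS request; the same masking consideration applies to any seccomp rule that matches a 32-bit `unsigned int` syscall parameter against a 64-bit argument word.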
|
2019-03-28 23:21:26 |
Andrew Hayzen |
attachment added |
|
Flatpak bionic 1.0.7-0ubuntu0.18.04.1 to 1.0.8-0ubuntu0.18.04.1 debdiff.gz https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1821811/+attachment/5250333/+files/flatpak_1.0.7-0ubuntu0.18.04.1_to_flatpak_1.0.8-0ubuntu0.18.04.1.debdiff.gz |
|
2019-03-28 23:22:36 |
Andrew Hayzen |
attachment added |
|
Flatpak cosmic 1.0.7-0ubuntu0.18.10.1 to 1.0.8-0ubuntu0.18.10.1 debdiff.gz https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1821811/+attachment/5250334/+files/flatpak_1.0.7-0ubuntu0.18.10.1_to_flatpak_1.0.8-0ubuntu0.18.10.1.debdiff.gz |
|
2019-03-28 23:23:14 |
Andrew Hayzen |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2019-03-28 23:23:29 |
Andrew Hayzen |
flatpak (Ubuntu): status |
In Progress |
Confirmed |
|
2019-03-31 14:16:43 |
Andrew Hayzen |
summary |
New upstream microrelease flatpak 1.0.X |
New upstream microrelease flatpak 1.0.8 |
|
2019-03-31 14:16:50 |
Andrew Hayzen |
cve linked |
|
2019-10063 |
|
2019-03-31 20:38:33 |
Mathew Hodson |
nominated for series |
|
Ubuntu Cosmic |
|
2019-03-31 20:38:33 |
Mathew Hodson |
bug task added |
|
flatpak (Ubuntu Cosmic) |
|
2019-03-31 20:38:33 |
Mathew Hodson |
nominated for series |
|
Ubuntu Bionic |
|
2019-03-31 20:38:33 |
Mathew Hodson |
bug task added |
|
flatpak (Ubuntu Bionic) |
|
2019-03-31 20:39:20 |
Mathew Hodson |
flatpak (Ubuntu): status |
Confirmed |
Fix Released |
|
2019-03-31 20:40:14 |
Mathew Hodson |
tags |
|
upgrade-software-version |
|
2019-03-31 20:43:33 |
Mathew Hodson |
flatpak (Ubuntu): importance |
Undecided |
Low |
|
2019-03-31 20:43:36 |
Mathew Hodson |
flatpak (Ubuntu Bionic): importance |
Undecided |
Low |
|
2019-03-31 20:43:39 |
Mathew Hodson |
flatpak (Ubuntu Cosmic): importance |
Undecided |
Low |
|
2019-05-05 07:24:29 |
Andrew Hayzen |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925541 |
|
2019-05-05 07:24:29 |
Andrew Hayzen |
bug watch added |
|
https://github.com/flatpak/flatpak/issues/2782 |
|
2019-05-05 07:24:29 |
Andrew Hayzen |
cve linked |
|
2017-5226 |
|
2019-05-05 07:24:29 |
Andrew Hayzen |
cve linked |
|
2019-7303 |
|
2019-05-09 17:51:42 |
Launchpad Janitor |
flatpak (Ubuntu Cosmic): status |
New |
Fix Released |
|
2019-05-09 18:01:47 |
Launchpad Janitor |
flatpak (Ubuntu Bionic): status |
New |
Fix Released |
|