Update for ghsa-4ppf-fxf6-vxg2

Bug #1911473 reported by Andrew Hayzen
Affects             Status        Importance  Assigned to     Milestone
flatpak (Ubuntu)    Fix Released  Medium      Andrew Hayzen
  Bionic            Fix Released  Medium      Andrew Hayzen
  Focal             Fix Released  Medium      Andrew Hayzen
  Groovy            Fix Released  Medium      Andrew Hayzen
  Hirsute           Fix Released  Medium      Andrew Hayzen

Bug Description

[Links]

Upstream Advisory: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
Debian: https://security-tracker.debian.org/tracker/CVE-2021-21261
DSA: https://security-tracker.debian.org/tracker/DSA-4830-1

[Impact]

Versions in Ubuntu right now:
Hirsute: 1.8.4-2
Groovy: 1.8.2-1
Focal: 1.6.5-0ubuntu0.1
Bionic: 1.0.9-0ubuntu0.1

Affected versions:
    >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5

Patched versions:
    Expected to be >= 1.9.4, 1.8.x >= 1.8.5

There are also branches with patches for 1.6.x (Ubuntu 20.04), but nothing available yet for 1.0.x (Ubuntu 18.04).

[Test Case]

No manual test case has been given yet, but the upstream patches add to and change the unit tests.

[Regression Potential]

Flatpak has a test suite, which is run on build across all architectures and passes.

There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .

Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak .

Regression potential is low, and upstream is very responsive to any issues raised.

[Other information]

Simon McVittie discovered a bug in the flatpak-portal service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape).

The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself.

In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the flatpak run command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the flatpak run command, and use them to execute arbitrary code that is not in a sandbox.
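The mechanism described above, as an added illustration that is not Flatpak's own code: a pre-fix launcher that merges caller-supplied variables into the environment of the host-side helper itself (so a variable such as LD_PRELOAD is honoured by the helper, not only by the sandboxed child), next to the post-fix pattern of shipping the variables over a file descriptor as NUL-separated KEY=VALUE records, the --env-fd approach named in the patch titles below. The record format, the pipe transport and the sample variables are assumptions made for this example.

```python
"""Root cause and fix pattern of CVE-2021-21261, illustrated (not Flatpak code)."""
import os

# Constructed sample: variables a malicious sandboxed app might hand to the
# portal's Spawn() call.  LD_PRELOAD is honoured by the dynamic loader of any
# non-setuid host process, which is what makes it dangerous here.
CALLER_ENV = {"LD_PRELOAD": "/app/lib/evil.so", "FOO": "bar"}

# Constructed stand-in for the environment of the host-side portal process.
HOST_ENV = {"PATH": "/usr/bin:/bin", "HOME": "/home/user"}


def vulnerable_launcher_env(caller_env, host_env):
    """Pre-fix behaviour (illustrative): caller variables are merged into the
    environment used to exec the host-side launch helper, so they influence
    the helper itself rather than only the sandboxed child it creates."""
    env = dict(host_env)
    env.update(caller_env)
    return env


def encode_env_fd_payload(caller_env):
    """Post-fix pattern (illustrative): serialise caller variables as
    NUL-separated KEY=VALUE records for an --env-fd style file descriptor.
    Names and values are validated so a caller cannot smuggle extra records."""
    out = bytearray()
    for name, value in caller_env.items():
        if not name or "=" in name or "\0" in name or "\0" in value:
            raise ValueError(f"invalid environment variable: {name!r}")
        out += f"{name}={value}".encode() + b"\0"
    return bytes(out)


def hardened_launcher(caller_env, host_env):
    """Return (helper_env, extra_argv, read_fd).  The helper inherits the
    unmodified host environment; caller variables travel only over the fd,
    which the helper applies to the sandboxed child's environment alone."""
    payload = encode_env_fd_payload(caller_env)
    read_fd, write_fd = os.pipe()  # assumed transport; a sealed memfd also works
    try:
        os.write(write_fd, payload)
    finally:
        os.close(write_fd)
    return dict(host_env), [f"--env-fd={read_fd}"], read_fd


def parse_env_fd(fd):
    """Receiving side: read NUL-separated records from fd and return them as a
    dict destined for the child's environment only.  Closes fd when done."""
    chunks = []
    while True:
        chunk = os.read(fd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(fd)
    env = {}
    for record in b"".join(chunks).split(b"\0"):
        if not record:
            continue
        name, sep, value = record.partition(b"=")
        if not sep or not name:
            raise ValueError(f"malformed record: {record!r}")
        env[name.decode()] = value.decode()
    return env


if __name__ == "__main__":
    bad = vulnerable_launcher_env(CALLER_ENV, HOST_ENV)
    print("pre-fix helper env contains LD_PRELOAD:", "LD_PRELOAD" in bad)
    helper_env, argv, fd = hardened_launcher(CALLER_ENV, HOST_ENV)
    print("post-fix helper env contains LD_PRELOAD:", "LD_PRELOAD" in helper_env)
    print("post-fix extra argv:", argv, "child env:", parse_env_fd(fd))
```

The point of the split is that the helper which runs with host privileges never has the caller's variables in its own environment, so loader- or tool-specific variables cannot redirect what it executes; they only ever reach the process that ends up inside the new sandbox.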

Tags: patch

Andrew Hayzen (ahayzen)
Changed in flatpak (Ubuntu):
status: New → In Progress
assignee: nobody → Andrew Hayzen (ahayzen)
Andrew Hayzen (ahayzen)
description: updated
Andrew Hayzen (ahayzen)
description: updated
Andrew Hayzen (ahayzen) wrote:

This is now public.

information type: Private Security → Public Security
description: updated
description: updated
Paulo Flabiano Smorigo (pfsmorigo) wrote:

Hello Andrew, it seems that there is no CVE assigned to it, right?

Andrew Hayzen (ahayzen) wrote:

@Paulo, hi. Yes, there is no CVE yet, but I believe upstream have requested one via GitHub (I can see it says one has been requested). I will also try to submit debdiffs for Ubuntu 20.04 shortly (hopefully later tonight if testing goes well).

Paulo Flabiano Smorigo (pfsmorigo) wrote:

Ok thanks. I've tried to backport all commits with "Part-of: GHSA-4ppf-fxf6-vxg2" for hirsute but it fails to build. More commits are required in order to work.

Andrew Hayzen (ahayzen) wrote:

@Paulo

hirsute - can sync 1.8.5 from debian sid which contains the fix.
groovy - is a tricky one as it is one step behind in terms of microreleases (1.8.3) so either needs backporting or bumping to 1.8.5
focal - upstream have created a branch for me with relevant patches that allow it to build, but is untested (i plan on doing this later tonight)
bionic - there is no branch upstream for this series yet, we would need to figure out patches

Andrew Hayzen (ahayzen) wrote:

Please find attached the debdiff for Ubuntu 20.04 focal. I have tested this using the manual test plan in a VM and built in a PPA.

Let me know if anything has been done incorrectly.

summary: - Placeholder for ghsa-4ppf-fxf6-vxg2
+ Update for ghsa-4ppf-fxf6-vxg2
description: updated
Andrew Hayzen (ahayzen) wrote:

Also note that hirsute now has 1.8.5 in hirsute-proposed (which contains the fix), although it looks like s390x has failed in the tests - I wonder if a retest will make it pass or if it is a genuine failure.

Andrew Hayzen (ahayzen) wrote:

If anyone has the permission to propose this bug for the series, bionic, focal, and groovy that would be useful :-)

description: updated
Andrew Hayzen (ahayzen)
Changed in flatpak (Ubuntu Focal):
status: New → In Progress
assignee: nobody → Andrew Hayzen (ahayzen)
Andrew Hayzen (ahayzen) wrote:

1.8.5 has landed in hirsute now, so marking hirsute as fixed released.

Changed in flatpak (Ubuntu Hirsute):
status: In Progress → Fix Released
Mathew Hodson (mhodson)
Changed in flatpak (Ubuntu Bionic):
importance: Undecided → Medium
Changed in flatpak (Ubuntu Focal):
importance: Undecided → Medium
Changed in flatpak (Ubuntu Hirsute):
importance: Undecided → Medium
Changed in flatpak (Ubuntu Groovy):
importance: Undecided → Medium
Changed in flatpak (Ubuntu Groovy):
assignee: nobody → Andrew Hayzen (ahayzen)
Changed in flatpak (Ubuntu Bionic):
assignee: nobody → Andrew Hayzen (ahayzen)
Paulo Flabiano Smorigo (pfsmorigo) wrote:

Just a heads up. Your focal backport seems fine, no problems there. I'm working on the bionic version but, since it's based on 1.0.9, it's not straightforward.

Andrew Hayzen (ahayzen) wrote:

@Paulo, Thanks !

BTW smcv just pointed out two more potential patches that could be included in the focal 1.6 patch, these are only for users that use setuid on the bubblewrap binary though (users who disable user namespaces - like Debian). It would be up to us if we want to include them. See https://github.com/flatpak/flatpak/pull/4070#issuecomment-764664659 I can try and include these extra two commits if you think it is useful, but not sure how many users would do this or if it would be considered "supported" ?

For bionic, note that the flatpak-1.2.x branch has the fixes applied (with extra setuid patches here https://github.com/flatpak/flatpak/pull/4087 ); these may help for figuring out 1.0.x.

And what would the security team prefer to do for groovy ? We could either sync 1.8.5 from hirsute or apply the patches to 1.8.2 ? (although looks like 1.10.0-2 is in hirsute-proposed, so might have to be quick :') unless we can sync an older version somehow )

Please advise if you want me to attempt any other areas :-)

Andrew Hayzen (ahayzen) wrote:

Please find attached the debdiff for Ubuntu 20.10 groovy. This includes a similar set of patches to the focal set and has been picked from between the 1.8.4 and 1.8.5 tags.

Let me know if anything has been done incorrectly or missed any commits.

I will leave it up to the security team to decide if Ubuntu should also include the extra setuid patches provided by upstream in any of these debdiffs.

Changed in flatpak (Ubuntu Groovy):
status: New → In Progress
Mathew Hodson (mhodson)
tags: added: patch
Paulo Flabiano Smorigo (pfsmorigo) wrote:

Thanks. I managed to backport version 1.2 to bionic (1.0.9). I had to exclude the tests because the framework is very different between both versions. I'll test it on Monday.

Andrew Hayzen (ahayzen) wrote:

@Paulo, was there any progress on this or anything you need help with ? I've posted debdiffs for focal and groovy. Sounds like you have a diff for bionic.

Let me know if there is anything I can do to help this move to the next step :-)

Paulo Flabiano Smorigo (pfsmorigo) wrote:

@Andrew, hello. Focal and Groovy with your backports are fine and ready to go. I'm still hesitant about Bionic since I couldn't import the tests. I'll try to manually test it a little more tomorrow and if everything goes well I'll publish it on Monday.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package flatpak - 1.6.5-0ubuntu0.2

---------------
flatpak (1.6.5-0ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: tests: Add minimal version
      of "ok" helper.
    - debian/patches/CVE-2021-21261-2.patch: common: Add a backport of
      G_DBUS_METHOD_INVOCATION_HANDLED.
    - debian/patches/CVE-2021-21261-3.patch: run: Convert all environment
      variables into bwrap arguments.
    - debian/patches/CVE-2021-21261-4.patch: tests: Expand coverage for
      environment variable overrides.
    - debian/patches/CVE-2021-21261-5.patch: context: Add --env-fd option.
    - debian/patches/CVE-2021-21261-6.patch: portal: Convert --env in
      extra-args into --env-fd.
    - debian/patches/CVE-2021-21261-7.patch: tests: Exercise --env-fd.
    - debian/patches/CVE-2021-21261-8.patch: portal: Do not use
      caller-supplied variables in environment.
    - debian/patches/CVE-2021-21261-9.patch: tests: Assert that --env= does
      not go in `flatpak run` or bwrap environ.
    - CVE-2021-21261

 -- Andrew Hayzen <email address hidden> Wed, 13 Jan 2021 21:09:15 +0000

Changed in flatpak (Ubuntu Focal):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package flatpak - 1.0.9-0ubuntu0.2

---------------
flatpak (1.0.9-0ubuntu0.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: run: Convert all environment
      variables into bwrap arguments.
    - debian/patches/CVE-2021-21261-2.patch: common: Move
      flatpak_buffer_to_sealed_memfd_or_tmpfile to its own file.
    - debian/patches/CVE-2021-21261-3.patch: context: Add --env-fd option.
    - debian/patches/CVE-2021-21261-4.patch: portal: Convert --env in
      extra-args into --env-fd.
    - debian/patches/CVE-2021-21261-5.patch: portal: Do not use caller-supplied
      variables in environment.
    - CVE-2021-21261

 -- Paulo Flabiano Smorigo <email address hidden> Tue, 19 Jan 2021 14:21:40 +0000

Changed in flatpak (Ubuntu Bionic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package flatpak - 1.8.2-1ubuntu0.1

---------------
flatpak (1.8.2-1ubuntu0.1) groovy-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: common: Add a backport of
      G_DBUS_METHOD_INVOCATION_HANDLED.
    - debian/patches/CVE-2021-21261-2.patch: run: Convert all environment
      variables into bwrap arguments.
    - debian/patches/CVE-2021-21261-3.patch: tests: Expand coverage for
      environment variable overrides.
    - debian/patches/CVE-2021-21261-4.patch: context: Add --env-fd option.
    - debian/patches/CVE-2021-21261-5.patch: portal: Convert --env in
      extra-args into --env-fd.
    - debian/patches/CVE-2021-21261-6.patch: tests: Exercise --env-fd.
    - debian/patches/CVE-2021-21261-7.patch: portal: Do not use
      caller-supplied variables in environment.
    - debian/patches/CVE-2021-21261-8.patch: tests: Assert that --env= does
      not go in `flatpak run` or bwrap environ.
    - CVE-2021-21261

 -- Andrew Hayzen <email address hidden> Fri, 22 Jan 2021 00:59:12 +0000

Changed in flatpak (Ubuntu Groovy):
status: In Progress → Fix Released