New upstream microrelease flatpak 1.0.8

Bug #1821811 reported by Andrew Hayzen on 2019-03-26
Affects / Importance / Assigned to:
flatpak (Ubuntu): Low, Andrew Hayzen
Bionic: Low, Unassigned
Cosmic: Low, Unassigned

Bug Description

This is a request to SRU the latest microrelease of flatpak into bionic and cosmic, which is also a security update for CVE-2019-10063.

Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925541
Upstream bug https://github.com/flatpak/flatpak/issues/2782

[Impact]

New upstream microrelease of flatpak, which brings a security fix for CVE-2019-10063.

Bionic is currently at 1.0.7, whereas 1.0.8 is available upstream.
Cosmic is currently at 1.0.7, whereas 1.0.8 is available upstream.

Disco needs to be synced to >= 1.2.3-2 (is someone able to sync 1.2.4-1 from unstable?); bug 1822024 has this request.

[Test Case]

No test case has been mentioned in the Debian bug; in the upstream pull request it looks like the snapd exploit might be usable (https://www.exploit-db.com/exploits/46594), but the code change is minimal, so I have not tried this yet.

[Regression Potential]

Flatpak has a test suite, which is run on build across all architectures and passes.

There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak. I have confirmed that 1.0.8 passes with this test plan on both bionic and cosmic.

Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak which is passing on bionic and cosmic.

Regression potential is low, and upstream is very responsive to any issues raised.

[Other information]

Debian and upstream comments about the vulnerability.

"flatpak versions since 0.8.1 (and Debian's 0.8.0-2, which has backports
of the upstream changes that became 0.8.1) attempt to prevent malicious
apps from escalating their privileges by injecting commands into the
controlling terminal with the TIOCSTI ioctl (CVE-2017-5226).

This fix was incomplete: on 64-bit platforms, seccomp looks at the whole
64-bit word, but the kernel only looks at the low 32 bits. This means we
also have to block commands like (0x1234567800000000 | TIOCSTI).
CVE-2019-10063 has been allocated for this vulnerability, which closely
resembles CVE-2019-7303 in snapd.

Mitigation: as usual with Flatpak sandbox bypasses, this can only be
exploited if you install a malicious app from a trusted source. The
sandbox parameters used for most apps are currently sufficiently weak
that a malicious app could do other equally bad things that we cannot
prevent, for example by abusing the X11 protocol."

Debian security tracker https://security-tracker.debian.org/tracker/CVE-2019-10063
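The truncation described in the quoted upstream comment, as an added example written for this page rather than flatpak's own code: the kernel dispatches ioctl() on the low 32 bits of the request word, so a seccomp rule that compares the full 64-bit argument misses requests with nonzero high bits, while a rule that masks to 32 bits does not. TIOCSTI comes from the system headers (with the x86 Linux value as a fallback), and the sample request words in `count_escapes` are constructed for the example.

```c
/* Added example, not flatpak's own code: models the seccomp mismatch
 * behind CVE-2019-10063.  The kernel's ioctl() entry point receives the
 * request number as `unsigned int`, so a 64-bit register value is
 * truncated to its low 32 bits before dispatch, while a seccomp-bpf rule
 * that compares the whole 64-bit argument sees a different number. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ioctl.h>

#ifndef TIOCSTI
#define TIOCSTI 0x5412 /* x86 Linux value; only used on hosts lacking it */
#endif

/* What the kernel actually dispatches on: the low 32 bits of arg1. */
static uint32_t kernel_ioctl_cmd(uint64_t arg1)
{
    return (uint32_t)arg1;
}

/* Vulnerable rule shape: exact equality on the full 64-bit argument,
 * the comparison the incomplete CVE-2017-5226 fix effectively made. */
int naive_rule_blocks(uint64_t arg1)
{
    return arg1 == (uint64_t)TIOCSTI;
}

/* Corrected rule shape: compare only the width the kernel uses.  With
 * libseccomp this is an SCMP_CMP_MASKED_EQ comparison with mask
 * 0xFFFFFFFF; in raw BPF it means loading just the low word of args[1]. */
int masked_rule_blocks(uint64_t arg1)
{
    return (arg1 & 0xFFFFFFFFu) == (uint32_t)TIOCSTI;
}

/* Soundness check a reviewer can apply to any ioctl rule: the filter's
 * verdict must agree with what the kernel does after truncation. */
int rule_is_sound_for(int (*blocks)(uint64_t), uint64_t arg1)
{
    int kernel_sees_tiocsti = kernel_ioctl_cmd(arg1) == (uint32_t)TIOCSTI;
    return blocks(arg1) == kernel_sees_tiocsti;
}

/* Constructed sample of ioctl request words (not captured data): the plain
 * request, two variants with junk in the high 32 bits, and an unrelated
 * request that must stay allowed.  Returns how many requests the kernel
 * would treat as TIOCSTI but the given rule lets through. */
int count_escapes(int (*blocks)(uint64_t))
{
    static const uint64_t samples[] = {
        (uint64_t)TIOCSTI,
        0x1234567800000000ULL | TIOCSTI,   /* the pattern quoted in the report */
        0xFFFFFFFF00000000ULL | TIOCSTI,
        0x5401ULL,                          /* TCGETS on x86 Linux: unrelated */
    };
    int escapes = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (kernel_ioctl_cmd(samples[i]) == (uint32_t)TIOCSTI &&
            !blocks(samples[i]))
            escapes++;
    }
    return escapes;
}

int main(void)
{
    printf("naive rule escapes:  %d\n", count_escapes(naive_rule_blocks));
    printf("masked rule escapes: %d\n", count_escapes(masked_rule_blocks));
    return 0;
}
```

The same invariant applies to any syscall argument the kernel narrows before use: a seccomp rule should compare exactly the bits the kernel will read, which is why the fix in 1.0.8 is described as rejecting every ioctl the kernel will interpret as TIOCSTI rather than only the request word equal to it.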


Andrew Hayzen (ahayzen) on 2019-03-26
Changed in flatpak (Ubuntu):
assignee: nobody → Andrew Hayzen (ahayzen)
information type: Public → Public Security
Changed in flatpak (Ubuntu):
status: New → In Progress
Andrew Hayzen (ahayzen) wrote :
Changed in flatpak (Ubuntu):
status: In Progress → Confirmed
Andrew Hayzen (ahayzen) wrote :

This has been fixed in disco as per version 1.2.4-1. Is someone able to nominate this bug for bionic and cosmic, and mark the main bug as Fix Released? (I don't have permission to nominate for series.)

summary: - New upstream microrelease flatpak 1.0.X
+ New upstream microrelease flatpak 1.0.8
Changed in flatpak (Ubuntu):
status: Confirmed → Fix Released
tags: added: upgrade-software-version
Changed in flatpak (Ubuntu):
importance: Undecided → Low
Changed in flatpak (Ubuntu Bionic):
importance: Undecided → Low
Changed in flatpak (Ubuntu Cosmic):
importance: Undecided → Low
Seth Arnold (seth-arnold) wrote :

Hello Andrew, thanks for taking this update.

Could you confirm the sha256sum of the tarball you used while generating this?

I think the right approach for this update is going to be to upload a new package with new tarball, and edit the diff to keep only the debian/changelog hunk. It's important to make sure we use the same tarball that you tested.

Thanks

Andrew Hayzen (ahayzen) wrote :

Hi,

I used pull-lp-source flatpak {bionic,cosmic}, then uscan --download-version 1.0.8 and uupdate, as there is a new upstream release with this fix.

For bionic these are the sha256sums in my build folder

85e9f11188fde70fa6c4b1e17b1bc61d1ea5abf9fe4e0d956c3f421deaace4da flatpak_1.0.7-0ubuntu0.18.04.1.debian.tar.xz
e0e6626a6d475ab263e7eab93d945d88f37c055fc9083d349101829b61253590 flatpak_1.0.7.orig.tar.xz
f8e3f7ea885a95ab46684a3ae5d2b7f5bcebc120d2819468a3e08d14b5aef226 flatpak_1.0.8-0ubuntu0.18.04.1.debian.tar.xz
1b1b419e3b2e8e75b18eb6442f0eb585fe402cea529729c15bbaf2622d746c3c flatpak_1.0.8.orig.tar.xz
1b1b419e3b2e8e75b18eb6442f0eb585fe402cea529729c15bbaf2622d746c3c flatpak-1.0.8.tar.xz

For cosmic these are the sha256sums in my build folder

d6634d222d6175e5aeba6e5b1ca2be61cfe3b02afe79dc390feac09e56efb673 flatpak_1.0.7-0ubuntu0.18.10.1.debian.tar.xz
e0e6626a6d475ab263e7eab93d945d88f37c055fc9083d349101829b61253590 flatpak_1.0.7.orig.tar.xz
b29bfb4b530d4c3d48d2024a40b698a33b072b2dec619364701d51cba106d51b flatpak_1.0.8-0ubuntu0.18.10.1.debian.tar.xz
1b1b419e3b2e8e75b18eb6442f0eb585fe402cea529729c15bbaf2622d746c3c flatpak_1.0.8.orig.tar.xz
1b1b419e3b2e8e75b18eb6442f0eb585fe402cea529729c15bbaf2622d746c3c flatpak-1.0.8.tar.xz

Let me know if you need more info :-)

Seth Arnold (seth-arnold) wrote :

Excellent, thanks Andrew.

Andrew Hayzen (ahayzen) wrote :

Is there anything else I need to do to help this update?

Hello Andrew, can you check/test if the packages below are working properly?
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=flatpak


Thanks Paulo, I'm afk on holiday at the moment, so will test this when I'm back towards the end of the week, thanks!

On Fri, 3 May 2019, 01:35 Paulo Flabiano Smorigo, <email address hidden> wrote:

> Hello Andrew, can you check/test if the packages below are working properly?
>
> https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=flatpak
>

Andrew Hayzen (ahayzen) wrote :

Paulo, I have tested the following flatpak versions on bionic and cosmic, they appear to work correctly and the debdiffs match the ones I generated - so LGTM :-)

$ apt policy flatpak
flatpak:
  Installed: 1.0.8-0ubuntu0.18.04.1
  Candidate: 1.0.8-0ubuntu0.18.04.1
  Version table:
 *** 1.0.8-0ubuntu0.18.04.1 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.7-0ubuntu0.18.04.1 500
        500 http://gb.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
     0.11.3-3 500

$ apt policy flatpak
flatpak:
  Installed: 1.0.8-0ubuntu0.18.10.1
  Candidate: 1.0.8-0ubuntu0.18.10.1
  Version table:
 *** 1.0.8-0ubuntu0.18.10.1 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.7-0ubuntu0.18.10.1 500
        500 http://gb.archive.ubuntu.com/ubuntu cosmic-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu cosmic-security/universe amd64 Packages
     1.0.4-1 500
        500 http://gb.archive.ubuntu.com/ubuntu cosmic/universe amd64 Packages
        500 http://gb.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package flatpak - 1.0.8-0ubuntu0.18.10.1

---------------
flatpak (1.0.8-0ubuntu0.18.10.1) cosmic-security; urgency=medium

  * Update to 1.0.8 (LP: #1821811)
  * New upstream release
    - SECURITY UPDATE: seccomp: Reject all ioctls that the kernel will
      interpret as TIOCSTI, including those where the high 32 bits in
      a 64-bit word are nonzero.
    - CVE-2019-10063

 -- Andrew Hayzen <email address hidden> Thu, 28 Mar 2019 21:57:34 +0000

Changed in flatpak (Ubuntu Cosmic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package flatpak - 1.0.8-0ubuntu0.18.04.1

---------------
flatpak (1.0.8-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * Update to 1.0.8 (LP: #1821811)
  * New upstream release
    - SECURITY UPDATE: seccomp: Reject all ioctls that the kernel will
      interpret as TIOCSTI, including those where the high 32 bits in
      a 64-bit word are nonzero.
    - CVE-2019-10063

 -- Andrew Hayzen <email address hidden> Wed, 27 Mar 2019 21:21:48 +0000

Changed in flatpak (Ubuntu Bionic):
status: New → Fix Released