Activity log for bug #1821811

Date Who What changed Old value New value Message
2019-03-26 21:45:30 Andrew Hayzen bug added bug
2019-03-26 21:47:21 Andrew Hayzen flatpak (Ubuntu): assignee Andrew Hayzen (ahayzen)
2019-03-26 21:47:31 Andrew Hayzen information type Public Public Security
2019-03-26 21:47:58 Andrew Hayzen flatpak (Ubuntu): status New In Progress
2019-03-28 23:17:22 Andrew Hayzen description
Old value: Placeholder for a future flatpak 1.0.X release for bionic and cosmic.
New value:
This is a request to SRU the latest microrelease of flatpak into bionic and cosmic, which is also a security update for CVE-2019-10063.
Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925541
Upstream bug https://github.com/flatpak/flatpak/issues/2782

[Impact]
New upstream microrelease of flatpak, which brings a security fix for CVE-2019-10063.
Bionic is currently at 1.0.7, whereas 1.0.8 is available upstream.
Cosmic is currently at 1.0.7, whereas 1.0.8 is available upstream.
Disco needs to be synced to >= 1.2.3-2 (is someone able to sync 1.2.4-1 from unstable?); bug 1822024 has this request.

[Test Case]
No test case has been mentioned in the Debian bug. In the upstream pull request it looks like the snapd exploit https://www.exploit-db.com/exploits/46594 might be able to be used, but the code change is minimal so I have not tried this yet.

[Regression Potential]
Flatpak has a test suite, which is run on build across all architectures and passes. There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak. I have confirmed that 1.0.8 passes with this test plan on both bionic and cosmic. Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak which are passing on bionic and cosmic. Regression potential is low, and upstream is very responsive to any issues raised.

[Other information]
Debian and upstream comments about the vulnerability:
"flatpak versions since 0.8.1 (and Debian's 0.8.0-2, which has backports of the upstream changes that became 0.8.1) attempt to prevent malicious apps from escalating their privileges by injecting commands into the controlling terminal with the TIOCSTI ioctl (CVE-2017-5226). This fix was incomplete: on 64-bit platforms, seccomp looks at the whole 64-bit word, but the kernel only looks at the low 32 bits. This means we also have to block commands like (0x1234567800000000 | TIOCSTI). CVE-2019-10063 has been allocated for this vulnerability, which closely resembles CVE-2019-7303 in snapd. Mitigation: as usual with Flatpak sandbox bypasses, this can only be exploited if you install a malicious app from a trusted source. The sandbox parameters used for most apps are currently sufficiently weak that a malicious app could do other equally bad things that we cannot prevent, for example by abusing the X11 protocol."
Debian security tracker https://security-tracker.debian.org/tracker/CVE-2019-10063
2019-03-28 23:21:26 Andrew Hayzen attachment added Flatpak bionic 1.0.7-0ubuntu0.18.04.1 to 1.0.8-0ubuntu0.18.04.1 debdiff.gz https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1821811/+attachment/5250333/+files/flatpak_1.0.7-0ubuntu0.18.04.1_to_flatpak_1.0.8-0ubuntu0.18.04.1.debdiff.gz
2019-03-28 23:22:36 Andrew Hayzen attachment added Flatpak cosmic 1.0.7-0ubuntu0.18.10.1 to 1.0.8-0ubuntu0.18.10.1 debdiff.gz https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1821811/+attachment/5250334/+files/flatpak_1.0.7-0ubuntu0.18.10.1_to_flatpak_1.0.8-0ubuntu0.18.10.1.debdiff.gz
2019-03-28 23:23:14 Andrew Hayzen bug added subscriber Ubuntu Security Sponsors Team
2019-03-28 23:23:29 Andrew Hayzen flatpak (Ubuntu): status In Progress Confirmed
2019-03-31 14:16:43 Andrew Hayzen summary New upstream microrelease flatpak 1.0.X New upstream microrelease flatpak 1.0.8
2019-03-31 14:16:50 Andrew Hayzen cve linked 2019-10063
2019-03-31 20:38:33 Mathew Hodson nominated for series Ubuntu Cosmic
2019-03-31 20:38:33 Mathew Hodson bug task added flatpak (Ubuntu Cosmic)
2019-03-31 20:38:33 Mathew Hodson nominated for series Ubuntu Bionic
2019-03-31 20:38:33 Mathew Hodson bug task added flatpak (Ubuntu Bionic)
2019-03-31 20:39:20 Mathew Hodson flatpak (Ubuntu): status Confirmed Fix Released
2019-03-31 20:40:14 Mathew Hodson tags upgrade-software-version
2019-03-31 20:43:33 Mathew Hodson flatpak (Ubuntu): importance Undecided Low
2019-03-31 20:43:36 Mathew Hodson flatpak (Ubuntu Bionic): importance Undecided Low
2019-03-31 20:43:39 Mathew Hodson flatpak (Ubuntu Cosmic): importance Undecided Low
2019-05-05 07:24:29 Andrew Hayzen bug watch added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925541
2019-05-05 07:24:29 Andrew Hayzen bug watch added https://github.com/flatpak/flatpak/issues/2782
2019-05-05 07:24:29 Andrew Hayzen cve linked 2017-5226
2019-05-05 07:24:29 Andrew Hayzen cve linked 2019-7303
2019-05-09 17:51:42 Launchpad Janitor flatpak (Ubuntu Cosmic): status New Fix Released
2019-05-09 18:01:47 Launchpad Janitor flatpak (Ubuntu Bionic): status New Fix Released