Sync flatpak 1.2.3-2 (universe) from Debian unstable (main) for CVE-2019-10063

Bug #1822024 reported by Anders Kaseorg on 2019-03-28
Affects: flatpak (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Please sync flatpak 1.2.3-2 (universe) from Debian unstable (main)

Changelog entries since current disco version 1.2.3-1:

flatpak (1.2.3-2) unstable; urgency=high

  * seccomp: Reject all ioctls that the kernel will interpret as TIOCSTI,
    including those where the high 32 bits in a 64-bit word are nonzero.
    (Closes: #925541, CVE-2019-10063)

 -- Simon McVittie <email address hidden> Tue, 26 Mar 2019 20:38:36 +0000

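The changelog entry above states what the fix does but not why the original rule could be bypassed. The following is an added example (not flatpak's or Debian's code, and not part of this report) written in hand-built classic BPF to show the mechanism: ioctl(2) declares the request as unsigned long, but the kernel reads it as an unsigned int, so a request of TIOCSTI | (1ULL << 32) is still TIOCSTI to the tty driver. The vulnerable filter has the semantics of a full 64-bit equality test (what libseccomp's SCMP_CMP_EQ means on a 64-bit ABI); the fixed one compares only the low word, which is what SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFU, TIOCSTI) expresses. The exact instruction sequences libseccomp emits differ from these, and the function and macro names are my own. It assumes Linux on a little-endian 64-bit target (x86-64, aarch64), where the low word of args[1] sits at the lower offset.

```c
/* Added example, not flatpak's own code: a seccomp rule matching the ioctl
 * request must compare only the low 32 bits, because the kernel uses the
 * request as an unsigned int. Assumes Linux, little-endian, 64-bit. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/ioctl.h>    /* TIOCSTI */
#include <sys/prctl.h>
#include <sys/syscall.h>  /* __NR_ioctl */

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))
/* cBPF loads are 32-bit wide; args[1] is the ioctl request, low word first. */
#define ARG1_LO ((uint32_t)offsetof(struct seccomp_data, args[1]))
#define ARG1_HI (ARG1_LO + 4)

/* Vulnerable rule: both halves of args[1] must match (64-bit equality). */
static const struct sock_filter vuln_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 5), /* not ioctl: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG1_HI),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 3),          /* high word set: allow (the bug) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG1_LO),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Fixed rule: look only at the low word, which is all the kernel looks at. */
static const struct sock_filter fixed_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG1_LO),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Minimal cBPF evaluator for the three opcodes used above; returns the
 * verdict the kernel would reach for one syscall. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof acc > sizeof *sd)
                return SECCOMP_RET_KILL;          /* out-of-range load */
            memcpy(&acc, (const unsigned char *)sd + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf; /* loop adds the +1 */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;              /* opcode not modelled */
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end; the kernel rejects such programs */
}

/* Verdict for ioctl(fd, request, ...); only args[1] matters to these rules. */
static uint32_t ioctl_verdict(const struct sock_filter *prog, size_t len,
                              uint64_t request)
{
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.nr = __NR_ioctl;
    sd.args[1] = request;
    return run_filter(prog, len, &sd);
}

/* 1 if the rule blocks the request, 0 if it lets it through. */
int vuln_filter_blocks(uint64_t request)
{
    return ioctl_verdict(vuln_filter, ARRAY_LEN(vuln_filter), request) != SECCOMP_RET_ALLOW;
}
int fixed_filter_blocks(uint64_t request)
{
    return ioctl_verdict(fixed_filter, ARRAY_LEN(fixed_filter), request) != SECCOMP_RET_ALLOW;
}
/* The request value the tty driver actually acts on. */
uint32_t kernel_sees(uint64_t request) { return (uint32_t)request; }

/* Load the fixed filter into this process for real (irreversible). */
int install_fixed_filter(void)
{
    struct sock_fprog prog = { .len = ARRAY_LEN(fixed_filter),
                               .filter = (struct sock_filter *)fixed_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    uint64_t plain = TIOCSTI, smuggled = TIOCSTI | (1ULL << 32);
    printf("vulnerable: plain %s, smuggled %s\n",
           vuln_filter_blocks(plain) ? "blocked" : "allowed",
           vuln_filter_blocks(smuggled) ? "blocked" : "allowed");
    printf("fixed:      plain %s, smuggled %s\n",
           fixed_filter_blocks(plain) ? "blocked" : "allowed",
           fixed_filter_blocks(smuggled) ? "blocked" : "allowed");
    if (install_fixed_filter() == 0) {       /* live check on fd 0 */
        char ch = 'x';
        errno = 0;
        ioctl(0, (unsigned long)smuggled, &ch);
        printf("live ioctl(0, TIOCSTI|1<<32): errno=%d (%s)\n", errno, strerror(errno));
    }
    return 0;
}
```

Build with `cc -o tiocsti tiocsti.c` and run it. The simulated verdicts show the vulnerable rule letting the smuggled request through while the fixed rule blocks it; the stand-alone main() then loads the fixed filter into its own process and issues the smuggled request on fd 0, which should fail with EPERM rather than reach the tty driver (on a non-tty fd the unfiltered result would be ENOTTY, which is how you can tell the filter, not the driver, rejected it).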
CVE References: CVE-2019-10063

Anders Kaseorg (andersk) on 2019-03-28
summary: - Sync flatpak 1.2.3-2 (universe) from Debian unstable (main)
+ Sync flatpak 1.2.3-2 (universe) from Debian unstable (main) for
+ CVE-2019-10063
information type: Public → Public Security
Andrew Hayzen (ahayzen) wrote :

If possible please sync 1.2.4-1 as this is the new upstream microrelease with other fixes as well :-) Also note I am preparing the fix (1.0.8) for bionic and cosmic in bug 1821811; I plan to submit this later today. Thanks!

tags: added: upgrade-software-version
Simon Quigley (tsimonq2) wrote :

This bug was fixed in the package flatpak - 1.2.4-1
Sponsored for Anders Kaseorg (andersk)

---------------
flatpak (1.2.4-1) unstable; urgency=medium

  * New upstream stable release
    - Canonicalize XDG_RUNTIME_DIR if it's a symlink
    - Support device nodes for multiple Nvidia graphics cards if the
      proprietary driver is used
    - Fix a crash when certain errors occur while updating apps
    - Fix "flatpak list --arch"
    - Make "Installing %d/%d..." translatable
  * d/p/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch:
    Drop patch, applied upstream

 -- Simon McVittie <email address hidden> Wed, 27 Mar 2019 20:47:33 +0000

flatpak (1.2.3-2) unstable; urgency=high

  * seccomp: Reject all ioctls that the kernel will interpret as TIOCSTI,
    including those where the high 32 bits in a 64-bit word are nonzero.
    (Closes: #925541, CVE-2019-10063)

 -- Simon McVittie <email address hidden> Tue, 26 Mar 2019 20:38:36 +0000

Changed in flatpak (Ubuntu):
status: New → Fix Released