Update for ghsa-4ppf-fxf6-vxg2
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| flatpak (Ubuntu) | Fix Released | Medium | Andrew Hayzen | |
| Bionic | Fix Released | Medium | Andrew Hayzen | |
| Focal | Fix Released | Medium | Andrew Hayzen | |
| Groovy | Fix Released | Medium | Andrew Hayzen | |
| Hirsute | Fix Released | Medium | Andrew Hayzen | |
Bug Description
[Links]
Upstream Advisory: https:/
Debian: https:/
DSA: https:/
[Impact]
Versions in Ubuntu right now:
Hirsute: 1.8.4-2
Groovy: 1.8.2-1
Focal: 1.6.5-0ubuntu0.1
Bionic: 1.0.9-0ubuntu0.1
Affected versions:
>= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5
Patched versions:
Expected to be >= 1.9.4, 1.8.x >= 1.8.5
There are also branches with patches for 1.6.x (Ubuntu 20.04), but nothing available yet for 1.0.x (Ubuntu 18.04).
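The affected/patched ranges above are easy to misread by hand (the 1.8.x exception in particular), so here is a small triage helper that encodes them exactly as the advisory states them and runs over the "Versions in Ubuntu right now" list. This is an added example, not code from the advisory or from the Flatpak project; the inventory dictionary is constructed from the version list above, and the release names and package version strings are the only inputs it assumes.

```python
"""Classify Flatpak package versions against the range stated in the advisory:
affected if >= 0.11.4 and < 1.9.4, except for 1.8.x >= 1.8.5.

Added example for triage; not part of the advisory or of Flatpak itself.
"""
import re
from typing import Dict, Tuple

# Boundaries copied from the advisory text.
FIRST_AFFECTED = (0, 11, 4)   # first vulnerable upstream release
FIRST_FIXED = (1, 9, 4)       # expected fixed release on the 1.9 branch
FIXED_18_BRANCH = (1, 8, 5)   # the stable 1.8 branch carries the fix from here

# First x.y.z triple in the string; skips a Debian epoch such as "1:" and
# tolerates a leading word such as the "Flatpak " in `flatpak --version` output.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_upstream_version(pkg_version: str) -> Tuple[int, int, int]:
    """Return the upstream (major, minor, patch) part of a package version.

    '1.6.5-0ubuntu0.1' -> (1, 6, 5); '1:1.8.4-2' -> (1, 8, 4).
    The Debian revision ('-0ubuntu0.1') is deliberately ignored: it does not
    change the upstream release the package is built from.
    """
    m = _VERSION_RE.search(pkg_version)
    if not m:
        raise ValueError(f"unrecognised version string: {pkg_version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(pkg_version: str) -> bool:
    """True if the upstream version falls inside the advisory's affected range."""
    v = parse_upstream_version(pkg_version)
    if v < FIRST_AFFECTED or v >= FIRST_FIXED:
        return False
    # The 1.8.x exception: 1.8.5 and later on that branch are patched even
    # though they sort below 1.9.4.
    if v[:2] == (1, 8) and v >= FIXED_18_BRANCH:
        return False
    return True


# Constructed inventory mirroring the "Versions in Ubuntu right now" list.
UBUNTU_VERSIONS: Dict[str, str] = {
    "Hirsute": "1.8.4-2",
    "Groovy": "1.8.2-1",
    "Focal": "1.6.5-0ubuntu0.1",
    "Bionic": "1.0.9-0ubuntu0.1",
}


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each release name to whether its packaged upstream version is affected."""
    return {name: is_affected(version) for name, version in inventory.items()}


if __name__ == "__main__":
    for release, affected in triage(UBUNTU_VERSIONS).items():
        state = "AFFECTED" if affected else "not affected"
        print(f"{release:8} {UBUNTU_VERSIONS[release]:20} {state}")
```

The check deliberately looks only at the upstream x.y.z triple. That is the right granularity for the ranges the advisory gives, but it is also the limitation to keep in mind: a distribution build that carries the backported fix (the 1.6.x branch patches mentioned above, for instance) keeps the same upstream version and only bumps the Debian revision, so this helper will still flag it. For an installed Ubuntu package, the package changelog and the security notice, not the upstream version alone, decide whether the fix is present.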
[Test Case]
No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.
[Regression Potential]
Flatpak has a test suite, which is run on build across all architectures and passes.
There is also a manual test plan https:/
Flatpak has autopkgtests enabled http://
Regression potential is low, and upstream is very responsive to any issues raised.
[Other information]
Simon McVittie discovered a bug in the flatpak-portal service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape).
The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus service name org.freedesktop
more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses
that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself.
In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the flatpak run command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the flatpak run command, and use them to execute arbitrary code that is not in a sandbox.
CVE References
Changed in flatpak (Ubuntu): | |
status: | New → In Progress |
assignee: | nobody → Andrew Hayzen (ahayzen) |
description: | updated |
description: | updated |
Changed in flatpak (Ubuntu Focal): | |
status: | New → In Progress |
assignee: | nobody → Andrew Hayzen (ahayzen) |
Changed in flatpak (Ubuntu Bionic): | |
importance: | Undecided → Medium |
Changed in flatpak (Ubuntu Focal): | |
importance: | Undecided → Medium |
Changed in flatpak (Ubuntu Hirsute): | |
importance: | Undecided → Medium |
Changed in flatpak (Ubuntu Groovy): | |
importance: | Undecided → Medium |
Changed in flatpak (Ubuntu Groovy): | |
assignee: | nobody → Andrew Hayzen (ahayzen) |
Changed in flatpak (Ubuntu Bionic): | |
assignee: | nobody → Andrew Hayzen (ahayzen) |
tags: | added: patch |
This is now public.