* SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
- debian/patches/CVE-2021-21261-1.patch: tests: Add minimal version
of "ok" helper.
- debian/patches/CVE-2021-21261-2.patch: common: Add a backport of
G_DBUS_METHOD_INVOCATION_HANDLED.
- debian/patches/CVE-2021-21261-3.patch: run: Convert all environment
variables into bwrap arguments.
- debian/patches/CVE-2021-21261-4.patch: tests: Expand coverage for
environment variable overrides.
- debian/patches/CVE-2021-21261-5.patch: context: Add --env-fd option.
- debian/patches/CVE-2021-21261-6.patch: portal: Convert --env in
extra-args into --env-fd.
- debian/patches/CVE-2021-21261-7.patch: tests: Exercise --env-fd.
- debian/patches/CVE-2021-21261-8.patch: portal: Do not use
caller-supplied variables in environment.
- debian/patches/CVE-2021-21261-9.patch: tests: Assert that --env= does
not go in `flatpak run` or bwrap environ.
- CVE-2021-21261
-- Andrew Hayzen <email address hidden> Wed, 13 Jan 2021 21:09:15 +0000
This bug was fixed in the package flatpak - 1.6.5-0ubuntu0.2
---------------
flatpak (1.6.5-0ubuntu0.2) focal-security; urgency=medium
* SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473) patches/ CVE-2021- 21261-1. patch: tests: Add minimal version patches/ CVE-2021- 21261-2. patch: common: Add a backport of DBUS_METHOD_ INVOCATION_ HANDLED. patches/ CVE-2021- 21261-3. patch: run: Convert all environment patches/ CVE-2021- 21261-4. patch: tests: Expand coverage for patches/ CVE-2021- 21261-5. patch: context: Add --env-fd option. patches/ CVE-2021- 21261-6. patch: portal: Convert --env in patches/ CVE-2021- 21261-7. patch: tests: Exercise --env-fd. patches/ CVE-2021- 21261-8. patch: portal: Do not use supplied variables in environment. patches/ CVE-2021- 21261-9. patch: tests: Assert that --env= does
- debian/
of "ok" helper.
- debian/
G_
- debian/
variables into bwrap arguments.
- debian/
environment variable overrides.
- debian/
- debian/
extra-args into --env-fd.
- debian/
- debian/
caller-
- debian/
not go in `flatpak run` or bwrap environ.
- CVE-2021-21261
-- Andrew Hayzen <email address hidden> Wed, 13 Jan 2021 21:09:15 +0000