2021-03-10 21:10:24 |
Andrew Hayzen |
bug |
|
|
added bug |
2021-03-10 21:15:07 |
Andrew Hayzen |
flatpak (Ubuntu): assignee |
|
Andrew Hayzen (ahayzen) |
|
2021-03-10 21:15:09 |
Andrew Hayzen |
flatpak (Ubuntu): status |
New |
In Progress |
|
2021-03-10 21:21:49 |
Andrew Hayzen |
description |
Patches and description coming soon! I need this to generate an LP bug number :-) |
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156
[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2
Affected versions:
>= 0.9.4
Patched versions:
>= 1.10.2
[Test Case]
No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes.
There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak .
Regression potential is low, and upstream is very responsive to any issues raised.
[Other information]
Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.
Impact
By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.
A minimal solution is the first commit "Disallow @@ and @@U usage in desktop files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: Refuse to export .desktop files with suspicious uses of @@ tokens" are recommended, but not strictly required.
Workarounds
Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.
References
Acknowledgements
Thanks to @AntonLydike for reporting this issue, and @refi64 for providing the initial solution. |
|
2021-03-10 21:21:56 |
Andrew Hayzen |
summary |
Placeholder for GHSA-xgh4-387p-hqpp |
Update for GHSA-xgh4-387p-hqpp |
|
2021-03-10 21:22:32 |
Andrew Hayzen |
description |
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156
[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2
Affected versions:
>= 0.9.4
Patched versions:
>= 1.10.2
[Test Case]
No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes.
There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak .
Regression potential is low, and upstream is very responsive to any issues raised.
[Other information]
Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.
Impact
By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.
A minimal solution is the first commit "Disallow @@ and @@U usage in desktop files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: Refuse to export .desktop files with suspicious uses of @@ tokens" are recommended, but not strictly required.
Workarounds
Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.
References
Acknowledgements
Thanks to @AntonLydike for reporting this issue, and @refi64 for providing the initial solution. |
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156
[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2
Affected versions:
>= 0.9.4
Patched versions:
>= 1.10.2
[Test Case]
No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes.
There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak .
Regression potential is low, and upstream is very responsive to any issues raised.
[Other information]
Sandbox escape via special tokens in .desktop file (flatpak#4146)
Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.
Impact
By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.
A minimal solution is the first commit "Disallow @@ and @@U usage in desktop files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: Refuse to export .desktop files with suspicious uses of @@ tokens" are recommended, but not strictly required.
Workarounds
Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.
References
Acknowledgements
Thanks to @AntonLydike for reporting this issue, and @refi64 for providing the initial solution. |
|
2021-03-10 21:22:59 |
Andrew Hayzen |
information type |
Public |
Public Security |
|
2021-03-10 21:24:45 |
Andrew Hayzen |
attachment added |
|
[bionic] flatpak_1.0.9-0ubuntu0.2_to_flatpak_1.0.9-0ubuntu0.3.debdiff.gz https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482/+attachment/5475502/+files/flatpak_1.0.9-0ubuntu0.2_to_flatpak_1.0.9-0ubuntu0.3.debdiff.gz |
|
2021-03-10 21:28:21 |
Andrew Hayzen |
attachment added |
|
[focal] flatpak_1.6.5-0ubuntu0.2_to_flatpak_1.6.5-0ubuntu0.3.debdiff https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482/+attachment/5475503/+files/flatpak_1.6.5-0ubuntu0.2_to_flatpak_1.6.5-0ubuntu0.3.debdiff.gz |
|
2021-03-10 21:31:10 |
Andrew Hayzen |
attachment added |
|
[groovy] flatpak_1.8.2-1ubuntu0.1_to_flatpak_1.8.2-1ubuntu0.2.debdiff https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482/+attachment/5475504/+files/flatpak_1.8.2-1ubuntu0.1_to_flatpak_1.8.2-1ubuntu0.2.debdiff.gz |
|
2021-03-10 21:36:07 |
Andrew Hayzen |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2021-03-10 22:24:27 |
Andrew Hayzen |
description |
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156
[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2
Affected versions:
>= 0.9.4
Patched versions:
>= 1.10.2
[Test Case]
No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes.
There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak .
Regression potential is low, and upstream is very responsive to any issues raised.
[Other information]
Sandbox escape via special tokens in .desktop file (flatpak#4146)
Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.
Impact
By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.
A minimal solution is the first commit "Disallow @@ and @@U usage in desktop files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: Refuse to export .desktop files with suspicious uses of @@ tokens" are recommended, but not strictly required.
Workarounds
Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.
References
Acknowledgements
Thanks to @AntonLydike for reporting this issue, and @refi64 for providing the initial solution. |
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859
[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2
Affected versions:
>= 0.9.4
Patched versions:
>= 1.10.2
[Test Case]
No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes.
There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak .
Regression potential is low, and upstream is very responsive to any issues raised.
[Other information]
Sandbox escape via special tokens in .desktop file (flatpak#4146)
Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.
Impact
By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.
A minimal solution is the first commit "Disallow @@ and @@U usage in desktop files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: Refuse to export .desktop files with suspicious uses of @@ tokens" are recommended, but not strictly required.
Workarounds
Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.
References
Acknowledgements
Thanks to @AntonLydike for reporting this issue, and @refi64 for providing the initial solution. |
|
2021-03-11 05:49:29 |
Alex Murray |
nominated for series |
|
Ubuntu Focal |
|
2021-03-11 05:49:29 |
Alex Murray |
bug task added |
|
flatpak (Ubuntu Focal) |
|
2021-03-11 05:49:29 |
Alex Murray |
nominated for series |
|
Ubuntu Groovy |
|
2021-03-11 05:49:29 |
Alex Murray |
bug task added |
|
flatpak (Ubuntu Groovy) |
|
2021-03-11 05:49:29 |
Alex Murray |
nominated for series |
|
Ubuntu Bionic |
|
2021-03-11 05:49:29 |
Alex Murray |
bug task added |
|
flatpak (Ubuntu Bionic) |
|
2021-03-11 21:04:41 |
Andrew Hayzen |
cve linked |
|
2021-21381 |
|
2021-03-11 21:04:49 |
Andrew Hayzen |
flatpak (Ubuntu Bionic): assignee |
|
Andrew Hayzen (ahayzen) |
|
2021-03-11 21:04:51 |
Andrew Hayzen |
flatpak (Ubuntu Focal): assignee |
|
Andrew Hayzen (ahayzen) |
|
2021-03-11 21:04:53 |
Andrew Hayzen |
flatpak (Ubuntu Groovy): assignee |
|
Andrew Hayzen (ahayzen) |
|
2021-03-11 21:04:59 |
Andrew Hayzen |
flatpak (Ubuntu Bionic): status |
New |
In Progress |
|
2021-03-11 21:05:01 |
Andrew Hayzen |
flatpak (Ubuntu Focal): status |
New |
In Progress |
|
2021-03-11 21:05:04 |
Andrew Hayzen |
flatpak (Ubuntu Groovy): status |
New |
In Progress |
|
2021-03-11 21:10:08 |
Andrew Hayzen |
flatpak (Ubuntu): status |
In Progress |
Fix Released |
|
2021-03-11 21:14:45 |
Andrew Hayzen |
description |
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859
[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2
Affected versions:
>= 0.9.4
Patched versions:
>= 1.10.2
[Test Case]
No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes.
There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak .
Regression potential is low, and upstream is very responsive to any issues raised.
[Other information]
Sandbox escape via special tokens in .desktop file (flatpak#4146)
Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.
Impact
By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.
A minimal solution is the first commit "Disallow @@ and @@U usage in desktop files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: Refuse to export .desktop files with suspicious uses of @@ tokens" are recommended, but not strictly required.
Workarounds
Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.
References
Acknowledgements
Thanks to @AntonLydike for reporting this issue, and @refi64 for providing the initial solution. |
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859
https://security-tracker.debian.org/tracker/CVE-2021-21381
[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2
Affected versions:
>= 0.9.4
Patched versions:
>= 1.10.2
[Test Case]
No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes.
There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak .
Regression potential is low, and upstream is very responsive to any issues raised.
[Other information]
Sandbox escape via special tokens in .desktop file (flatpak#4146)
Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.
Impact
By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.
A minimal solution is the first commit "Disallow @@ and @@U usage in desktop files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: Refuse to export .desktop files with suspicious uses of @@ tokens" are recommended, but not strictly required.
Workarounds
Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.
References
Acknowledgements
Thanks to @AntonLydike for reporting this issue, and @refi64 for providing the initial solution. |
|
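Added example, not part of the bug report, the upstream advisory, or flatpak's own code: a small Python scanner that automates the Workarounds check quoted in the description above (inspect exported .desktop files and make sure no literal filename follows @@ or @@u). Assumptions made here: the advisory's rule is read as "between an opening @@ or @@u and the closing @@, only the %f/%F/%u/%U field codes may appear"; any other token carrying the reserved @@ prefix is flagged as well, mirroring the "Reserve the whole @@ prefix" follow-up; Exec values are split with shlex, which is close to but not identical to the desktop-entry quoting rules; the two default directories are the ones named in the description. The sample .desktop contents are constructed for the example.

```python
"""Scan exported Flatpak .desktop files for literal filenames inside
@@ / @@u file-forwarding spans.

Added example, not flatpak's own code. Rule encoded here (an assumption
drawn from the advisory text): after an @@ or @@u token, only the field
codes %f %F %u %U may appear before the closing @@; anything else would be
forwarded into the sandbox without the user having chosen that file.
"""
import glob
import os
import re
import shlex

FIELD_CODE = re.compile(r"^%[fFuU]$")
FORWARD_OPEN = {"@@", "@@u"}  # the only two tokens flatpak itself emits


def scan_exec(exec_value):
    """Return a list of human-readable findings for one Exec= value."""
    findings = []
    try:
        args = shlex.split(exec_value)  # assumption: shell-style splitting is close enough
    except ValueError as exc:
        return [f"unparseable Exec value: {exc}"]
    in_span = False
    for arg in args:
        if arg.startswith("@@"):
            if arg not in FORWARD_OPEN:
                findings.append(f"unexpected token using reserved @@ prefix: {arg!r}")
                continue
            if arg == "@@u":
                if in_span:
                    findings.append("nested @@u inside an open forwarding span")
                in_span = True
            else:
                # plain @@ opens a %f-style span, or closes whichever span is open
                in_span = not in_span
            continue
        if in_span and not FIELD_CODE.match(arg):
            findings.append(f"literal argument inside file-forwarding span: {arg!r}")
    if in_span:
        findings.append("forwarding span not closed with @@")
    return findings


def scan_desktop_text(text):
    """Parse INI-like .desktop text and scan every Exec= key in every group
    (the main [Desktop Entry] group and any [Desktop Action ...] groups)."""
    findings = []
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Exec":
            for finding in scan_exec(value.strip()):
                findings.append(f"[{group}] {finding}")
    return findings


def scan_export_dirs(dirs=None):
    """Scan the exported applications directories; returns {path: findings}."""
    dirs = dirs or [
        os.path.expanduser("~/.local/share/flatpak/exports/share/applications"),
        "/var/lib/flatpak/exports/share/applications",
    ]
    report = {}
    for directory in dirs:
        for path in sorted(glob.glob(os.path.join(directory, "*.desktop"))):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_desktop_text(fh.read())
            if findings:
                report[path] = findings
    return report


# Constructed sample inputs (not real exported files).
BENIGN = """[Desktop Entry]
Name=Example Viewer
Exec=flatpak run --command=viewer --file-forwarding org.example.Viewer @@u %U @@
Type=Application
"""

SUSPICIOUS = """[Desktop Entry]
Name=Example Viewer
Exec=flatpak run --command=viewer --file-forwarding org.example.Viewer @@ /constructed/path/private-notes.txt @@ %f
Type=Application
[Desktop Action Open]
Exec=flatpak run org.example.Viewer @@payload %u
"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_desktop_text(text) or "clean")
    for path, found in scan_export_dirs().items():
        print(path)
        for finding in found:
            print("  " + finding)
```

Running the script prints the verdict for the two constructed samples and then lists any real exported .desktop files on the machine that contain a literal argument inside a forwarding span or an unrecognised @@-prefixed token. A hit is not proof of malice (an exporter could in principle emit something unusual), but on an unpatched version it is exactly the pattern the advisory says to look for, and the file's app ID tells you which installation to review.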
2021-03-11 23:11:27 |
Mathew Hodson |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859 |
|
2021-03-11 23:11:27 |
Mathew Hodson |
bug task added |
|
flatpak (Debian) |
|
2021-03-11 23:13:22 |
Mathew Hodson |
flatpak (Ubuntu): importance |
Undecided |
High |
|
2021-03-11 23:13:24 |
Mathew Hodson |
flatpak (Ubuntu Bionic): importance |
Undecided |
High |
|
2021-03-11 23:13:26 |
Mathew Hodson |
flatpak (Ubuntu Focal): importance |
Undecided |
High |
|
2021-03-11 23:13:32 |
Mathew Hodson |
flatpak (Ubuntu Groovy): importance |
Undecided |
High |
|
2021-03-12 01:41:12 |
Bug Watch Updater |
flatpak (Debian): status |
Unknown |
Fix Released |
|
2021-03-19 05:16:21 |
Mathew Hodson |
flatpak (Ubuntu Bionic): importance |
High |
Medium |
|
2021-03-19 05:16:23 |
Mathew Hodson |
flatpak (Ubuntu Focal): importance |
High |
Medium |
|
2021-03-19 05:16:25 |
Mathew Hodson |
flatpak (Ubuntu Groovy): importance |
High |
Medium |
|
2021-03-26 01:59:29 |
Mathew Hodson |
flatpak (Ubuntu): importance |
High |
Medium |
|
2021-04-08 03:26:56 |
Steve Beattie |
flatpak (Ubuntu Bionic): assignee |
Andrew Hayzen (ahayzen) |
Steve Beattie (sbeattie) |
|
2021-04-08 03:27:00 |
Steve Beattie |
flatpak (Ubuntu Focal): assignee |
Andrew Hayzen (ahayzen) |
Steve Beattie (sbeattie) |
|
2021-04-08 03:27:03 |
Steve Beattie |
flatpak (Ubuntu Groovy): assignee |
Andrew Hayzen (ahayzen) |
Steve Beattie (sbeattie) |
|
2021-04-08 03:38:06 |
Steve Beattie |
summary |
Update for GHSA-xgh4-387p-hqpp |
Update for CVE-2021-21381 |
|
2021-05-12 01:53:02 |
Launchpad Janitor |
flatpak (Ubuntu Groovy): status |
In Progress |
Fix Released |
|
2021-05-12 01:53:03 |
Launchpad Janitor |
flatpak (Ubuntu Focal): status |
In Progress |
Fix Released |
|
2021-05-12 01:53:08 |
Launchpad Janitor |
flatpak (Ubuntu Bionic): status |
In Progress |
Fix Released |
|