Activity log for bug #1918482

Date Who What changed Old value New value Message
2021-03-10 21:10:24 Andrew Hayzen bug added bug
2021-03-10 21:15:07 Andrew Hayzen flatpak (Ubuntu): assignee Andrew Hayzen (ahayzen)
2021-03-10 21:15:09 Andrew Hayzen flatpak (Ubuntu): status New In Progress
2021-03-10 21:21:49 Andrew Hayzen description

Old value:
Patches and description coming soon! I need this to generate a LP bug number :-)

New value:
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156

[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2

Affected versions: >= 0.9.4
Patched versions: >= 1.10.2

[Test Case]
No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.

[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes. There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak . Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak . Regression potential is low, and upstream is very responsive to any issues raised.

[Other information]
Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.

Impact
By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.

A minimal solution is the first commit "Disallow @@ and @@U usage in desktop files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: Refuse to export .desktop files with suspicious uses of @@ tokens" are recommended, but not strictly required.

Workarounds
Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.

References

Acknowledgements
Thanks to @AntonLydike for reporting this issue, and @refi64 for providing the initial solution.
2021-03-10 21:21:56 Andrew Hayzen summary Placeholder for GHSA-xgh4-387p-hqpp Update for GHSA-xgh4-387p-hqpp
2021-03-10 21:22:32 Andrew Hayzen description

Old value:
The description as set at 2021-03-10 21:21:49 above (unchanged).

New value:
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156

[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2

Affected versions: >= 0.9.4
Patched versions: >= 1.10.2

[Test Case]
No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.

[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes. There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak . Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak . Regression potential is low, and upstream is very responsive to any issues raised.

[Other information]
Sandbox escape via special tokens in .desktop file (flatpak#4146)

Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.

Impact
By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.

A minimal solution is the first commit "Disallow @@ and @@U usage in desktop files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: Refuse to export .desktop files with suspicious uses of @@ tokens" are recommended, but not strictly required.

Workarounds
Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.

References

Acknowledgements
Thanks to @AntonLydike for reporting this issue, and @refi64 for providing the initial solution.
2021-03-10 21:22:59 Andrew Hayzen information type Public Public Security
2021-03-10 21:24:45 Andrew Hayzen attachment added [bionic] flatpak_1.0.9-0ubuntu0.2_to_flatpak_1.0.9-0ubuntu0.3.debdiff.gz https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482/+attachment/5475502/+files/flatpak_1.0.9-0ubuntu0.2_to_flatpak_1.0.9-0ubuntu0.3.debdiff.gz
2021-03-10 21:28:21 Andrew Hayzen attachment added [focal] flatpak_1.6.5-0ubuntu0.2_to_flatpak_1.6.5-0ubuntu0.3.debdiff https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482/+attachment/5475503/+files/flatpak_1.6.5-0ubuntu0.2_to_flatpak_1.6.5-0ubuntu0.3.debdiff.gz
2021-03-10 21:31:10 Andrew Hayzen attachment added [groovy] flatpak_1.8.2-1ubuntu0.1_to_flatpak_1.8.2-1ubuntu0.2.debdiff https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1918482/+attachment/5475504/+files/flatpak_1.8.2-1ubuntu0.1_to_flatpak_1.8.2-1ubuntu0.2.debdiff.gz
2021-03-10 21:36:07 Andrew Hayzen bug added subscriber Ubuntu Security Sponsors Team
2021-03-10 22:24:27 Andrew Hayzen description

Old value:
The description as set at 2021-03-10 21:22:32 above (unchanged).

New value:
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859

[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2

Affected versions: >= 0.9.4
Patched versions: >= 1.10.2

[Test Case]
No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.

[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes. There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak . Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak . Regression potential is low, and upstream is very responsive to any issues raised.

[Other information]
Sandbox escape via special tokens in .desktop file (flatpak#4146)

Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.

Impact
By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.

A minimal solution is the first commit "Disallow @@ and @@U usage in desktop files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: Refuse to export .desktop files with suspicious uses of @@ tokens" are recommended, but not strictly required.

Workarounds
Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.

References

Acknowledgements
Thanks to @AntonLydike for reporting this issue, and @refi64 for providing the initial solution.
2021-03-11 05:49:29 Alex Murray nominated for series Ubuntu Focal
2021-03-11 05:49:29 Alex Murray bug task added flatpak (Ubuntu Focal)
2021-03-11 05:49:29 Alex Murray nominated for series Ubuntu Groovy
2021-03-11 05:49:29 Alex Murray bug task added flatpak (Ubuntu Groovy)
2021-03-11 05:49:29 Alex Murray nominated for series Ubuntu Bionic
2021-03-11 05:49:29 Alex Murray bug task added flatpak (Ubuntu Bionic)
2021-03-11 21:04:41 Andrew Hayzen cve linked 2021-21381
2021-03-11 21:04:49 Andrew Hayzen flatpak (Ubuntu Bionic): assignee Andrew Hayzen (ahayzen)
2021-03-11 21:04:51 Andrew Hayzen flatpak (Ubuntu Focal): assignee Andrew Hayzen (ahayzen)
2021-03-11 21:04:53 Andrew Hayzen flatpak (Ubuntu Groovy): assignee Andrew Hayzen (ahayzen)
2021-03-11 21:04:59 Andrew Hayzen flatpak (Ubuntu Bionic): status New In Progress
2021-03-11 21:05:01 Andrew Hayzen flatpak (Ubuntu Focal): status New In Progress
2021-03-11 21:05:04 Andrew Hayzen flatpak (Ubuntu Groovy): status New In Progress
2021-03-11 21:10:08 Andrew Hayzen flatpak (Ubuntu): status In Progress Fix Released
2021-03-11 21:14:45 Andrew Hayzen description

Old value:
The description as set at 2021-03-10 22:24:27 above (unchanged).

New value:
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859
https://security-tracker.debian.org/tracker/CVE-2021-21381

[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2

Affected versions: >= 0.9.4
Patched versions: >= 1.10.2

[Test Case]
No test case has been mentioned yet, but in the patches there are changes/additions to the unit tests.

[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes. There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak . Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak . Regression potential is low, and upstream is very responsive to any issues raised.

[Other information]
Sandbox escape via special tokens in .desktop file (flatpak#4146)

Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions.

Impact
By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.

A minimal solution is the first commit "Disallow @@ and @@U usage in desktop files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir: Refuse to export .desktop files with suspicious uses of @@ tokens" are recommended, but not strictly required.

Workarounds
Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.

References

Acknowledgements
Thanks to @AntonLydike for reporting this issue, and @refi64 for providing the initial solution.
2021-03-11 23:11:27 Mathew Hodson bug watch added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859
2021-03-11 23:11:27 Mathew Hodson bug task added flatpak (Debian)
2021-03-11 23:13:22 Mathew Hodson flatpak (Ubuntu): importance Undecided High
2021-03-11 23:13:24 Mathew Hodson flatpak (Ubuntu Bionic): importance Undecided High
2021-03-11 23:13:26 Mathew Hodson flatpak (Ubuntu Focal): importance Undecided High
2021-03-11 23:13:32 Mathew Hodson flatpak (Ubuntu Groovy): importance Undecided High
2021-03-12 01:41:12 Bug Watch Updater flatpak (Debian): status Unknown Fix Released
2021-03-19 05:16:21 Mathew Hodson flatpak (Ubuntu Bionic): importance High Medium
2021-03-19 05:16:23 Mathew Hodson flatpak (Ubuntu Focal): importance High Medium
2021-03-19 05:16:25 Mathew Hodson flatpak (Ubuntu Groovy): importance High Medium
2021-03-26 01:59:29 Mathew Hodson flatpak (Ubuntu): importance High Medium
2021-04-08 03:26:56 Steve Beattie flatpak (Ubuntu Bionic): assignee Andrew Hayzen (ahayzen) Steve Beattie (sbeattie)
2021-04-08 03:27:00 Steve Beattie flatpak (Ubuntu Focal): assignee Andrew Hayzen (ahayzen) Steve Beattie (sbeattie)
2021-04-08 03:27:03 Steve Beattie flatpak (Ubuntu Groovy): assignee Andrew Hayzen (ahayzen) Steve Beattie (sbeattie)
2021-04-08 03:38:06 Steve Beattie summary Update for GHSA-xgh4-387p-hqpp Update for CVE-2021-21381
2021-05-12 01:53:02 Launchpad Janitor flatpak (Ubuntu Groovy): status In Progress Fix Released
2021-05-12 01:53:03 Launchpad Janitor flatpak (Ubuntu Focal): status In Progress Fix Released
2021-05-12 01:53:08 Launchpad Janitor flatpak (Ubuntu Bionic): status In Progress Fix Released
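The Workarounds section of the bug description above asks the user to check exported .desktop files for literal filenames following @@ or @@u. The audit script below, added here and not part of the Launchpad bug or of flatpak itself, does that check over the two export directories the description names; it assumes that a legitimately exported Exec line wraps only desktop-entry field codes (%f, %F, %u, %U) between the forwarding markers, and the sample .desktop contents are constructed.

```python
import glob
import os
import shlex

# Assumption (not from the bug page): a legitimately exported Exec line wraps a
# desktop-entry field code in the markers, e.g. "@@ %f @@" or "@@u %u @@".
FIELD_CODES = {"%f", "%F", "%u", "%U"}
OPENERS = {"@@", "@@u"}

def exec_values(desktop_text: str) -> list[str]:
    """Every Exec= value, including those in [Desktop Action] groups."""
    return [line.split("=", 1)[1].strip()
            for line in desktop_text.splitlines() if line.startswith("Exec=")]

def audit_exec(exec_value: str) -> list[str]:
    """Flag arguments that file forwarding would treat as a literal file or URI."""
    try:
        args = shlex.split(exec_value)  # simplification of desktop-entry quoting
    except ValueError as err:
        return [f"unparseable Exec value: {err}"]
    findings, in_region = [], False
    for arg in args:
        if arg in OPENERS and not in_region:
            in_region = True  # start of a forwarding region
        elif arg == "@@" and in_region:
            in_region = False  # end of the region
        elif arg.startswith("@@"):
            findings.append(f"unexpected @@-prefixed token {arg!r}")
        elif in_region and arg not in FIELD_CODES:
            findings.append(f"literal argument {arg!r} inside forwarding region")
    if in_region:
        findings.append("unterminated @@ forwarding region")
    return findings

def audit_desktop(desktop_text: str) -> list[tuple[str, list[str]]]:
    """(Exec value, findings) for every Exec line that has findings."""
    return [(ev, f) for ev in exec_values(desktop_text) if (f := audit_exec(ev))]

def audit_exports(patterns: list[str]) -> dict[str, list[tuple[str, list[str]]]]:
    """Audit every .desktop file matching the given glob patterns."""
    report = {}
    for pattern in patterns:
        for path in glob.glob(os.path.expanduser(pattern)):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = audit_desktop(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed samples: a clean export and one forwarding literal paths.
CLEAN_DESKTOP = """[Desktop Entry]
Exec=flatpak run --file-forwarding org.example.App @@ %f @@
"""
SUSPICIOUS_DESKTOP = """[Desktop Entry]
Exec=flatpak run --file-forwarding org.example.App @@ /home/user/Documents/notes.txt %f @@
[Desktop Action open-uri]
Exec=flatpak run --file-forwarding org.example.App @@u file:///home/user/Documents/notes.txt @@
"""
```

To run it against a real system, call audit_exports with the two patterns from the Workarounds section, ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop; an empty dict means no Exec line forwards anything other than a field code.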