2021-10-09 22:57:17 |
Andrew Hayzen |
bug |
|
|
added bug |
2021-10-09 23:11:29 |
Andrew Hayzen |
description |
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935
https://security-tracker.debian.org/tracker/CVE-2021-41133 |
*** Placeholder until regressions are fixed upstream ***
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935
https://security-tracker.debian.org/tracker/CVE-2021-41133
[Impact]
Versions in Ubuntu right now:
Impish: 1.10.2-3
Hirsute: 1.10.2-1ubuntu1
Focal: 1.6.5-0ubuntu0.3
Bionic: 1.0.9-0ubuntu0.3
Affected versions:
1.11.x, 1.10.x <= 1.10.3, all <= 1.8.2
Patched versions:
1.10.5, 1.12.1, also expected in 1.8.2
[Test Case]
Unknown
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes.
There is also a manual test plan: https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak
Flatpak has autopkgtests enabled: http://autopkgtest.ubuntu.com/packages/f/flatpak
Regression potential is low, and upstream is very responsive to any issues raised.
[Patches]
There were 8 initial patches; some regressions have since been found, one of which has been patched, but a second has a pending pull request (see the GitHub advisory for links). As noted in the Debian bug as well, there might be further changes to bubblewrap, so I guess it makes sense to wait until this has settled.
[Other Information]
An anonymous reporter discovered that Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process, by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted /.flatpak-info or make that file disappear entirely.
Impact
Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has.
Mitigation: Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process xdg-dbus-proxy, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. |
|
2021-10-09 23:11:40 |
Andrew Hayzen |
information type |
Public |
Public Security |
|
2021-10-09 23:12:01 |
Andrew Hayzen |
cve linked |
|
2021-41133 |
|
2021-10-09 23:12:59 |
Andrew Hayzen |
flatpak (Ubuntu): assignee |
|
Andrew Hayzen (ahayzen) |
|
2021-10-11 10:34:09 |
Alex Murray |
nominated for series |
|
Ubuntu Impish |
|
2021-10-11 10:34:09 |
Alex Murray |
bug task added |
|
flatpak (Ubuntu Impish) |
|
2021-10-11 10:34:09 |
Alex Murray |
nominated for series |
|
Ubuntu Focal |
|
2021-10-11 10:34:09 |
Alex Murray |
bug task added |
|
flatpak (Ubuntu Focal) |
|
2021-10-11 10:34:09 |
Alex Murray |
nominated for series |
|
Ubuntu Hirsute |
|
2021-10-11 10:34:09 |
Alex Murray |
bug task added |
|
flatpak (Ubuntu Hirsute) |
|
2021-10-11 10:34:09 |
Alex Murray |
nominated for series |
|
Ubuntu Bionic |
|
2021-10-11 10:34:09 |
Alex Murray |
bug task added |
|
flatpak (Ubuntu Bionic) |
|
2021-10-13 00:59:57 |
Andrew Hayzen |
flatpak (Ubuntu Impish): status |
New |
In Progress |
|
2021-10-13 01:00:01 |
Andrew Hayzen |
flatpak (Ubuntu Hirsute): status |
New |
In Progress |
|
2021-10-13 01:00:06 |
Andrew Hayzen |
flatpak (Ubuntu Hirsute): assignee |
|
Andrew Hayzen (ahayzen) |
|
2021-10-14 23:20:02 |
Andrew Hayzen |
attachment added |
|
Impish CVE debdiff https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+attachment/5533002/+files/impish_flatpak_1.10.2-3_to_1.10.2-3ubuntu0.1.debdiff.gz |
|
2021-10-14 23:20:48 |
Andrew Hayzen |
summary |
Placeholder for CVE-2021-41133 |
Update for CVE-2021-41133 |
|
2021-10-14 23:21:09 |
Andrew Hayzen |
description |
*** Placeholder until regressions are fixed upstream ***
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935
https://security-tracker.debian.org/tracker/CVE-2021-41133
[Impact]
Versions in Ubuntu right now:
Impish: 1.10.2-3
Hirsute: 1.10.2-1ubuntu1
Focal: 1.6.5-0ubuntu0.3
Bionic: 1.0.9-0ubuntu0.3
Affected versions:
1.11.x, 1.10.x <= 1.10.3, all <= 1.8.2
Patched versions:
1.10.5, 1.12.1, also expected in 1.8.2
[Test Case]
Unknown
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes.
There is also a manual test plan: https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak
Flatpak has autopkgtests enabled: http://autopkgtest.ubuntu.com/packages/f/flatpak
Regression potential is low, and upstream is very responsive to any issues raised.
[Patches]
There were 8 initial patches; some regressions have since been found, one of which has been patched, but a second has a pending pull request (see the GitHub advisory for links). As noted in the Debian bug as well, there might be further changes to bubblewrap, so I guess it makes sense to wait until this has settled.
[Other Information]
An anonymous reporter discovered that Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process, by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted /.flatpak-info or make that file disappear entirely.
Impact
Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has.
Mitigation: Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process xdg-dbus-proxy, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. |
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935
https://security-tracker.debian.org/tracker/CVE-2021-41133
[Impact]
Versions in Ubuntu right now:
Impish: 1.10.2-3
Hirsute: 1.10.2-1ubuntu1
Focal: 1.6.5-0ubuntu0.3
Bionic: 1.0.9-0ubuntu0.3
Affected versions:
1.11.x, 1.10.x <= 1.10.3, all <= 1.8.2
Patched versions:
1.10.5, 1.12.1, also expected in 1.8.2
[Test Case]
Unknown
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant architectures and passes.
There is also a manual test plan: https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak
Flatpak has autopkgtests enabled: http://autopkgtest.ubuntu.com/packages/f/flatpak
Regression potential is low, and upstream is very responsive to any issues raised.
[Patches]
There were 8 initial patches; some regressions have since been found, one of which has been patched, but a second has a pending pull request (see the GitHub advisory for links). As noted in the Debian bug as well, there might be further changes to bubblewrap, so I guess it makes sense to wait until this has settled.
[Other Information]
An anonymous reporter discovered that Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process, by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted /.flatpak-info or make that file disappear entirely.
Impact
Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has.
Mitigation: Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process xdg-dbus-proxy, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. |
|
2021-10-15 00:12:05 |
Andrew Hayzen |
attachment added |
|
Hirsute CVE debdiff https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+attachment/5533003/+files/hirsute_flatpak_1.10.2-1ubuntu1_to_1.10.2-1ubuntu1.1.debdiff.gz |
|
2021-10-15 00:12:42 |
Alex Murray |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2021-10-15 03:51:02 |
Mathew Hodson |
flatpak (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2021-10-15 03:51:05 |
Mathew Hodson |
flatpak (Ubuntu Focal): importance |
Undecided |
Medium |
|
2021-10-15 03:51:07 |
Mathew Hodson |
flatpak (Ubuntu Hirsute): importance |
Undecided |
Medium |
|
2021-10-15 03:51:10 |
Mathew Hodson |
flatpak (Ubuntu Impish): importance |
Undecided |
Medium |
|
2021-10-20 00:04:22 |
Andrew Hayzen |
flatpak (Ubuntu Focal): assignee |
|
Andrew Hayzen (ahayzen) |
|
2021-10-20 00:04:28 |
Andrew Hayzen |
flatpak (Ubuntu Focal): status |
New |
In Progress |
|
2021-10-20 20:59:49 |
Andrew Hayzen |
attachment added |
|
Partial Focal CVE debdiff https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+attachment/5534670/+files/focal_flatpak_1.6.5-0ubuntu0.3_to_1.6.5-0ubuntu0.4.debdiff.gz |
|
2021-10-20 21:00:09 |
Andrew Hayzen |
flatpak (Ubuntu Bionic): status |
New |
In Progress |
|
2021-10-20 21:00:14 |
Andrew Hayzen |
flatpak (Ubuntu Bionic): assignee |
|
Andrew Hayzen (ahayzen) |
|
2021-10-20 21:41:01 |
Andrew Hayzen |
attachment added |
|
Partial Bionic CVE debdiff https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+attachment/5534671/+files/bionic_flatpak_1.0.9-0ubuntu0.3_to_1.0.9-0ubuntu0.4.debdiff.gz |
|
2021-12-04 00:23:05 |
Marc Deslauriers |
removed subscriber Ubuntu Security Sponsors Team |
|
|
|
2021-12-14 11:26:20 |
Launchpad Janitor |
flatpak (Ubuntu Impish): status |
In Progress |
Fix Released |
|
2021-12-14 11:26:21 |
Launchpad Janitor |
flatpak (Ubuntu Hirsute): status |
In Progress |
Fix Released |
|
2021-12-14 11:26:24 |
Launchpad Janitor |
flatpak (Ubuntu Focal): status |
In Progress |
Fix Released |
|
2021-12-14 11:26:26 |
Launchpad Janitor |
flatpak (Ubuntu Bionic): status |
In Progress |
Fix Released |
|
2021-12-14 12:09:21 |
Marc Deslauriers |
flatpak (Ubuntu): status |
In Progress |
Fix Released |
|