Comment 9 for bug 1821811

Thanks Paulo, I'm afk on holiday at the moment, so will test this when I'm
back towards the end of the week, thanks!

On Fri, 3 May 2019, 01:35 Paulo Flabiano Smorigo, <
<email address hidden>> wrote:

> Hello Andrew, can you check/test if the packages bellow are working
> properly?
>
> https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=flatpak
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1821811
>
> Title:
> New upstream microrelease flatpak 1.0.8
>
> Status in flatpak package in Ubuntu:
> Fix Released
> Status in flatpak source package in Bionic:
> New
> Status in flatpak source package in Cosmic:
> New
>
> Bug description:
> This is a request to SRU the latest microrelease of flatpak into
> bionic and cosmic. Which is also a security update for CVE-2019-10063.
>
> Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925541
> Upstream bug https://github.com/flatpak/flatpak/issues/2782
>
> [Impact]
>
> New upstream microrelease of flatpak, which brings a security fix for
> CVE-2019-10063.
>
> Bionic is currently at 1.0.7, whereas 1.0.8 is available upstream.
> Cosmic is currently at 1.0.7, whereas 1.0.8 is available upstream.
>
> Disco needs to be synced to >= 1.2.3-2 (is someone able to sync
> 1.2.4-1 from unstable ? ) bug 1822024 has this request.
>
> [Test Case]
>
> No test case has been mentioned in the Debian bug, in the upstream
> pull request it looks like the snapd exploit might be able to be used
> https://www.exploit-db.com/exploits/46594 but the code change is
> minimal so I have not tried this yet.
>
> [Regression Potential]
>
> Flatpak has a test suite, which is run on build across all
> architectures and passes.
>
> There is also a manual test plan
> https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak. I have
> confirmed that 1.0.8 passes with this test plan on both bionic and
> cosmic.
>
> Flatpak has autopkgtests enabled
> http://autopkgtest.ubuntu.com/packages/f/flatpak which is passing on
> bionic and cosmic.
>
> Regression potential is low, and upstream is very responsive to any
> issues raised.
>
> [Other information]
>
> Debian and upstream comments about the vulnerability.
>
> "flatpak versions since 0.8.1 (and Debian's 0.8.0-2, which has backports
> of the upstream changes that became 0.8.1) attempt to prevent malicious
> apps from escalating their privileges by injecting commands into the
> controlling terminal with the TIOCSTI ioctl (CVE-2017-5226).
>
> This fix was incomplete: on 64-bit platforms, seccomp looks at the whole
> 64-bit word, but the kernel only looks at the low 32 bits. This means we
> also have to block commands like (0x1234567800000000 | TIOCSTI).
> CVE-2019-10063 has been allocated for this vulnerability, which closely
> resembles CVE-2019-7303 in snapd.
>
> Mitigation: as usual with Flatpak sandbox bypasses, this can only be
> exploited if you install a malicious app from a trusted source. The
> sandbox parameters used for most apps are currently sufficiently weak
> that a malicious app could do other equally bad things that we cannot
> prevent, for example by abusing the X11 protocol."
>
> Debian security tracker https://security-
> tracker.debian.org/tracker/CVE-2019-10063
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1821811/+subscriptions
>