On Thu, 21 Jan 2021 at 17:51:34 +0000, Simon McVittie wrote:
> Security team: this is a regression in DSA 4830-1 (CVE-2021-21261), now
> fixed upstream in 1.10.1 and backported to 1.2.x. In addition to the
> regression that was reported in #980323, I looked at similar code paths
> and fixed an equivalent regression elsewhere. It's a 2-line change
> (I'll follow up with the full debdiff, which is rather larger due to
> patch headers and changelog). Do you want a DSA 4830-2 to fix this?
Here's the proposed source debdiff.
I've assumed that urgency=medium genuinely *is* what I want this time :-)
smcv
diffstat for flatpak-1.2.5 flatpak-1.2.5
changelog | 17 ++++
patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch | 39 ++++++++++
patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch | 32 ++++++++
patches/series | 2
4 files changed, 90 insertions(+)
diff -Nru flatpak-1.2.5/debian/changelog flatpak-1.2.5/debian/changelog
--- flatpak-1.2.5/debian/changelog 2021-01-12 16:23:32.000000000 +0000
+++ flatpak-1.2.5/debian/changelog 2021-01-21 13:57:39.000000000 +0000
@@ -1,6 +1,23 @@
+flatpak (1.2.5-0+deb10u3) buster-security; urgency=medium
+
+ * Fix regressions in DSA 4830-1
+ - Add patch from upstream to fix a regression in 'flatpak build'.
+ The patches to resolve CVE-2021-21261 caused a regression in which
+ 'flatpak build' wouldn't set the LD_LIBRARY_PATH that it should.
+ (Closes: #980323)
+ - Add a patch from upstream to fix possible regressions in extra-data.
+ The extra-data mechanism, used to download large or proprietary
+ components out-of-band, could suffer from a regression similar to
+ #980323 if the app or runtime's apply_extra entry point relies on
+ LD_LIBRARY_PATH.
+ * Add CVE-2021-21261 reference to previous changelog entry
+
+ -- Simon McVittie <[email protected]> Thu, 21 Jan 2021 13:57:39 +0000
+
flatpak (1.2.5-0+deb10u2) buster-security; urgency=medium
* Add patches for sandbox escape vulnerability GHSA-4ppf-fxf6-vxg2
+ (CVE-2021-21261)
-- Simon McVittie <[email protected]> Tue, 12 Jan 2021 16:23:32 +0000
diff -Nru flatpak-1.2.5/debian/patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch flatpak-1.2.5/debian/patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch
--- flatpak-1.2.5/debian/patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch 1970-01-01 01:00:00.000000000 +0100
+++ flatpak-1.2.5/debian/patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch 2021-01-21 13:57:39.000000000 +0000
@@ -0,0 +1,39 @@
+From: Simon McVittie <[email protected]>
+Date: Mon, 18 Jan 2021 17:52:13 +0000
+Subject: build: Convert environment into a sequence of bwrap arguments
+
+This means we can systematically pass the environment variables
+through bwrap(1), even if it is setuid and thus is filtering out
+security-sensitive environment variables. bwrap itself ends up being
+run with an empty environment instead.
+
+This fixes a regression when CVE-2021-21261 was fixed: before the
+CVE fixes, LD_LIBRARY_PATH would have been passed through like this
+and appeared in the `flatpak build` shell, but during the CVE fixes,
+the special case that protected LD_LIBRARY_PATH was removed in favour
+of the more general flatpak_bwrap_envp_to_args(). That reasoning only
+works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
+that we run the potentially-setuid bwrap.
+
+Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
+Bug: https://github.com/flatpak/flatpak/issues/4080
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
+Signed-off-by: Simon McVittie <[email protected]>
+Applied-upstream: 1.10.1, commit:9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0
+---
+ app/flatpak-builtins-build.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
+index 9410791..5ba3ba8 100644
+--- a/app/flatpak-builtins-build.c
++++ b/app/flatpak-builtins-build.c
+@@ -566,6 +566,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
+ NULL);
+ }
+
++ flatpak_bwrap_envp_to_args (bwrap);
++
+ if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+ return FALSE;
+
diff -Nru flatpak-1.2.5/debian/patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch flatpak-1.2.5/debian/patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch
--- flatpak-1.2.5/debian/patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch 1970-01-01 01:00:00.000000000 +0100
+++ flatpak-1.2.5/debian/patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch 2021-01-21 13:57:39.000000000 +0000
@@ -0,0 +1,32 @@
+From: Simon McVittie <[email protected]>
+Date: Mon, 18 Jan 2021 18:07:38 +0000
+Subject: dir: Pass environment via bwrap --setenv when running apply_extra
+
+This means we can systematically pass the environment variables
+through bwrap(1), even if it is setuid and thus is filtering out
+security-sensitive environment variables. bwrap ends up being
+run with an empty environment instead.
+
+As with the previous commit, this regressed while fixing CVE-2021-21261.
+
+Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
+Bug: https://github.com/flatpak/flatpak/issues/4080
+Signed-off-by: Simon McVittie <[email protected]>
+Applied-upstream: 1.10.1, commit:fb473cad801c6b61706353256cab32330557374a
+---
+ common/flatpak-dir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 40a2e58..f79ebcd 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -6799,6 +6799,8 @@ apply_extra_data (FlatpakDir *self,
+ app_context, NULL, NULL, cancellable, error))
+ return FALSE;
+
++ flatpak_bwrap_envp_to_args (bwrap);
++
+ flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
+
+ flatpak_bwrap_finish (bwrap);
diff -Nru flatpak-1.2.5/debian/patches/series flatpak-1.2.5/debian/patches/series
--- flatpak-1.2.5/debian/patches/series 2021-01-12 16:23:32.000000000 +0000
+++ flatpak-1.2.5/debian/patches/series 2021-01-21 13:57:39.000000000 +0000
@@ -7,4 +7,6 @@
tests-Exercise-env-fd.patch
portal-Do-not-use-caller-supplied-variables-in-environmen.patch
tests-Assert-that-env-does-not-go-in-flatpak-run-or-bwrap.patch
+build-Convert-environment-into-a-sequence-of-bwrap-argume.patch
+dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch
debian/Use-Python-3-for-test-web-server.patch
