Your message dated Sat, 24 Jun 2017 14:47:31 +0000
with message-id <e1domlt-000gqd...@fasolo.debian.org>
and subject line Bug#865413: fixed in flatpak 0.8.5-2+deb9u1
has caused the Debian Bug report #865413,
regarding flatpak: CVE-2017-9780: Flatpak security issue
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
865413: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865413
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: flatpak
Version: 0.8.5-2
Severity: critical
Tags: security fixed-upstream
Forwarded: https://github.com/flatpak/flatpak/issues/845
Justification: potentially (in worst case) root security hole
The Flatpak developers recently released version 0.8.7 fixing a security
issue. A third-party app repository could include malicious apps that
contain files with inappropriate permissions, for example setuid or
world-writable. Older Flatpak versions would deploy the files with those
permissions, which would let a local attacker run the setuid executable
or write to the world-writable location.
In the case of the "system helper", files deployed as part of the app
are owned by root, so in the worst case they could be setuid root.
Mitigations:
* If you are running apps from a third party already, then there is
already a trust relationship (the app is sandboxed, but the sandbox
is not very strict in practice, and the third-party vendor chooses
what permissions the app will have)
* The default polkit policies will not allow apps to be installed
system-wide unless a privileged (root-equivalent) user has added
the third-party app repository, which indicates that the privileged
user trusts the operator of that repository
* The attacker exploiting the wrong permissions needs to be local
It seems that upstream consider this to be a minor security issue due
to those mitigations.
For the buster and sid suites, this will be fixed in 0.8.7-1 shortly.
For the experimental suite, this will be fixed in 0.9.6-1. That will
take a bit longer because it needs a newer version of libostree.
Security team: do you want a backport/DSA for stretch-security, or do
you consider the mitigations to be sufficient to fix this through
a stable update instead? I am hoping to get 0.8.7 into stretch r1 as a
stable update, but 0.8.6 contains unrelated bug fixes that I realise
you won't necessarily want in stretch-security (proposed-update tracked
at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864028>).
For a stretch-security backport with just this fix, I could optionally
also include these security-hardening-related commits from 0.8.6:
https://github.com/flatpak/flatpak/commit/6265200c83f23acceb3c9b192ebc1ffa9db140de
https://github.com/flatpak/flatpak/commit/414d699621664913dadebcf5db39732b99268c37
Please let me know whether you would prefer those included or excluded.
S
--- End Message ---
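The permission problem described in the report above (files from an app repository arriving with setuid, setgid or world-writable modes) and the two-part fix named in the changelog later in this thread (refuse such modes at deploy time; keep the per-user data directory private) can be illustrated with a small audit-and-clamp routine. The following Python is an added example, not part of this bug thread and not flatpak's own patch; the tree layout, file names and the `user-data` directory are constructed for the demonstration.

```python
"""Added example: audit and clamp permissions in a deployed app tree.

Illustrates the class of problem in the report above: a third-party
repository ships files whose modes (setuid/setgid, world-writable) must not
survive deployment. Demonstration code only, not flatpak's own patch.
"""
import os
import stat
import tempfile

# Mode bits that an app deployed from an untrusted repository must never carry.
FORBIDDEN_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_IWOTH


def describe_problems(mode):
    """Return the reasons a given st_mode is unacceptable (empty list if fine)."""
    problems = []
    if mode & stat.S_ISUID:
        problems.append("setuid")
    if mode & stat.S_ISGID:
        problems.append("setgid")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def clamp_mode(mode):
    """Return the permission bits of mode with the forbidden bits cleared."""
    return stat.S_IMODE(mode) & ~FORBIDDEN_BITS


def _entries(root):
    """Yield (path, lstat result) for every directory and file below root, skipping symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # never follow symlinks; the target has its own entry
            if not stat.S_ISLNK(st.st_mode):
                yield path, st


def audit_tree(root):
    """Map each offending path (relative to root) to its list of problems."""
    findings = {}
    for path, st in _entries(root):
        problems = describe_problems(st.st_mode)
        if problems:
            findings[os.path.relpath(path, root)] = problems
    return findings


def sanitize_tree(root):
    """Clear forbidden bits in place, as a deploy step would; return the number of entries changed."""
    changed = 0
    for path, st in _entries(root):
        wanted = clamp_mode(st.st_mode)
        if wanted != stat.S_IMODE(st.st_mode):
            os.chmod(path, wanted)
            changed += 1
    return changed


def is_private_dir(path):
    """True if path is a directory readable and writable only by its owner (mode 0700),
    the property the second patch enforces for ~/.local/share/flatpak."""
    st = os.lstat(path)
    return stat.S_ISDIR(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o700


def build_sample_tree():
    """Construct a throwaway tree standing in for a malicious app's files (names are made up).

    Modes are set explicitly so the result does not depend on the caller's umask.
    Returns the root path.
    """
    root = tempfile.mkdtemp(prefix="perm-audit-")
    for sub in ("files", "files/bin", "files/share", "files/share/cache", "user-data"):
        os.makedirs(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o755)
    for name in ("app", "helper"):
        with open(os.path.join(root, "files", "bin", name), "w") as f:
            f.write("#!/bin/sh\necho %s\n" % name)
    os.chmod(os.path.join(root, "files", "bin", "app"), 0o755)      # acceptable
    os.chmod(os.path.join(root, "files", "bin", "helper"), 0o4755)  # setuid: must not deploy
    os.chmod(os.path.join(root, "files", "share", "cache"), 0o777)  # world-writable directory
    os.chmod(os.path.join(root, "user-data"), 0o700)                # the private per-user dir
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("before:", audit_tree(root))
    print("entries fixed:", sanitize_tree(root))
    print("after:", audit_tree(root))
    print("user dir private:", is_private_dir(os.path.join(root, "user-data")))
```

Running the script reports the setuid helper and the world-writable cache directory, clears both, and confirms the tree is clean afterwards. Note that symlinks are skipped on purpose: their mode bits are meaningless, and the file a link points to is checked as its own entry (or lies outside the tree, where it is not the app's to set).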
--- Begin Message ---
Source: flatpak
Source-Version: 0.8.5-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 865...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated flatpak package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 21 Jun 2017 12:05:49 +0100
Source: flatpak
Binary: flatpak flatpak-builder flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc libflatpak0
Architecture: source
Version: 0.8.5-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Closes: 865413
Description:
flatpak - Application deployment framework for desktop apps
flatpak-builder - Flatpak application building helper
flatpak-tests - Application deployment framework for desktop apps (tests)
gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
libflatpak0 - Application deployment framework for desktop apps (library)
libflatpak-dev - Application deployment framework for desktop apps (development)
libflatpak-doc - Application deployment framework for desktop apps (documentation)
Changes:
flatpak (0.8.5-2+deb9u1) stretch-security; urgency=high
.
* d/p/Ensure-we-don-t-install-world-writable-dirs-or-setuid-fil.patch:
Patch from upstream stable release 0.8.7.
Prevent deploying files with inappropriate permissions
(world-writable, setuid, etc.) (Closes: #865413)
* d/p/dir-Ensure-.local-share-flatpak-is-0700.patch:
Patch from upstream stable release 0.8.7.
Make ~/.local/share/flatpak private to user to defend against app
vendors that might have released files with inappropriate permissions
in the past
Checksums-Sha1:
e846b80ef7681b3c07097543e4caedb8dc27d0c5 3050 flatpak_0.8.5-2+deb9u1.dsc
89d0784b27123ec61e2efa36febfdbe2f2edb009 744808 flatpak_0.8.5.orig.tar.xz
7534963a7c9b6bcb222c20e4dd978f65a63bd24b 19528 flatpak_0.8.5-2+deb9u1.debian.tar.xz
Checksums-Sha256:
1d3ffc3be9fc2596816c00a81534b66d891959540dfa6bed8dfe7b69aa6bac74 3050 flatpak_0.8.5-2+deb9u1.dsc
fd31bc23e5b62a187fa9eaed937aadac2ab48911c338005b39ed889b2ebf95e5 744808 flatpak_0.8.5.orig.tar.xz
4033dc04ac1465fec19145e7814d98a64660184403ffa16b44465eac680ea604 19528 flatpak_0.8.5-2+deb9u1.debian.tar.xz
Files:
acbf2aeac7e5c18ee1a741b7433d3e28 3050 admin optional flatpak_0.8.5-2+deb9u1.dsc
d160b96fdee4be1f9b0ecf60641899f8 744808 admin optional flatpak_0.8.5.orig.tar.xz
97a2460243a83ffc779718a904bcbaa0 19528 admin optional flatpak_0.8.5-2+deb9u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---