** Also affects: flatpak (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: flatpak (Ubuntu Groovy)
Importance: Undecided
Status: New
** Also affects: flatpak (Ubuntu Bionic)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to flatpak in Ubuntu.
https://bugs.launchpad.net/bugs/1918482
Title:
Update for GHSA-xgh4-387p-hqpp
Status in flatpak package in Ubuntu:
In Progress
Status in flatpak source package in Bionic:
New
Status in flatpak source package in Focal:
New
Status in flatpak source package in Groovy:
New
Bug description:
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://github.com/flatpak/flatpak/pull/4156
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859
[Impact]
Versions in Ubuntu right now:
Hirsute: 1.10.1-4
Groovy: 1.8.2-1ubuntu0.1
Focal: 1.6.5-0ubuntu0.2
Bionic: 1.0.9-0ubuntu0.2
Affected versions:
>= 0.9.4
Patched versions:
>= 1.10.2
[Test Case]
No test case has been mentioned yet, but in the patches there are
changes/additions to the unit tests.
[Regression Potential]
Flatpak has a test suite, which is run on build across all relevant
architectures and passes.
There is also a manual test plan:
https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak
Flatpak has autopkgtests enabled:
http://autopkgtest.ubuntu.com/packages/f/flatpak
Regression potential is low, and upstream is very responsive to any
issues raised.
[Other information]
Sandbox escape via special tokens in .desktop file (flatpak#4146)
Flatpak since 0.9.4 has a vulnerability in the "file forwarding" feature
which can be used by an attacker to gain access to files that would not
ordinarily be allowed by the app's permissions.
Impact
By putting the special tokens @@ and/or @@u in the Exec field of a
Flatpak app's .desktop file, a malicious app publisher can trick
flatpak into behaving as though the user had chosen to open a target
file with their Flatpak app, which automatically makes that file
available to the Flatpak app.
A minimal solution is the first commit "Disallow @@ and @@U usage in desktop
files". The follow-up commits "dir: Reserve the whole @@ prefix" and "dir:
Refuse to export .desktop files with suspicious uses of @@ tokens" are
recommended, but not strictly required.
Workarounds
Avoid installing Flatpak apps from untrusted sources, or check the contents
of the exported .desktop files in exports/share/applications/*.desktop
(typically ~/.local/share/flatpak/exports/share/applications/*.desktop and
/var/lib/flatpak/exports/share/applications/*.desktop) to make sure that
literal filenames do not follow @@ or @@u.
Acknowledgements
Thanks to @AntonLydike for reporting this issue, and @refi64 for
providing the initial solution.
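The workaround above, checking exported .desktop files for literal file names after @@ or @@u, as an added script (not flatpak's or Ubuntu's own code). It parses each Exec= line with shell quoting rules and reports any argument following a forwarding token that is not a desktop-entry field code such as %f or %U, on the assumption that field codes are all an honest export places between the tokens; the sample entries and the path they contain are constructed.

```python
import re
import shlex
from pathlib import Path

FORWARD_TOKENS = {"@@", "@@u"}                  # file-forwarding tokens from the advisory
FIELD_CODE = re.compile(r"^%[fFuUdDnNickvm]$")  # desktop-entry field codes (%f, %U, ...)
EXPORT_DIRS = [Path.home() / ".local/share/flatpak/exports/share/applications",
               Path("/var/lib/flatpak/exports/share/applications")]  # from the advisory


def suspicious_forwards(exec_value):
    """Return arguments that @@ or @@u would forward to the app as literal files.

    Only a field code (assumed to be all an honest export puts between the
    tokens) may follow @@ or @@u; any other @@-prefixed argument is flagged too.
    """
    try:
        args = shlex.split(exec_value)
    except ValueError:                 # unbalanced quotes: do not trust the line
        return [exec_value]
    findings = []
    for i, arg in enumerate(args):
        if arg.lower() in FORWARD_TOKENS and i + 1 < len(args):
            nxt = args[i + 1]
            if nxt.lower() not in FORWARD_TOKENS and not FIELD_CODE.match(nxt):
                findings.append(nxt)
        elif arg.startswith("@@") and arg.lower() not in FORWARD_TOKENS:
            findings.append(arg)
    return findings


def scan_desktop_text(text):
    """Collect findings from every Exec= line, including desktop action groups."""
    return [hit for line in text.splitlines() if line.startswith("Exec=")
            for hit in suspicious_forwards(line[len("Exec="):])]


def scan_exports(dirs=EXPORT_DIRS):
    """Map each flagged exported .desktop file to the arguments that tripped the check."""
    report = {}
    for desktop in (f for d in dirs for f in sorted(Path(d).glob("*.desktop"))):
        hits = scan_desktop_text(desktop.read_text(errors="replace"))
        if hits:
            report[str(desktop)] = hits
    return report


# Constructed samples: a normal export, and one that smuggles in a literal path.
BENIGN = "[Desktop Entry]\nExec=flatpak run --file-forwarding org.example.App @@ %f @@\n"
MALICIOUS = "[Desktop Entry]\nExec=flatpak run org.example.App @@ /home/user/private/notes.txt @@\n"
```

Calling scan_exports() with no arguments walks both directories the advisory names and returns only the files that have findings, so an empty dict means nothing suspicious was exported.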