Your message dated Tue, 30 Jan 2018 16:04:39 +0000
with message-id <[email protected]>
and subject line Bug#888842: fixed in flatpak 0.10.3-1
has caused the Debian Bug report #888842,
regarding flatpak: D-Bus filtering can be bypassed by a crafted authentication 
handshake
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
888842: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888842
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: flatpak
Version: 0.6.0-1
Severity: important
Tags: security

Many Flatpak apps ship with sandboxing metadata that gives them filtered
access to the D-Bus session and/or system bus. Gabriel Campana of the
Google security team discovered that a malicious app could bypass the
intended filtering by crafting an authentication message that will be
processed as end-of-authentication by the dbus-daemon, but not recognised
as end-of-authentication by flatpak-dbus-proxy.

This has been fixed upstream in versions 0.10.3 and 0.8.9, which I'm
going to package now.

The Debian security team has not generally treated Flatpak sandboxing
bypasses as security vulnerabilities, on the basis that the sandboxed
app provides its own security policy, so no privilege boundary is crossed
(in the absence of a curated "app store" where changes to security policy
are audited, or a software-downloading UI that highlights security policy
changes, neither of which is widely deployed right now). I assume this
is still the case, but I'm cc'ing the security team for their information
(please let me know if you would like me to prepare a security update).

    smcv

--- End Message ---
--- Begin Message ---
Source: flatpak
Source-Version: 0.10.3-1

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 30 Jan 2018 14:38:24 +0000
Source: flatpak
Binary: flatpak flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc 
libflatpak0
Architecture: source
Version: 0.10.3-1
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team 
<[email protected]>
Changed-By: Simon McVittie <[email protected]>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps 
(introspection)
 libflatpak-dev - Application deployment framework for desktop apps 
(development)
 libflatpak-doc - Application deployment framework for desktop apps 
(documentation)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 888842
Changes:
 flatpak (0.10.3-1) unstable; urgency=medium
 .
   * New upstream bugfix release
     - Fixes a D-Bus filtering bypass in flatpak-dbus-proxy
       (Closes: #888842)
Checksums-Sha1:
 2be6813c91659313cdf53235b63b43adcac434c1 3192 flatpak_0.10.3-1.dsc
 e815620d3321bd17af59c2212256ee3471874ed8 870152 flatpak_0.10.3.orig.tar.xz
 a3558d85de41593e2958ed5278f7ae61f522c19a 19376 flatpak_0.10.3-1.debian.tar.xz
 b71e59f75b79d5fd17b378f5098cbbde7f7b7884 11465 
flatpak_0.10.3-1_source.buildinfo
Checksums-Sha256:
 b50a32e42dbc80a003ef576bb5d1cbe565fa663d54662106a75af11623e423d8 3192 
flatpak_0.10.3-1.dsc
 d08616cfa7f0e0a5f0234a9859b67450e35377b95929b118a1b7ca7497e91b00 870152 
flatpak_0.10.3.orig.tar.xz
 e8ba3a4086b493d5e36328ea503a976ce1f4981e2e046b56e6f799d4e2dfee75 19376 
flatpak_0.10.3-1.debian.tar.xz
 89c7bfe3daeafcbaf81e8f36894e86dad1ffc4c1defa0103881fe7b7f593419b 11465 
flatpak_0.10.3-1_source.buildinfo
Files:
 1158cf8344ce4b69d7bd598cb8657f4b 3192 admin optional flatpak_0.10.3-1.dsc
 3aff127e150c4195682479eb96c14b18 870152 admin optional 
flatpak_0.10.3.orig.tar.xz
 fb5adc33e2ea6d3a951b673debb9cf57 19376 admin optional 
flatpak_0.10.3-1.debian.tar.xz
 9c354dbe582ac0e69d6282b7a87f1ce9 11465 admin optional 
flatpak_0.10.3-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAlpwkqYACgkQ4FrhR4+B
TE+iqg//Vri5EFQgoHeBp9Z/654AIYL3QyFeLVDoqRO6WYvpj/vl/S+eZmLFDq3f
51+YI/j+/8tYJ9d19BfossndAmUWBsiw+cEOfQenWqe6zxaXdtxOC2LdxllRl+YP
u3BsfVnxVjk2XyG0NCgEp3zjXlRLyCISSraOWJh4ejoVwohqBT3QxU89ieMusN3d
BARCEw8G0W1EAUYl9S+NNOxg8d4W77cSX03zsl7BQj/u9stGD+aKVr14Sd3sQ495
Yr2VeRqIGOy36rPRTOVud8YWOOeOZQV7u85SUJAhHx67HDSizNxlMS1aOcoNzOqP
WVts4KhlIZ7NbvokSxJsrNrfvGmZcW+/4OHTw71rQkOoPf52rgLe1W5CVtPw9o5E
X3qaUoDKu/Z78DMD9cTPVm5BKM0JlTzOfUpUNXPuAS9HUz+r7bYmpbBCZ4w1LYGp
Rd0RgmwexruW2vbDiVLaDfPBHrN7h3xT5Ydjua6+rnTBCzjtP9ljydjbkcrUTFHx
QBb9y8xgUTXrEA56kDZRlVQj8zs0bKWxtAQ58hbYgpn9ZnSRyVvo1TxGr1/HnSVw
EGAPbYQLcv3iLb5lDFzvV/mLc+KPp9Uv2XZN+J1BBcrLgykAw4CcZerqvZDzuK3c
XJPTm4kvo9NLfLHzpAul5JmWSj/z4JOhydF9PRFIffRuqZo3C8I=
=HAWh
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-utopia-maintainers

Reply via email to