Your message dated Tue, 30 Jan 2018 16:04:39 +0000 with message-id <[email protected]> and subject line Bug#888842: fixed in flatpak 0.10.3-1 has caused the Debian Bug report #888842, regarding flatpak: D-Bus filtering can be bypassed by a crafted authentication handshake to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 888842: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888842 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: flatpak Version: 0.6.0-1 Severity: important Tags: security Many Flatpak apps ship with sandboxing metadata that gives them filtered access to the D-Bus session and/or system bus. Gabriel Campana of the Google security team discovered that a malicious app could bypass the intended filtering by crafting an authentication message that will be processed as end-of-authentication by the dbus-daemon, but not recognised as end-of-authentication by flatpak-dbus-proxy. This has been fixed upstream in versions 0.10.3 and 0.8.9, which I'm going to package now. The Debian security team has not generally treated Flatpak sandboxing bypasses as security vulnerabilities, on the basis that the sandboxed app provides its own security policy, so no privilege boundary is crossed (in the absence of a curated "app store" where changes to security policy are audited, or a software-downloading UI that highlights security policy changes, neither of which is widely deployed right now). I assume this is still the case, but I'm cc'ing the security team for their information (please let me know if you would like me to prepare a security update). smcv
--- End Message ---
--- Begin Message ---Source: flatpak Source-Version: 0.10.3-1 We believe that the bug you reported is fixed in the latest version of flatpak, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Simon McVittie <[email protected]> (supplier of updated flatpak package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 30 Jan 2018 14:38:24 +0000 Source: flatpak Binary: flatpak flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc libflatpak0 Architecture: source Version: 0.10.3-1 Distribution: unstable Urgency: medium Maintainer: Utopia Maintenance Team <[email protected]> Changed-By: Simon McVittie <[email protected]> Description: flatpak - Application deployment framework for desktop apps flatpak-tests - Application deployment framework for desktop apps (tests) gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection) libflatpak-dev - Application deployment framework for desktop apps (development) libflatpak-doc - Application deployment framework for desktop apps (documentation) libflatpak0 - Application deployment framework for desktop apps (library) Closes: 888842 Changes: flatpak (0.10.3-1) unstable; urgency=medium . * New upstream bugfix release - Fixes a D-Bus filtering bypass in flatpak-dbus-proxy (Closes: #888842) Checksums-Sha1: 2be6813c91659313cdf53235b63b43adcac434c1 3192 flatpak_0.10.3-1.dsc e815620d3321bd17af59c2212256ee3471874ed8 870152 flatpak_0.10.3.orig.tar.xz a3558d85de41593e2958ed5278f7ae61f522c19a 19376 flatpak_0.10.3-1.debian.tar.xz b71e59f75b79d5fd17b378f5098cbbde7f7b7884 11465 flatpak_0.10.3-1_source.buildinfo Checksums-Sha256: b50a32e42dbc80a003ef576bb5d1cbe565fa663d54662106a75af11623e423d8 3192 flatpak_0.10.3-1.dsc d08616cfa7f0e0a5f0234a9859b67450e35377b95929b118a1b7ca7497e91b00 870152 flatpak_0.10.3.orig.tar.xz e8ba3a4086b493d5e36328ea503a976ce1f4981e2e046b56e6f799d4e2dfee75 19376 flatpak_0.10.3-1.debian.tar.xz 89c7bfe3daeafcbaf81e8f36894e86dad1ffc4c1defa0103881fe7b7f593419b 11465 flatpak_0.10.3-1_source.buildinfo Files: 1158cf8344ce4b69d7bd598cb8657f4b 3192 admin optional flatpak_0.10.3-1.dsc 3aff127e150c4195682479eb96c14b18 870152 admin optional flatpak_0.10.3.orig.tar.xz fb5adc33e2ea6d3a951b673debb9cf57 19376 admin optional flatpak_0.10.3-1.debian.tar.xz 9c354dbe582ac0e69d6282b7a87f1ce9 11465 admin optional flatpak_0.10.3-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAlpwkqYACgkQ4FrhR4+B TE+iqg//Vri5EFQgoHeBp9Z/654AIYL3QyFeLVDoqRO6WYvpj/vl/S+eZmLFDq3f 51+YI/j+/8tYJ9d19BfossndAmUWBsiw+cEOfQenWqe6zxaXdtxOC2LdxllRl+YP u3BsfVnxVjk2XyG0NCgEp3zjXlRLyCISSraOWJh4ejoVwohqBT3QxU89ieMusN3d BARCEw8G0W1EAUYl9S+NNOxg8d4W77cSX03zsl7BQj/u9stGD+aKVr14Sd3sQ495 Yr2VeRqIGOy36rPRTOVud8YWOOeOZQV7u85SUJAhHx67HDSizNxlMS1aOcoNzOqP WVts4KhlIZ7NbvokSxJsrNrfvGmZcW+/4OHTw71rQkOoPf52rgLe1W5CVtPw9o5E X3qaUoDKu/Z78DMD9cTPVm5BKM0JlTzOfUpUNXPuAS9HUz+r7bYmpbBCZ4w1LYGp Rd0RgmwexruW2vbDiVLaDfPBHrN7h3xT5Ydjua6+rnTBCzjtP9ljydjbkcrUTFHx QBb9y8xgUTXrEA56kDZRlVQj8zs0bKWxtAQ58hbYgpn9ZnSRyVvo1TxGr1/HnSVw EGAPbYQLcv3iLb5lDFzvV/mLc+KPp9Uv2XZN+J1BBcrLgykAw4CcZerqvZDzuK3c XJPTm4kvo9NLfLHzpAul5JmWSj/z4JOhydF9PRFIffRuqZo3C8I= =HAWh -----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________ Pkg-utopia-maintainers mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-utopia-maintainers
