** Description changed:

- Placeholder for a future flatpak 1.0.X release for bionic and cosmic.
+ This is a request to SRU the latest microrelease of flatpak into bionic
+ and cosmic, which is also a security update for CVE-2019-10063.
+ 
+ Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925541
+ Upstream bug https://github.com/flatpak/flatpak/issues/2782
+ 
+ [Impact]
+ 
+ New upstream microrelease of flatpak, which brings a security fix for
+ CVE-2019-10063.
+ 
+ Bionic is currently at 1.0.7, whereas 1.0.8 is available upstream.
+ Cosmic is currently at 1.0.7, whereas 1.0.8 is available upstream.
+ 
+ Disco needs to be synced to >= 1.2.3-2 (is someone able to sync 1.2.4-1
+ from unstable?); bug 1822024 has this request.
+ 
+ [Test Case]
+ 
+ No test case has been mentioned in the Debian bug. In the upstream pull
+ request it looks like the snapd exploit might be able to be used
+ https://www.exploit-db.com/exploits/46594, but the code change is minimal
+ so I have not tried this yet.
+ 
+ [Regression Potential]
+ 
+ Flatpak has a test suite, which is run on build across all architectures
+ and passes.
+ 
+ There is also a manual test plan
+ https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak. I have
+ confirmed that 1.0.8 passes with this test plan on both bionic and
+ cosmic.
+ 
+ Flatpak has autopkgtests enabled
+ http://autopkgtest.ubuntu.com/packages/f/flatpak which are passing on
+ bionic and cosmic.
+ 
+ Regression potential is low, and upstream is very responsive to any
+ issues raised.
+ 
+ [Other information]
+ 
+ Debian and upstream comments about the vulnerability:
+ 
+ "flatpak versions since 0.8.1 (and Debian's 0.8.0-2, which has backports
+ of the upstream changes that became 0.8.1) attempt to prevent malicious
+ apps from escalating their privileges by injecting commands into the
+ controlling terminal with the TIOCSTI ioctl (CVE-2017-5226).
+ 
+ This fix was incomplete: on 64-bit platforms, seccomp looks at the whole
+ 64-bit word, but the kernel only looks at the low 32 bits. This means we
+ also have to block commands like (0x1234567800000000 | TIOCSTI).
+ CVE-2019-10063 has been allocated for this vulnerability, which closely
+ resembles CVE-2019-7303 in snapd.
+ 
+ Mitigation: as usual with Flatpak sandbox bypasses, this can only be
+ exploited if you install a malicious app from a trusted source. The
+ sandbox parameters used for most apps are currently sufficiently weak
+ that a malicious app could do other equally bad things that we cannot
+ prevent, for example by abusing the X11 protocol."
+ 
+ Debian security tracker
+ https://security-tracker.debian.org/tracker/CVE-2019-10063
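The quoted paragraph above is the whole bug in two sentences: a seccomp-BPF rule that compares the ioctl request argument as a full 64-bit value lets (0x1234567800000000 | TIOCSTI) through, while the kernel's ioctl() only ever sees the low 32 bits. The following is an added example, not code from this bug report, from flatpak or from snapd. It models both filter variants with a tiny classic-BPF interpreter: the "exact compare" program checks the high 32-bit word for zero and the low word for TIOCSTI (the shape of the pre-1.0.8 rule), while the "masked compare" program consults only the low word, which is what a comparison masked to 0xffffffff compiles to. Assumed details: x86_64 syscall numbering (ioctl = 16), the little-endian seccomp_data layout in which each 64-bit argument is exposed to BPF as two 32-bit words, and constants mirroring the kernel's SECCOMP_RET_* values. The filter programs are hand-written approximations for illustration, not flatpak's actual filter.

```c
/* Added example (not from the bug report or flatpak): a model of why an
 * exact 64-bit compare on the ioctl request misses
 * (0x1234567800000000 | TIOCSTI) but a compare masked to the low 32 bits
 * does not. Assumes x86_64 syscall numbers and the little-endian
 * seccomp_data layout; the BPF interpreter supports only what the two
 * filters need. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NR_IOCTL    16u       /* __NR_ioctl on x86_64 (assumed arch) */
#define TIOCSTI     0x5412u   /* push a byte into the tty input queue */
#define TIOCGWINSZ  0x5413u   /* harmless: read the window size */

/* Mirrors SECCOMP_RET_ALLOW, SECCOMP_RET_ERRNO|EPERM, SECCOMP_RET_KILL. */
#define RET_ALLOW        0x7fff0000u
#define RET_ERRNO_EPERM  0x00050001u
#define RET_KILL         0x00000000u

/* Byte offsets into struct seccomp_data as BPF sees them (little-endian). */
#define OFF_NR         0u
#define OFF_ARG_LO(i)  (16u + 8u * (i))
#define OFF_ARG_HI(i)  (20u + 8u * (i))

typedef enum { OP_LD_ABS, OP_JEQ_K, OP_RET_K } op_t;
typedef struct { op_t op; uint32_t k; uint8_t jt, jf; } insn_t;
typedef struct { int nr; uint32_t arch; uint64_t ip; uint64_t args[6]; } seccomp_data_t;

/* cBPF loads are 32-bit, so a 64-bit argument is two separate words. */
static uint32_t load_word(const seccomp_data_t *d, uint32_t off)
{
    if (off == OFF_NR) return (uint32_t)d->nr;
    for (uint32_t i = 0; i < 6; i++) {
        if (off == OFF_ARG_LO(i)) return (uint32_t)(d->args[i] & 0xffffffffu);
        if (off == OFF_ARG_HI(i)) return (uint32_t)(d->args[i] >> 32);
    }
    return 0;
}

static uint32_t run_filter(const insn_t *prog, size_t n, const seccomp_data_t *d)
{
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < n) {
        const insn_t *in = &prog[pc];
        switch (in->op) {
        case OP_LD_ABS: acc = load_word(d, in->k); pc++; break;
        case OP_JEQ_K:  pc += 1u + (acc == in->k ? in->jt : in->jf); break;
        case OP_RET_K:  return in->k;
        }
    }
    return RET_KILL;  /* fell off the end of the program */
}

/* Exact-equality rule: deny only if high word == 0 AND low word == TIOCSTI. */
static const insn_t vulnerable_prog[] = {
    { OP_LD_ABS, OFF_NR,          0, 0 },
    { OP_JEQ_K,  NR_IOCTL,        0, 5 },  /* not ioctl -> allow */
    { OP_LD_ABS, OFF_ARG_HI(1),   0, 0 },
    { OP_JEQ_K,  0,               0, 3 },  /* high word != 0 -> allow: the bug */
    { OP_LD_ABS, OFF_ARG_LO(1),   0, 0 },
    { OP_JEQ_K,  TIOCSTI,         0, 1 },  /* low word != TIOCSTI -> allow */
    { OP_RET_K,  RET_ERRNO_EPERM, 0, 0 },
    { OP_RET_K,  RET_ALLOW,       0, 0 },
};

/* Masked rule: only the low 32 bits are consulted, like the kernel does. */
static const insn_t fixed_prog[] = {
    { OP_LD_ABS, OFF_NR,          0, 0 },
    { OP_JEQ_K,  NR_IOCTL,        0, 3 },
    { OP_LD_ABS, OFF_ARG_LO(1),   0, 0 },
    { OP_JEQ_K,  TIOCSTI,         0, 1 },
    { OP_RET_K,  RET_ERRNO_EPERM, 0, 0 },
    { OP_RET_K,  RET_ALLOW,       0, 0 },
};

static uint32_t decide(const insn_t *prog, size_t n, uint64_t request)
{
    /* Constructed syscall record: ioctl(fd=3, request, 0) on x86_64. */
    seccomp_data_t d = { .nr = (int)NR_IOCTL, .arch = 0xc000003eu, .ip = 0,
                         .args = { 3, request, 0, 0, 0, 0 } };
    return run_filter(prog, n, &d);
}

uint32_t vulnerable_decision(uint64_t request)
{ return decide(vulnerable_prog, sizeof vulnerable_prog / sizeof *vulnerable_prog, request); }

uint32_t fixed_decision(uint64_t request)
{ return decide(fixed_prog, sizeof fixed_prog / sizeof *fixed_prog, request); }

/* ioctl(2) takes its command as unsigned int: the high half is discarded. */
uint32_t kernel_sees(uint64_t request) { return (uint32_t)request; }

int main(void)
{
    const uint64_t reqs[] = { TIOCSTI, 0x1234567800000000ULL | TIOCSTI, TIOCGWINSZ };
    for (size_t i = 0; i < 3; i++)
        printf("request 0x%016" PRIx64 ": kernel sees 0x%04x  exact=%s  masked=%s\n",
               reqs[i], (unsigned)kernel_sees(reqs[i]),
               vulnerable_decision(reqs[i]) == RET_ALLOW ? "ALLOW" : "EPERM",
               fixed_decision(reqs[i]) == RET_ALLOW ? "ALLOW" : "EPERM");
    return 0;
}
```

The middle row of the output is the CVE: the exact-compare program returns ALLOW for 0x1234567800005412 because its high word is non-zero, yet kernel_sees() reduces it to 0x5412 and the TIOCSTI injection goes ahead. The same check applies to any ioctl denylist written with a full-width equality, so when auditing a seccomp profile on 64-bit, look for argument comparisons on ioctl requests that lack a 0xffffffff mask.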
** Attachment added: "Flatpak bionic 1.0.7-0ubuntu0.18.04.1 to 1.0.8-0ubuntu0.18.04.1 debdiff.gz"
   https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1821811/+attachment/5250333/+files/flatpak_1.0.7-0ubuntu0.18.04.1_to_flatpak_1.0.8-0ubuntu0.18.04.1.debdiff.gz

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1821811

Title:
  New upstream microrelease flatpak 1.0.X

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1821811/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs