On Thu, 21 Jan 2021 at 17:51:34 +0000, Simon McVittie wrote:
> Security team: this is a regression in DSA 4830-1 (CVE-2021-21261), now
> fixed upstream in 1.10.1 and backported to 1.2.x. In addition to the
> regression that was reported in #980323, I looked at similar code paths
> and fixed an equivalent regression elsewhere. It's a 2-line change
> (I'll follow up with the full debdiff, which is rather larger due to
> patch headers and changelog). Do you want a DSA 4830-2 to fix this?

Here's the proposed source debdiff.

I've assumed that urgency=medium genuinely *is* what I want this time :-)

    smcv
diffstat for flatpak-1.2.5 flatpak-1.2.5

 changelog                                                               |   17 ++++
 patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch |   39 ++++++++++
 patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch |   32 ++++++++
 patches/series                                                          |    2 
 4 files changed, 90 insertions(+)

diff -Nru flatpak-1.2.5/debian/changelog flatpak-1.2.5/debian/changelog
--- flatpak-1.2.5/debian/changelog	2021-01-12 16:23:32.000000000 +0000
+++ flatpak-1.2.5/debian/changelog	2021-01-21 13:57:39.000000000 +0000
@@ -1,6 +1,23 @@
+flatpak (1.2.5-0+deb10u3) buster-security; urgency=medium
+
+  * Fix regressions in DSA 4830-1
+    - Add patch from upstream to fix a regression in 'flatpak build'.
+      The patches to resolve CVE-2021-21261 caused a regression in which
+      'flatpak build' wouldn't set the LD_LIBRARY_PATH that it should.
+      (Closes: #980323)
+    - Add a patch from upstream to fix possible regressions in extra-data.
+      The extra-data mechanism, used to download large or proprietary
+      components out-of-band, could suffer from a regression similar to
+      #980323 if the app or runtime's apply_extra entry point relies on
+      LD_LIBRARY_PATH.
+  * Add CVE-2021-21261 reference to previous changelog entry
+
+ -- Simon McVittie <s...@debian.org>  Thu, 21 Jan 2021 13:57:39 +0000
+
 flatpak (1.2.5-0+deb10u2) buster-security; urgency=medium
 
   * Add patches for sandbox escape vulnerability GHSA-4ppf-fxf6-vxg2
+    (CVE-2021-21261)
 
  -- Simon McVittie <s...@debian.org>  Tue, 12 Jan 2021 16:23:32 +0000
 
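Review bot: the first bullet in the 1.2.5-0+deb10u3 entry says "Add patch from upstream" but never states which upstream release carries the fix; the cover mail says 1.10.1 and both patch headers carry `Applied-upstream: 1.10.1`, so I'd add "(fixed upstream in 1.10.1)" to that line so the changelog is self-contained for the DSA text. The second bullet calls the extra-data problem a "possible" regression while the corresponding patch header states flatly that "this regressed while fixing CVE-2021-21261"; pick one wording (the cover mail's "equivalent regression" found by inspecting similar code paths seems accurate) and say that it was found by code review rather than a user report, since unlike the first bullet it has no Closes: reference.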
diff -Nru flatpak-1.2.5/debian/patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch flatpak-1.2.5/debian/patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch
--- flatpak-1.2.5/debian/patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch	1970-01-01 01:00:00.000000000 +0100
+++ flatpak-1.2.5/debian/patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch	2021-01-21 13:57:39.000000000 +0000
@@ -0,0 +1,39 @@
+From: Simon McVittie <s...@collabora.com>
+Date: Mon, 18 Jan 2021 17:52:13 +0000
+Subject: build: Convert environment into a sequence of bwrap arguments
+
+This means we can systematically pass the environment variables
+through bwrap(1), even if it is setuid and thus is filtering out
+security-sensitive environment variables. bwrap itself ends up being
+run with an empty environment instead.
+
+This fixes a regression when CVE-2021-21261 was fixed: before the
+CVE fixes, LD_LIBRARY_PATH would have been passed through like this
+and appeared in the `flatpak build` shell, but during the CVE fixes,
+the special case that protected LD_LIBRARY_PATH was removed in favour
+of the more general flatpak_bwrap_envp_to_args(). That reasoning only
+works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
+that we run the potentially-setuid bwrap.
+
+Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
+Bug: https://github.com/flatpak/flatpak/issues/4080
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
+Signed-off-by: Simon McVittie <s...@collabora.com>
+Applied-upstream: 1.10.1, commit:9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0
+---
+ app/flatpak-builtins-build.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
+index 9410791..5ba3ba8 100644
+--- a/app/flatpak-builtins-build.c
++++ b/app/flatpak-builtins-build.c
+@@ -566,6 +566,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
+                               NULL);
+     }
+ 
++  flatpak_bwrap_envp_to_args (bwrap);
++
+   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+     return FALSE;
+ 
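Review bot: the placement of `flatpak_bwrap_envp_to_args (bwrap);` immediately before `flatpak_bwrap_bundle_args` is the important detail here, and it is only correct if no `flatpak_bwrap_set_env` call follows it in `flatpak_builtin_build`; anything set on the envp after this point would again be handed to a setuid bwrap as real environment and be filtered (LD_LIBRARY_PATH included), which is exactly the regression being fixed. The two visible context lines show nothing of the sort, but the hunk header is at line 566 of a long function, so please confirm the remainder of the function and reference that in the patch description, e.g. "this is the last point at which the envp is modified before the args are bundled". Since the series already carries `tests-Assert-that-env-does-not-go-in-flatpak-run-or-bwrap.patch`, a companion test asserting that `flatpak build` does pass LD_LIBRARY_PATH via `--setenv` would stop this from regressing a third time; if upstream 1.10.1 has one, it would be worth backporting alongside this patch.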
diff -Nru flatpak-1.2.5/debian/patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch flatpak-1.2.5/debian/patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch
--- flatpak-1.2.5/debian/patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch	1970-01-01 01:00:00.000000000 +0100
+++ flatpak-1.2.5/debian/patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch	2021-01-21 13:57:39.000000000 +0000
@@ -0,0 +1,32 @@
+From: Simon McVittie <s...@collabora.com>
+Date: Mon, 18 Jan 2021 18:07:38 +0000
+Subject: dir: Pass environment via bwrap --setenv when running apply_extra
+
+This means we can systematically pass the environment variables
+through bwrap(1), even if it is setuid and thus is filtering out
+security-sensitive environment variables. bwrap ends up being
+run with an empty environment instead.
+
+As with the previous commit, this regressed while fixing CVE-2021-21261.
+
+Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
+Bug: https://github.com/flatpak/flatpak/issues/4080
+Signed-off-by: Simon McVittie <s...@collabora.com>
+Applied-upstream: 1.10.1, commit:fb473cad801c6b61706353256cab32330557374a
+---
+ common/flatpak-dir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 40a2e58..f79ebcd 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -6799,6 +6799,8 @@ apply_extra_data (FlatpakDir   *self,
+                                          app_context, NULL, NULL, cancellable, error))
+     return FALSE;
+ 
++  flatpak_bwrap_envp_to_args (bwrap);
++
+   flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
+ 
+   flatpak_bwrap_finish (bwrap);
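Review bot: ordering is right in this hunk: the `--setenv` arguments generated by `flatpak_bwrap_envp_to_args` must precede the command, and the call sits before `flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra")` and `flatpak_bwrap_finish`. Two header points: unlike the previous patch this one has no `Bug-Debian:` field, although the changelog ties it to the same regression as #980323, so add `Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323` for traceability; and "As with the previous commit" only makes sense in upstream git order, so in a quilt series it's clearer to name the patch (`build-Convert-environment-into-a-sequence-of-bwrap-argume.patch`) explicitly.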
diff -Nru flatpak-1.2.5/debian/patches/series flatpak-1.2.5/debian/patches/series
--- flatpak-1.2.5/debian/patches/series	2021-01-12 16:23:32.000000000 +0000
+++ flatpak-1.2.5/debian/patches/series	2021-01-21 13:57:39.000000000 +0000
@@ -7,4 +7,6 @@
 tests-Exercise-env-fd.patch
 portal-Do-not-use-caller-supplied-variables-in-environmen.patch
 tests-Assert-that-env-does-not-go-in-flatpak-run-or-bwrap.patch
+build-Convert-environment-into-a-sequence-of-bwrap-argume.patch
+dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch
 debian/Use-Python-3-for-test-web-server.patch
