On Thu, 21 Jan 2021 at 17:51:34 +0000, Simon McVittie wrote: > Security team: this is a regression in DSA 4830-1 (CVE-2021-21261), now > fixed upstream in 1.10.1 and backported to 1.2.x. In addition to the > regression that was reported in #980323, I looked at similar code paths > and fixed an equivalent regression elsewhere. It's a 2-line change > (I'll follow up with the full debdiff, which is rather larger due to > patch headers and changelog). Do you want a DSA 4830-2 to fix this?
Here's the proposed source debdiff. I've assumed that urgency=medium genuinely *is* what I want this time :-) smcv
diffstat for flatpak-1.2.5 flatpak-1.2.5 changelog | 17 ++++ patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch | 39 ++++++++++ patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch | 32 ++++++++ patches/series | 2 4 files changed, 90 insertions(+) diff -Nru flatpak-1.2.5/debian/changelog flatpak-1.2.5/debian/changelog --- flatpak-1.2.5/debian/changelog 2021-01-12 16:23:32.000000000 +0000 +++ flatpak-1.2.5/debian/changelog 2021-01-21 13:57:39.000000000 +0000 @@ -1,6 +1,23 @@ +flatpak (1.2.5-0+deb10u3) buster-security; urgency=medium + + * Fix regressions in DSA 4830-1 + - Add patch from upstream to fix a regression in 'flatpak build'. + The patches to resolve CVE-2021-21261 caused a regression in which + 'flatpak build' wouldn't set the LD_LIBRARY_PATH that it should. + (Closes: #980323) + - Add a patch from upstream to fix possible regressions in extra-data. + The extra-data mechanism, used to download large or proprietary + components out-of-band, could suffer from a regression similar to + #980323 if the app or runtime's apply_extra entry point relies on + LD_LIBRARY_PATH. + * Add CVE-2021-21261 reference to previous changelog entry + + -- Simon McVittie <s...@debian.org> Thu, 21 Jan 2021 13:57:39 +0000 + flatpak (1.2.5-0+deb10u2) buster-security; urgency=medium * Add patches for sandbox escape vulnerability GHSA-4ppf-fxf6-vxg2 + (CVE-2021-21261) -- Simon McVittie <s...@debian.org> Tue, 12 Jan 2021 16:23:32 +0000 diff -Nru flatpak-1.2.5/debian/patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch flatpak-1.2.5/debian/patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch --- flatpak-1.2.5/debian/patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch 1970-01-01 01:00:00.000000000 +0100 +++ flatpak-1.2.5/debian/patches/build-Convert-environment-into-a-sequence-of-bwrap-argume.patch 2021-01-21 13:57:39.000000000 +0000 @@ -0,0 +1,39 @@ +From: Simon McVittie <s...@collabora.com> +Date: Mon, 18 Jan 2021 17:52:13 +0000 +Subject: build: Convert environment into a sequence of bwrap arguments + +This means we can systematically pass the environment variables +through bwrap(1), even if it is setuid and thus is filtering out +security-sensitive environment variables. bwrap itself ends up being +run with an empty environment instead. + +This fixes a regression when CVE-2021-21261 was fixed: before the +CVE fixes, LD_LIBRARY_PATH would have been passed through like this +and appeared in the `flatpak build` shell, but during the CVE fixes, +the special case that protected LD_LIBRARY_PATH was removed in favour +of the more general flatpak_bwrap_envp_to_args(). That reasoning only +works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere +that we run the potentially-setuid bwrap. + +Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" +Bug: https://github.com/flatpak/flatpak/issues/4080 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323 +Signed-off-by: Simon McVittie <s...@collabora.com> +Applied-upstream: 1.10.1, commit:9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0 +--- + app/flatpak-builtins-build.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c +index 9410791..5ba3ba8 100644 +--- a/app/flatpak-builtins-build.c ++++ b/app/flatpak-builtins-build.c +@@ -566,6 +566,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError + NULL); + } + ++ flatpak_bwrap_envp_to_args (bwrap); ++ + if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) + return FALSE; + diff -Nru flatpak-1.2.5/debian/patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch flatpak-1.2.5/debian/patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch --- flatpak-1.2.5/debian/patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch 1970-01-01 01:00:00.000000000 +0100 +++ flatpak-1.2.5/debian/patches/dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch 2021-01-21 13:57:39.000000000 +0000 @@ -0,0 +1,32 @@ +From: Simon McVittie <s...@collabora.com> +Date: Mon, 18 Jan 2021 18:07:38 +0000 +Subject: dir: Pass environment via bwrap --setenv when running apply_extra + +This means we can systematically pass the environment variables +through bwrap(1), even if it is setuid and thus is filtering out +security-sensitive environment variables. bwrap ends up being +run with an empty environment instead. + +As with the previous commit, this regressed while fixing CVE-2021-21261. + +Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" +Bug: https://github.com/flatpak/flatpak/issues/4080 +Signed-off-by: Simon McVittie <s...@collabora.com> +Applied-upstream: 1.10.1, commit:fb473cad801c6b61706353256cab32330557374a +--- + common/flatpak-dir.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index 40a2e58..f79ebcd 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -6799,6 +6799,8 @@ apply_extra_data (FlatpakDir *self, + app_context, NULL, NULL, cancellable, error)) + return FALSE; + ++ flatpak_bwrap_envp_to_args (bwrap); ++ + flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra"); + + flatpak_bwrap_finish (bwrap); diff -Nru flatpak-1.2.5/debian/patches/series flatpak-1.2.5/debian/patches/series --- flatpak-1.2.5/debian/patches/series 2021-01-12 16:23:32.000000000 +0000 +++ flatpak-1.2.5/debian/patches/series 2021-01-21 13:57:39.000000000 +0000 @@ -7,4 +7,6 @@ tests-Exercise-env-fd.patch portal-Do-not-use-caller-supplied-variables-in-environmen.patch tests-Assert-that-env-does-not-go-in-flatpak-run-or-bwrap.patch +build-Convert-environment-into-a-sequence-of-bwrap-argume.patch +dir-Pass-environment-via-bwrap-setenv-when-running-apply_.patch debian/Use-Python-3-for-test-web-server.patch