Your message dated Wed, 21 Jun 2017 09:34:34 +0000
with message-id <[email protected]>
and subject line Bug#865413: fixed in flatpak 0.8.7-1
has caused the Debian Bug report #865413,
regarding flatpak: Flatpak security issue #845 involving setuid/world-writable files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
865413: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865413
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: flatpak
Version: 0.8.5-2
Severity: critical
Tags: security fixed-upstream
Forwarded: https://github.com/flatpak/flatpak/issues/845
Justification: potentially (in worst case) root security hole
The Flatpak developers recently released version 0.8.7 fixing a security issue. A third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. Older Flatpak versions would deploy the files with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location.

In the case of the "system helper", files deployed as part of the app are owned by root, so in the worst case they could be setuid root.

Mitigations:

* If you are running apps from a third party already, then there is already a trust relationship (the app is sandboxed, but the sandbox is not very strict in practice, and the third-party vendor chooses what permissions the app will have)
* The default polkit policies will not allow apps to be installed system-wide unless a privileged (root-equivalent) user has added the third-party app repository, which indicates that the privileged user trusts the operator of that repository
* The attacker exploiting the wrong permissions needs to be local

It seems that upstream consider this to be a minor security issue due to those mitigations.

For the buster and sid suites, this will be fixed in 0.8.7-1 shortly. For the experimental suite, this will be fixed in 0.9.6-1. That will take a bit longer because it needs a newer version of libostree.

Security team: do you want a backport/DSA for stretch-security, or do you consider the mitigations to be sufficient to fix this through a stable update instead? I am hoping to get 0.8.7 into stretch r1 as a stable update, but 0.8.6 contains unrelated bug fixes that I realise you won't necessarily want in stretch-security (proposed-update tracked at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864028>).

For a stretch-security backport with just this fix, I could optionally also include these security-hardening-related commits from 0.8.6:

https://github.com/flatpak/flatpak/commit/6265200c83f23acceb3c9b192ebc1ffa9db140de
https://github.com/flatpak/flatpak/commit/414d699621664913dadebcf5db39732b99268c37

Please let me know whether you would prefer those included or excluded.

S
--- End Message ---
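As an added example (not part of the bug report and not Flatpak's own code), the following script audits an existing deploy tree for the permission classes the report describes (setuid, setgid, world-writable) and checks whether the per-user install root is private, which is the hardening 0.8.7 applies for files deployed before the fix. It assumes the default install roots /var/lib/flatpak and ~/.local/share/flatpak and the app/ID/arch/branch/active/files layout; the sample tree is constructed in a temporary directory.

```python
"""Audit a Flatpak deploy tree for setuid/setgid/world-writable entries. Added
example, not Flatpak's code; install roots and tree layout below are assumed."""
import os
import stat
import tempfile
from pathlib import Path

FLAGS = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"), (stat.S_IWOTH, "world-writable"))

def classify(mode):
    """Return the permission classes in st_mode that 0.8.7 refuses to deploy (empty if clean)."""
    return [name for bit, name in FLAGS if mode & bit]

def audit_tree(root):
    """Walk root without following symlinks; map each offending relative path to its problems."""
    root, findings = Path(root), {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            if problems := classify(st.st_mode):
                findings[str(path.relative_to(root))] = problems
    return findings

def is_private(path):
    """True when the directory grants nothing to group or others (mode 0700 or stricter)."""
    return stat.S_IMODE(os.lstat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0

def build_sample_tree():
    """Constructed sample in a temp dir: one setuid helper, one world-writable dir, one clean file."""
    base = Path(tempfile.mkdtemp(prefix="flatpak-audit-"))
    files = base / "app/org.example.Evil/x86_64/stable/active/files"  # assumed deploy layout
    (files / "bin").mkdir(parents=True)
    for name, mode in (("bin/ok", 0o755), ("bin/helper", 0o4755)):
        (files / name).write_bytes(b"#!/bin/sh\n")
        (files / name).chmod(mode)  # 0o4755 is setuid; a file's owner may set that bit
    (files / "share").mkdir()
    (files / "share").chmod(0o777)  # world-writable directory
    base.chmod(0o755)  # per-user root left readable by others, as before the fix
    return base

if __name__ == "__main__":
    roots = [p for p in (Path("/var/lib/flatpak"), Path.home() / ".local/share/flatpak")
             if p.is_dir()] or [build_sample_tree()]
    for root in roots:
        print(f"{root}: private={is_private(root)}")
        for rel, probs in sorted(audit_tree(root).items()):
            print(f"  {rel}: {', '.join(probs)}")
```

Run it as the user whose installs you want to check; system-wide trees under /var/lib/flatpak need read access to every directory, so run it as root there.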
--- Begin Message ---
Source: flatpak
Source-Version: 0.8.7-1
We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated flatpak package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 21 Jun 2017 09:50:09 +0100
Source: flatpak
Binary: flatpak flatpak-builder flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc libflatpak0
Architecture: source
Version: 0.8.7-1
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 865413
Description:
 flatpak - Application deployment framework for desktop apps
 flatpak-builder - Flatpak application building helper
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak0 - Application deployment framework for desktop apps (library)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak-doc - Application deployment framework for desktop apps (documentation)
Changes:
 flatpak (0.8.7-1) unstable; urgency=high
 .
   * New upstream stable release
     - Security: prevent deploying files with inappropriate permissions
       (world-writable, setuid, etc.) (Closes: #865413)
     - Security: make ~/.local/share/flatpak private to user to defend
       against app vendors that might have released files with
       inappropriate permissions in the past
     - If an error occurs during pull, do not double-set an error,
       which is considered to be invalid
     - Increase some arbitrary timeouts in a test to make it more
       reliable
--- End Message ---