Your message dated Wed, 21 Jun 2017 16:34:30 +0000
with message-id <[email protected]>
and subject line Bug#865413: fixed in flatpak 0.9.6-1
has caused the Debian Bug report #865413,
regarding flatpak: Flatpak security issue #845 involving setuid/world-writable files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
865413: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865413
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: flatpak
Version: 0.8.5-2
Severity: critical
Tags: security fixed-upstream
Forwarded: https://github.com/flatpak/flatpak/issues/845
Justification: potentially (in worst case) root security hole
The Flatpak developers recently released version 0.8.7 fixing a security
issue. A third-party app repository could include malicious apps that
contain files with inappropriate permissions, for example setuid or
world-writable. Older Flatpak versions would deploy the files with those
permissions, which would let a local attacker run the setuid executable
or write to the world-writable location.
In the case of the "system helper", files deployed as part of the app
are owned by root, so in the worst case they could be setuid root.
Mitigations:
* If you are running apps from a third party already, then there is
already a trust relationship (the app is sandboxed, but the sandbox
is not very strict in practice, and the third-party vendor chooses
what permissions the app will have)
* The default polkit policies will not allow apps to be installed
system-wide unless a privileged (root-equivalent) user has added
the third-party app repository, which indicates that the privileged
user trusts the operator of that repository
* The attacker exploiting the wrong permissions needs to be local
It seems that upstream consider this to be a minor security issue due
to those mitigations.
For the buster and sid suites, this will be fixed in 0.8.7-1 shortly.
For the experimental suite, this will be fixed in 0.9.6-1. That will
take a bit longer because it needs a newer version of libostree.
Security team: do you want a backport/DSA for stretch-security, or do
you consider the mitigations to be sufficient to fix this through
a stable update instead? I am hoping to get 0.8.7 into stretch r1 as a
stable update, but 0.8.6 contains unrelated bug fixes that I realise
you won't necessarily want in stretch-security (proposed-update tracked
at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864028>).
For a stretch-security backport with just this fix, I could optionally
also include these security-hardening-related commits from 0.8.6:
https://github.com/flatpak/flatpak/commit/6265200c83f23acceb3c9b192ebc1ffa9db140de
https://github.com/flatpak/flatpak/commit/414d699621664913dadebcf5db39732b99268c37
Please let me know whether you would prefer those included or excluded.
S
--- End Message ---
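The report above describes the defect as files deployed with setuid or world-writable permission bits. The following audit script is an added example, not code from the bug report, from flatpak or from Debian; it walks a deployed app tree (the directory layout and sample files are constructed here, and the exact set of bits flagged is an assumed policy that also covers setgid) and reports every regular file or directory carrying one of those bits, which is the check an administrator could run over an existing installation to find files deployed by an older version before the fix.

```python
import os
import stat
import tempfile


def classify_mode(mode: int) -> list:
    """Return the names of the dangerous permission bits present in a mode.

    Policy assumed for this example: setuid, setgid and the other-write bit.
    A world-writable directory is reported even if it is sticky, because an
    app deployment has no legitimate need for a /tmp-like directory.
    """
    problems = []
    if mode & stat.S_ISUID:
        problems.append("setuid")
    if mode & stat.S_ISGID:
        problems.append("setgid")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_tree(root: str) -> dict:
    """Walk a deployed tree and map each offending relative path to its problems.

    lstat is used so symlinks are inspected rather than followed: a link that
    points outside the tree must not cause the wrong object to be checked.
    Symlinks themselves are skipped, since their mode bits are ignored on Linux.
    """
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            problems = classify_mode(st.st_mode)
            if problems:
                findings[os.path.relpath(path, root)] = problems
    return findings


def build_sample_tree() -> str:
    """Create a constructed sample deployment containing one of each defect.

    Every mode is set explicitly with chmod so the result does not depend on
    the caller's umask.
    """
    root = tempfile.mkdtemp(prefix="flatpak-audit-")
    for rel in ("files", "files/bin", "files/share"):
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), 0o755)

    def write(rel, mode):
        path = os.path.join(root, rel)
        with open(path, "w") as handle:
            handle.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)

    write("files/bin/helper", 0o4755)   # setuid executable
    write("files/bin/group", 0o2755)    # setgid executable
    write("files/share/config", 0o666)  # world-writable data file
    write("files/bin/ok", 0o755)        # ordinary executable, must not be reported
    os.chmod(os.path.join(root, "files", "share"), 0o777)  # world-writable directory
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, problems in sorted(audit_tree(sample_root).items()):
        print(f"{rel_path}: {', '.join(problems)}")
```

Run it as an unprivileged user; setting the setuid bit on a file you own needs no special privilege, so the sample tree builds anywhere a temporary directory can be created. Against a real installation, point `audit_tree` at the system-wide deployment directory (root-owned when installed through the system helper) and at the per-user one under `~/.local/share/flatpak`, since the changelog notes that older vendors may already have shipped such files there.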
--- Begin Message ---
Source: flatpak
Source-Version: 0.9.6-1
We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated flatpak package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 21 Jun 2017 15:09:59 +0100
Source: flatpak
Binary: flatpak flatpak-builder flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc libflatpak0
Architecture: source
Version: 0.9.6-1
Distribution: experimental
Urgency: high
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 865413
Description:
flatpak - Application deployment framework for desktop apps
flatpak-builder - Flatpak application building helper
flatpak-tests - Application deployment framework for desktop apps (tests)
gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
libflatpak0 - Application deployment framework for desktop apps (library)
libflatpak-dev - Application deployment framework for desktop apps (development)
libflatpak-doc - Application deployment framework for desktop apps (documentation)
Changes:
flatpak (0.9.6-1) experimental; urgency=high
.
* New upstream release
- Security: prevent deploying files with inappropriate permissions
(world-writable, setuid, etc.) (Closes: #865413)
- Security: make ~/.local/share/flatpak private to user to defend
against app vendors that might have released files with
inappropriate permissions in the past
- Bump libostree build-dependency to 2017.7
- d/p/testlibrary-Call-g_assert_no_error-first.patch:
Drop, applied upstream
* Standards-Version: 4.0.0
- Use https URL for format of debian/copyright
Checksums-Sha1:
6b7736a329247a37ddc1b1322c147d4f6e7b3143 3088 flatpak_0.9.6-1.dsc
e5be7975b5dac18ceff0ce693d964eeaf7e9b50e 845660 flatpak_0.9.6.orig.tar.xz
f72d90871896aacc2e4b9cb5a0bd0725b95c62a9 17068 flatpak_0.9.6-1.debian.tar.xz
Checksums-Sha256:
e61b0a2bff08d7af501ff2f02dd9dbca6d0b07ee9c88d904d6bcd2b450fe476d 3088 flatpak_0.9.6-1.dsc
d0835b70db8de97d3d3a6a57ecbc0bf8c69d308daa20897079634521e1949f9e 845660 flatpak_0.9.6.orig.tar.xz
48d72ab4463f5cea1834f91c973991d73fbdf4dfac38e603c458ddc5840f4663 17068 flatpak_0.9.6-1.debian.tar.xz
Files:
c879e47c0e72d693dd8209ad600a1a3a 3088 admin optional flatpak_0.9.6-1.dsc
2aa4dee109f689e498a5c4daace83b5d 845660 admin optional flatpak_0.9.6.orig.tar.xz
085ab1ca0ed76e9d5e07074c89e75e19 17068 admin optional flatpak_0.9.6-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---