Your message dated Mon, 11 Feb 2019 18:49:15 +0000
with message-id <e1gtgdn-0004m9...@fasolo.debian.org>
and subject line Bug#922059: fixed in flatpak 1.2.3-1
has caused the Debian Bug report #922059,
regarding flatpak: vulnerability similar to runc CVE-2019-5736 involving /proc/self/exe
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
922059: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922059
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: flatpak
Version: 1.2.2-1
Severity: critical
Tags: security upstream patch
Justification: root security hole (?)
Control: found -1 1.2.0-1~bpo9+1
Control: found -1 0.8.9-0+deb9u1
Control: found -1 0.8.9-0+deb9u1~bpo8+1
Control: found -1 0.8.5-2+deb9u1

Flatpak upstream releases 1.2.3 and 1.0.7 fix a vulnerability similar to
runc vulnerability CVE-2019-5736. If a user installs a system-wide Flatpak
app or runtime that has an 'apply_extra' script, then the apply_extra
script is run in a sandbox, as root, with /proc mounted. A malicious app
or runtime could traverse /proc/self/exe to modify a host-side executable.

It is not completely clear to me *which* host-side executable. To be on
the safe side, I'm assuming that it's something that could lead to an
unsandboxed privilege escalation vulnerability. I don't currently have an
exploit that can be used to demonstrate this vulnerability.

Mitigation: the app or runtime would have to come from a trusted Flatpak
repository (such as Flathub) that was previously added as a system-wide
source of Flatpak apps by a root-equivalent user.

(Non-malicious apply_extra scripts are normally used to process "extra
data" files that had to be downloaded out-of-band, such as the archives
containing the proprietary Nvidia graphics drivers, which the Flathub
maintainers do not believe they are allowed to redistribute directly.)

For buster/sid, I'm preparing a 1.2.3-1 release that will fix this.

For stretch, 0.8.5 and 0.8.9 appear to be vulnerable. I don't think
upstream plan to release a 0.8.10 version, but the patch doesn't seem
difficult to backport (untested patch attached).

Do the security team want to issue a DSA for this, or should I be targeting
the next stretch point release?

References:
https://lists.freedesktop.org/archives/flatpak/2019-February/001476.html
https://github.com/flatpak/flatpak/releases/tag/1.2.3
https://lists.freedesktop.org/archives/flatpak/2019-February/001477.html
https://github.com/flatpak/flatpak/releases/tag/1.0.7

Thanks,
    smcv
From: Alexander Larsson <al...@redhat.com>
Date: Sun, 10 Feb 2019 18:23:44 +0100
Subject: Don't expose /proc when running apply_extra

As shown by CVE-2019-5736, it is sometimes possible for the sandbox
app to access outside files using /proc/self/exe. This is not
typically an issue for flatpak as the sandbox runs as the user which
has no permissions to e.g. modify the host files.

However, when installing apps using extra-data into the system repo
we *do* actually run a sandbox as root. So, in this case we disable mounting
/proc in the sandbox, which will neuter attacks like this.

(cherry picked from commit 468858c1cbcdbcb27266deb5c7347b37adf3a9e4)
---
 common/flatpak-dir.c | 2 +-
 common/flatpak-run.c | 6 +++++-
 common/flatpak-run.h | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 4f6f54d..35e0a65 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -3914,7 +3914,7 @@ apply_extra_data (FlatpakDir          *self,
             NULL);
 
   if (!flatpak_run_setup_base_argv (argv_array, fd_array, runtime_files, NULL, runtime_ref_parts[2],
-                                    FLATPAK_RUN_FLAG_NO_SESSION_HELPER,
+                                    FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
                                     error))
     return FALSE;
 
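Review bot: FLATPAK_RUN_FLAG_NO_PROC is OR'd into this single call site with no explanation at the point of use, and the commit message says the motivation is specifically the root-run system-install case. A one-line comment above the flatpak_run_setup_base_argv call ("apply_extra runs as root for system installs; never expose /proc, see CVE-2019-5736") would stop a later cleanup from adding /proc back because some apply_extra script needs it.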
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index cad8bc9..9a69f7b 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -4071,9 +4071,13 @@ flatpak_run_setup_base_argv (GPtrArray      *argv_array,
   if (fd_array)
     g_array_append_val (fd_array, group_fd);
 
+  if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)
+    add_args (argv_array,
+              "--proc", "/proc",
+              NULL);
+
   add_args (argv_array,
             "--unshare-pid",
-            "--proc", "/proc",
             "--dir", "/tmp",
             "--dir", "/var/tmp",
             "--dir", "/run/host",
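Review bot: the new conditional drops /proc from the sandbox entirely rather than masking /proc/self/exe, so any apply_extra script that depends on procfs (including shell redirections through /dev/fd/N, which are symlinks into /proc/self/fd) will now fail for system installs with no obvious error. This deserves a mention in the apply_extra documentation and a test that runs an existing extra-data app's apply_extra with FLATPAK_RUN_FLAG_NO_PROC set. Minor: the conditional "--proc", "/proc" now lands before "--unshare-pid" instead of after it; bwrap treats --unshare-* as global options so this is harmless, but placing the conditional add_args after the unconditional block would keep the resulting command line in its previous order.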
diff --git a/common/flatpak-run.h b/common/flatpak-run.h
index 8a29fe0..e16c4db 100644
--- a/common/flatpak-run.h
+++ b/common/flatpak-run.h
@@ -105,6 +105,7 @@ typedef enum {
   FLATPAK_RUN_FLAG_NO_SESSION_HELPER  = (1 << 4),
   FLATPAK_RUN_FLAG_MULTIARCH          = (1 << 5),
   FLATPAK_RUN_FLAG_WRITABLE_ETC       = (1 << 6),
+  FLATPAK_RUN_FLAG_NO_PROC            = (1 << 19),
 } FlatpakRunFlags;
 
 gboolean flatpak_run_setup_base_argv (GPtrArray      *argv_array,
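Review bot: the new flag jumps from (1 << 6) to (1 << 19), leaving bits 7 through 18 unassigned in the enum as shown in this hunk. If that value was chosen to stay in sync with the cherry-picked upstream commit 468858c1cbcdbcb27266deb5c7347b37adf3a9e4, a comment saying so would prevent someone on this branch from later allocating a flag at 1 << 7 that collides with a future backport; if the enum simply has members that the three-line context does not show, no change is needed.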

--- End Message ---
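To make the mechanism in the report and the shape of the fix concrete, here is an added example (not flatpak's code, and not part of the bug report) that models the patched argument builder in Python. The bwrap option names (`--proc`, `--unshare-pid`, `--dir`) and the flag values are taken from the patch above; the `fixed` toggle, the `apply_extra_flags` helper and the `audit_sandbox` check are this example's own constructs, intended as a defender-side check that a sandbox which will run as root never gets procfs mounted.

```python
"""Model of the flatpak /proc fix for apply_extra (added example, not flatpak code).

Mirrors the gating introduced in flatpak_run_setup_base_argv(): procfs is
mounted into the bubblewrap sandbox only when FLATPAK_RUN_FLAG_NO_PROC is
clear, and the root-run apply_extra sandbox now sets that flag.
"""

# Flag bits as shown in the common/flatpak-run.h hunk of the patch.
FLATPAK_RUN_FLAG_NO_SESSION_HELPER = 1 << 4
FLATPAK_RUN_FLAG_MULTIARCH = 1 << 5
FLATPAK_RUN_FLAG_WRITABLE_ETC = 1 << 6
FLATPAK_RUN_FLAG_NO_PROC = 1 << 19


def setup_base_argv(flags: int, fixed: bool = True) -> list:
    """Return the base bwrap argument list for the given flags.

    fixed=False models the pre-patch behaviour ("--proc", "/proc" always
    present); fixed=True models the patched path, where /proc is mounted
    only if FLATPAK_RUN_FLAG_NO_PROC is not set.  (The fixed switch is this
    example's own device for showing before/after side by side.)
    """
    argv = ["bwrap"]
    if not fixed or not (flags & FLATPAK_RUN_FLAG_NO_PROC):
        argv += ["--proc", "/proc"]
    argv += [
        "--unshare-pid",
        "--dir", "/tmp",
        "--dir", "/var/tmp",
        "--dir", "/run/host",
    ]
    return argv


def apply_extra_flags() -> int:
    """Flags the patched apply_extra_data() passes (flatpak-dir.c hunk)."""
    return FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC


def mounts_proc(argv: list) -> bool:
    """True if the bwrap argv mounts procfs anywhere ("--proc DEST")."""
    return "--proc" in argv[:-1]


def audit_sandbox(argv: list, euid: int) -> list:
    """Return findings for a planned sandbox invocation.

    The single finding mirrors the bug report: a sandbox that runs as root
    with procfs mounted lets its processes reach their own host-side
    executable through /proc/self/exe (the CVE-2019-5736 pattern).
    Sandboxes running as an unprivileged user are not flagged, matching
    the commit message's reasoning that they cannot modify host files.
    """
    findings = []
    if euid == 0 and mounts_proc(argv):
        findings.append("root sandbox mounts /proc: /proc/self/exe reachable")
    return findings


if __name__ == "__main__":
    for label, fixed in (("before patch", False), ("after patch", True)):
        argv = setup_base_argv(apply_extra_flags(), fixed=fixed)
        print(label, " ".join(argv))
        print("  findings (euid=0):", audit_sandbox(argv, euid=0))
```

Running the block prints the apply_extra command line before and after the change; only the pre-patch line carries `--proc /proc` and only it produces a finding when the sandbox is to run with euid 0. The same `audit_sandbox` check can be applied to any bwrap command line captured from a root-run install to confirm the mitigation is in effect.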
--- Begin Message ---
Source: flatpak
Source-Version: 1.2.3-1

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 11 Feb 2019 16:17:09 +0000
Source: flatpak
Architecture: source
Version: 1.2.3-1
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Closes: 922059
Changes:
 flatpak (1.2.3-1) unstable; urgency=high
 .
   * New upstream stable release
     - Security update: do not let the apply_extra script for a system
       installation modify the host-side executable via /proc/self/exe,
       similar to CVE-2019-5736 in runc (Closes: #922059)
Checksums-Sha1:
 f3ad5c1ff838a1301e0da3c704dafbafd0f57a90 3330 flatpak_1.2.3-1.dsc
 824abb949e540acaaee6a4122321467abcdc8b3b 1166820 flatpak_1.2.3.orig.tar.xz
 f43aa084c491d82f71ad56f6650e998fc2dc6b07 24796 flatpak_1.2.3-1.debian.tar.xz
 5e043c6e1a5634f87458571ad314f4de79b292b0 11925 flatpak_1.2.3-1_source.buildinfo
Checksums-Sha256:
 e6340ce8807c214d9a1ebf313a0479506b4e989b392a3f35ae8f113648a6cb2b 3330 flatpak_1.2.3-1.dsc
 bb4720307fc10465660e37bb9489c1d9a349c19143e24f65ddb49032f8b00d44 1166820 flatpak_1.2.3.orig.tar.xz
 18dd7c78fefd2b9cdfc258a5410c25cf65f945cbc9398e3ee5043424b352b926 24796 flatpak_1.2.3-1.debian.tar.xz
 3a86e01ac8104a6f27c42fa508e07fabaaad8e0d39f7fe9ce105831ebe64d860 11925 flatpak_1.2.3-1_source.buildinfo
Files:
 11aa721694e81efae8d061442016033f 3330 admin optional flatpak_1.2.3-1.dsc
 6ce8069ba5bb027fa7fbe84db209464e 1166820 admin optional flatpak_1.2.3.orig.tar.xz
 f11bde09a4bd81ca0728de799f28d443 24796 admin optional flatpak_1.2.3-1.debian.tar.xz
 678a19200588a7aafc9bd90bae4a9d3a 11925 admin optional flatpak_1.2.3-1_source.buildinfo


--- End Message ---
