Your message dated Mon, 18 Feb 2019 23:18:30 +0000
with message-id <e1gvsbc-0006jy...@fasolo.debian.org>
and subject line Bug#922059: fixed in flatpak 0.8.9-0+deb9u2
has caused the Debian Bug report #922059,
regarding flatpak: CVE-2019-8308: vulnerability similar to runc CVE-2019-5736 involving /proc/self/exe
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
922059: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922059
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: flatpak
Version: 1.2.2-1
Severity: critical
Tags: security upstream patch
Justification: root security hole (?)
Control: found -1 1.2.0-1~bpo9+1
Control: found -1 0.8.9-0+deb9u1
Control: found -1 0.8.9-0+deb9u1~bpo8+1
Control: found -1 0.8.5-2+deb9u1

Flatpak upstream releases 1.2.3 and 1.0.7 fix a vulnerability similar to
runc vulnerability CVE-2019-5736. If a user installs a system-wide Flatpak
app or runtime that has an 'apply_extra' script, then the apply_extra
script is run in a sandbox, as root, with /proc mounted. A malicious app
or runtime could traverse /proc/self/exe to modify a host-side executable.

It is not completely clear to me *which* host-side executable. To be on
the safe side, I'm assuming that it's something that could lead to an
unsandboxed privilege escalation vulnerability. I don't currently have an
exploit that can be used to demonstrate this vulnerability.

Mitigation: the app or runtime would have to come from a trusted Flatpak
repository (such as Flathub) that was previously added as a system-wide
source of Flatpak apps by a root-equivalent user.

(Non-malicious apply_extra scripts are normally used to process "extra
data" files that had to be downloaded out-of-band, such as the archives
containing the proprietary Nvidia graphics drivers, which the Flathub
maintainers do not believe they are allowed to redistribute directly.)

For buster/sid, I'm preparing a 1.2.3-1 release that will fix this.

For stretch, 0.8.5 and 0.8.9 appear to be vulnerable. I don't think
upstream plan to release a 0.8.10 version, but the patch doesn't seem
difficult to backport (untested patch attached).

Do the security team want to issue a DSA for this, or should I be targeting
the next stretch point release?

References:
https://lists.freedesktop.org/archives/flatpak/2019-February/001476.html
https://github.com/flatpak/flatpak/releases/tag/1.2.3
https://lists.freedesktop.org/archives/flatpak/2019-February/001477.html
https://github.com/flatpak/flatpak/releases/tag/1.0.7

Thanks,
    smcv
From: Alexander Larsson <al...@redhat.com>
Date: Sun, 10 Feb 2019 18:23:44 +0100
Subject: Don't expose /proc when running apply_extra

As shown by CVE-2019-5736, it is sometimes possible for the sandbox
app to access outside files using /proc/self/exe. This is not
typically an issue for flatpak as the sandbox runs as the user which
has no permissions to e.g. modify the host files.

However, when installing apps using extra-data into the system repo
we *do* actually run a sandbox as root. So, in this case we disable mounting
/proc in the sandbox, which will neuter attacks like this.

(cherry picked from commit 468858c1cbcdbcb27266deb5c7347b37adf3a9e4)
---
 common/flatpak-dir.c | 2 +-
 common/flatpak-run.c | 6 +++++-
 common/flatpak-run.h | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 4f6f54d..35e0a65 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -3914,7 +3914,7 @@ apply_extra_data (FlatpakDir          *self,
             NULL);
 
   if (!flatpak_run_setup_base_argv (argv_array, fd_array, runtime_files, NULL, runtime_ref_parts[2],
-                                    FLATPAK_RUN_FLAG_NO_SESSION_HELPER,
+                                    FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
                                     error))
     return FALSE;
 
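Review bot: the new FLATPAK_RUN_FLAG_NO_PROC bit is passed here with nothing at the call site saying why apply_extra must run without /proc; a one-line comment above the flatpak_run_setup_base_argv () call, along the lines of `/* apply_extra runs as root for system installs: no /proc, see CVE-2019-5736 */`, would stop a later cleanup from restoring --proc for an apply_extra script that turns out to want it.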
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index cad8bc9..9a69f7b 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -4071,9 +4071,13 @@ flatpak_run_setup_base_argv (GPtrArray      *argv_array,
   if (fd_array)
     g_array_append_val (fd_array, group_fd);
 
+  if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)
+    add_args (argv_array,
+              "--proc", "/proc",
+              NULL);
+
   add_args (argv_array,
             "--unshare-pid",
-            "--proc", "/proc",
             "--dir", "/tmp",
             "--dir", "/var/tmp",
             "--dir", "/run/host",
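Review bot: dropping /proc from the sandbox is a visible behaviour change for existing apply_extra scripts, and neither this hunk nor the commit message records that a script which reads /proc (for example a tool that opens /proc/self/exe or /proc/mounts) will now fail in the root-run case; a comment above the new `if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)` block stating that NO_PROC is only set for the root-run apply_extra path would document that. It is also worth confirming that emitting "--proc", "/proc" before "--unshare-pid" rather than after it, as the removed line did, makes no difference to how bwrap processes its arguments.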
diff --git a/common/flatpak-run.h b/common/flatpak-run.h
index 8a29fe0..e16c4db 100644
--- a/common/flatpak-run.h
+++ b/common/flatpak-run.h
@@ -105,6 +105,7 @@ typedef enum {
   FLATPAK_RUN_FLAG_NO_SESSION_HELPER  = (1 << 4),
   FLATPAK_RUN_FLAG_MULTIARCH          = (1 << 5),
   FLATPAK_RUN_FLAG_WRITABLE_ETC       = (1 << 6),
+  FLATPAK_RUN_FLAG_NO_PROC            = (1 << 19),
 } FlatpakRunFlags;
 
 gboolean flatpak_run_setup_base_argv (GPtrArray      *argv_array,
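Review bot: FLATPAK_RUN_FLAG_NO_PROC is assigned (1 << 19) while the highest existing flag in this 0.8.9 enum is (1 << 6), leaving bits 7 to 18 unused; the value presumably matches the enum in the upstream commit 468858c1cbcdbcb27266deb5c7347b37adf3a9e4 this was cherry-picked from, so a comment saying that it is kept equal to upstream's value would stop a later backport from reusing bit 19 for another flag or "tidying" it down to bit 7.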

--- End Message ---
--- Begin Message ---
Source: flatpak
Source-Version: 0.8.9-0+deb9u2

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Tue, 12 Feb 2019 11:11:22 GMT
Source: flatpak
Binary: flatpak flatpak-builder flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc libflatpak0
Architecture: source
Version: 0.8.9-0+deb9u2
Distribution: stretch-security
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-builder - Flatpak application building helper
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak-doc - Application deployment framework for desktop apps (documentation)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 922059
Changes:
 flatpak (0.8.9-0+deb9u2) stretch-security; urgency=medium
 .
   * d/p/Don-t-expose-proc-when-running-apply_extra.patch:
     Backport patch from upstream v1.2.3: do not let the apply_extra
     script for a system installation modify the host-side executable
     via /proc/self/exe, similar to CVE-2019-5736 in runc
     (Closes: #922059)


--- End Message ---
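An added check, not code from this thread or from flatpak, that applies the fixed versions named above (0.8.9-0+deb9u2 for stretch, 1.2.3-1 for buster/sid) to an installed package version; it reimplements dpkg's version ordering in Python so that suffixes such as ~bpo9+1 and +deb9u2 sort the way dpkg sorts them. The 1.0.x series has no Debian fixed version in the thread, so is_fixed() returns None for it.

```python
import re

# Added example, not code from the bug report or from flatpak: decide whether an
# installed Debian flatpak version carries the CVE-2019-8308 fix, reimplementing
# dpkg's version ordering so that ~bpo and +deb9u suffixes compare as dpkg does.

def _order(c):
    # dpkg weight of one character of a non-digit run: '~' sorts before
    # everything, even the end of the run (weight 0); letters before punctuation.
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _key(frag):
    # Alternating (non-digit run, number) pairs; each run ends with a 0 sentinel
    # so that "a~" < "a" < "a+" exactly as dpkg orders them.
    pairs = re.findall(r"(\D*)(\d*)", frag)
    return [([_order(c) for c in nd] + [0], int(d or 0)) for nd, d in pairs]

def _verrevcmp(a, b):
    # Like dpkg's verrevcmp(); pad the shorter key so a trailing "~" still loses.
    ka, kb = _key(a), _key(b)
    pad = [([0], 0)]
    ka, kb = ka + pad * (len(kb) - len(ka)), kb + pad * (len(ka) - len(kb))
    return (ka > kb) - (ka < kb)

def parse_version(v):
    # (epoch, upstream, debian_revision); missing epoch is 0, missing revision "".
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def compare_versions(a, b):
    # <0, 0 or >0, like `dpkg --compare-versions`.
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

# Fixed versions named in the thread.  For 1.2.x the fix is upstream 1.2.3, so
# only the upstream part is compared (a ~bpo rebuild of 1.2.3-1 still has it);
# stretch's 0.8.9 carries the fix in its Debian revision, so the whole version counts.
FIXED = {"1.2": ("1.2.3", True), "0.8": ("0.8.9-0+deb9u2", False)}

def is_fixed(installed):
    # True/False for the two series the thread covers, None for any other series.
    upstream = parse_version(installed)[1]
    entry = FIXED.get(".".join(upstream.split(".")[:2]))
    if entry is None:
        return None
    fixed, upstream_only = entry
    cmp = _verrevcmp(upstream, fixed) if upstream_only else compare_versions(installed, fixed)
    return cmp >= 0
```

The installed version to pass to is_fixed() comes from `dpkg-query -W -f='${Version}' flatpak`.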