[Bug 1946578] Re: Placeholder for CVE-2021-41133

2021-10-14 Thread Andrew Hayzen
Please find attached the debdiff for Ubuntu 21.10 impish. I have
performed some testing in a VM and built in a PPA.

Let me know if anything has been done incorrectly.

** Attachment added: "Impish CVE debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+attachment/5533002/+files/impish_flatpak_1.10.2-3_to_1.10.2-3ubuntu0.1.debdiff.gz

** Summary changed:

- Placeholder for CVE-2021-41133
+ Update for CVE-2021-41133

** Description changed:

- *** Placeholder until regressions are fixed upstream ***
- 
  [Links]
  https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935
  https://security-tracker.debian.org/tracker/CVE-2021-41133
- 
  
  [Impact]
  Versions in Ubuntu right now:
  Impish: 1.10.2-3
  Hirsute: 1.10.2-1ubuntu1
  Focal: 1.6.5-0ubuntu0.3
  Bionic: 1.0.9-0ubuntu0.3
  
  Affected versions:
- 1.11.x, 1.10.x <= 1.10.3, all <= 1.8.2
+ 1.11.x, 1.10.x <= 1.10.3, all <= 1.8.2
  
  Patched versions:
- 1.10.5, 1.12.1, also expected in 1.8.2
- 
+ 1.10.5, 1.12.1, also expected in 1.8.2
  
  [Test Case]
  Unknown
- 
  
  [Regression Potential]
  Flatpak has a test suite, which is run on build across all relevant 
architectures and passes.
  
  There is also a manual test plan
  https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
  
  Flatpak has autopkgtests enabled
  http://autopkgtest.ubuntu.com/packages/f/flatpak .
  
  Regression potential is low, and upstream is very responsive to any
  issues raised.
  
- 
  [Patches]
  There were 8 initial patches, then some regressions have been found, one has 
been patched, but a second has a pending pull request (see the GitHub advisory 
for links). As noted in the Debian bug as well there might be further changes 
to bubblewrap, so I guess it makes sense to wait until this has settled.
- 
  
  [Other Information]
  An anonymous reporter discovered that Flatpak apps with direct access to 
AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can 
trick portals and other host-OS services into treating the Flatpak app as 
though it was an ordinary, non-sandboxed host-OS process, by manipulating the 
VFS using recent mount-related syscalls that are not blocked by Flatpak's 
denylist seccomp filter, in order to substitute a crafted /.flatpak-info or 
make that file disappear entirely.
  Impact
  
  Flatpak apps that act as clients for AF_UNIX sockets such as those used
  by Wayland, Pipewire or pipewire-pulse can escalate the privileges that
  the corresponding services will believe the Flatpak app has.
  
  Mitigation: Note that protocols that operate entirely over the D-Bus
  session bus (user bus), system bus or accessibility bus are not affected
  by this. This is due to the use of a proxy process xdg-dbus-proxy, whose
  VFS cannot be manipulated by the Flatpak app, when interacting with
  these buses.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1946578

Title:
  Update for CVE-2021-41133

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1946578] Re: Placeholder for CVE-2021-41133

2021-10-12 Thread Andrew Hayzen
** Changed in: flatpak (Ubuntu Impish)
   Status: New => In Progress

** Changed in: flatpak (Ubuntu Hirsute)
   Status: New => In Progress

** Changed in: flatpak (Ubuntu Hirsute)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)


[Bug 1946578] Re: Placeholder for CVE-2021-41133

2021-10-11 Thread Simon McVittie
I think we have the regressions under control now.

https://salsa.debian.org/debian/flatpak/-/commits/wip/1.10.x/ is
packaging of 1.10.5 aimed at inclusion in Debian 11, including one
post-1.10.5 bug fix https://github.com/flatpak/flatpak/pull/4461 which
will hopefully be included in 1.10.6. I'm waiting for an opinion from
the Debian security team. For release series that are already based on
1.10.x, I'd recommend basing your releases on that version.

For full effectiveness, you'll want libseccomp 2.5.2, with which we can
block all the syscalls we identified as undesired, including
`mount_setattr()`.

Failing that, libseccomp 2.5.0 is sufficient to be able to block
`clone3()`, which I think should prevent a successful exploit: by
preventing creation of new user namespaces, it stops a malicious or
compromised Flatpak app from getting CAP_SYS_ADMIN in a new user
namespace, which it would need if it wanted to be able to invoke
`mount_setattr()`.

For release series that use 1.6.x or 1.0.x, Flatpak upstream does not
support those branches any more and will not make new releases. If
someone wants to get involved upstream, I'd accept MRs against those
branches as a coordination point for "if you're stuck on this branch,
here's what other distros are doing...", similar to what I'm doing for
1.2.x on https://github.com/flatpak/flatpak/pull/4455.

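Simon's recommendation hinges on two details: clone3() differs from clone() and unshare() in that its flags live in a userspace struct, which a seccomp BPF program cannot dereference, so it cannot be filtered for CLONE_NEWUSER and has to be denied outright; and mount_setattr() only matters once the app holds CAP_SYS_ADMIN in a fresh user namespace. The program below is an added example, not Flatpak's or bubblewrap's code, of a minimal raw-BPF denylist covering exactly those entry points. It deliberately bypasses libseccomp, so it does not need libseccomp 2.5.0/2.5.2 to know the syscall names; the cost is that the numbers are hardcoded for the x86_64 and aarch64 ABIs. install_denylist() and probe_errno() are the example's own names, and the set of mount-API syscalls it denies is the example's reading of the advisory's "recent mount-related syscalls", not the exact list shipped in Flatpak's fix.

```c
/* Added example (not Flatpak's code): a raw-BPF seccomp denylist that blocks
 * clone3() and the new mount-API syscalls without depending on libseccomp's
 * syscall table, plus a probe to confirm the filter is active. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Numbers from asm-generic/unistd.h; identical on x86_64 and aarch64. Only
 * defined here when the installed headers predate these syscalls, which is the
 * same "the library does not know the syscall" gap Simon mentions for
 * libseccomp, sidestepped by naming the number directly. */
#ifndef __NR_open_tree
#define __NR_open_tree 428
#endif
#ifndef __NR_move_mount
#define __NR_move_mount 429
#endif
#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_fspick
#define __NR_fspick 433
#endif
#ifndef __NR_clone3
#define __NR_clone3 435
#endif
#ifndef __NR_mount_setattr
#define __NR_mount_setattr 442
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* If the loaded syscall number equals nr, return -err; otherwise fall through. */
#define DENY_SYSCALL(nr, err)                                                  \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1),                           \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ((err) & SECCOMP_RET_DATA))

static struct sock_filter denylist[] = {
    /* Pin the ABI first: numbers below are meaningless for x32/i386 calls. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* clone3: flags sit behind a pointer BPF cannot follow, so deny it whole.
     * ENOSYS rather than EPERM, so glibc's probe-and-fall-back to clone() works. */
    DENY_SYSCALL(__NR_clone3, ENOSYS),
    /* New mount API (example's choice of the advisory's "recent mount syscalls"). */
    DENY_SYSCALL(__NR_open_tree, EPERM),
    DENY_SYSCALL(__NR_move_mount, EPERM),
    DENY_SYSCALL(__NR_fsopen, EPERM),
    DENY_SYSCALL(__NR_fsconfig, EPERM),
    DENY_SYSCALL(__NR_fsmount, EPERM),
    DENY_SYSCALL(__NR_fspick, EPERM),
    DENY_SYSCALL(__NR_mount_setattr, EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Load the filter into the calling thread. Returns 0, or -1 with errno set.
 * PR_SET_NO_NEW_PRIVS is what lets an unprivileged process install a filter. */
int install_denylist(void)
{
    struct sock_fprog prog = {
        .len = sizeof(denylist) / sizeof(denylist[0]),
        .filter = denylist,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Issue syscall nr with all-zero arguments and return errno (0 on success).
 * clone3 and mount_setattr reject a zero size argument in their own validation,
 * so the probe is harmless even before the filter is installed. */
int probe_errno(long nr)
{
    errno = 0;
    if (syscall(nr, 0L, 0L, 0L, 0L, 0L, 0L) == -1)
        return errno;
    return 0;
}

int main(void)
{
    printf("before: clone3 -> %s, mount_setattr -> %s\n",
           strerror(probe_errno(__NR_clone3)),
           strerror(probe_errno(__NR_mount_setattr)));
    if (install_denylist() != 0) {
        perror("install_denylist");
        return 1;
    }
    printf("after:  clone3 -> %s, mount_setattr -> %s\n",
           strerror(probe_errno(__NR_clone3)),
           strerror(probe_errno(__NR_mount_setattr)));
    return 0;
}
```

Two caveats when lifting this into a real sandbox: prctl() installs the filter only on the calling thread, so a multithreaded launcher should use seccomp(2) with SECCOMP_FILTER_FLAG_TSYNC instead; and this is still a denylist, so a syscall added to the kernel after the filter was written is allowed by default, which is exactly how mount_setattr() slipped past the original Flatpak filter.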

[Bug 1946578] Re: Placeholder for CVE-2021-41133

2021-10-11 Thread Alex Murray
** Also affects: flatpak (Ubuntu Impish)
   Importance: Undecided
 Assignee: Andrew Hayzen (ahayzen)
   Status: New

** Also affects: flatpak (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: flatpak (Ubuntu Hirsute)
   Importance: Undecided
   Status: New

** Also affects: flatpak (Ubuntu Bionic)
   Importance: Undecided
   Status: New


[Bug 1946578] Re: Placeholder for CVE-2021-41133

2021-10-09 Thread Andrew Hayzen
If someone has the permissions could they add bionic, focal, hirsute,
and impish as affected series?


[Bug 1946578] Re: Placeholder for CVE-2021-41133

2021-10-09 Thread Andrew Hayzen
** Description changed:

+ *** Placeholder until regressions are fixed upstream ***
+ 
  [Links]
  https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935
  https://security-tracker.debian.org/tracker/CVE-2021-41133
+ 
+ 
+ [Impact]
+ Versions in Ubuntu right now:
+ Impish: 1.10.2-3
+ Hirsute: 1.10.2-1ubuntu1
+ Focal: 1.6.5-0ubuntu0.3
+ Bionic: 1.0.9-0ubuntu0.3
+ 
+ Affected versions:
+ 1.11.x, 1.10.x <= 1.10.3, all <= 1.8.2
+ 
+ Patched versions:
+ 1.10.5, 1.12.1, also expected in 1.8.2
+ 
+ 
+ [Test Case]
+ Unknown
+ 
+ 
+ [Regression Potential]
+ Flatpak has a test suite, which is run on build across all relevant 
architectures and passes.
+ 
+ There is also a manual test plan
+ https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak .
+ 
+ Flatpak has autopkgtests enabled
+ http://autopkgtest.ubuntu.com/packages/f/flatpak .
+ 
+ Regression potential is low, and upstream is very responsive to any
+ issues raised.
+ 
+ 
+ [Patches]
+ There were 8 initial patches, then some regressions have been found, one has 
been patched, but a second has a pending pull request (see the GitHub advisory 
for links). As noted in the Debian bug as well there might be further changes 
to bubblewrap, so I guess it makes sense to wait until this has settled.
+ 
+ 
+ [Other Information]
+ An anonymous reporter discovered that Flatpak apps with direct access to 
AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can 
trick portals and other host-OS services into treating the Flatpak app as 
though it was an ordinary, non-sandboxed host-OS process, by manipulating the 
VFS using recent mount-related syscalls that are not blocked by Flatpak's 
denylist seccomp filter, in order to substitute a crafted /.flatpak-info or 
make that file disappear entirely.
+ Impact
+ 
+ Flatpak apps that act as clients for AF_UNIX sockets such as those used
+ by Wayland, Pipewire or pipewire-pulse can escalate the privileges that
+ the corresponding services will believe the Flatpak app has.
+ 
+ Mitigation: Note that protocols that operate entirely over the D-Bus
+ session bus (user bus), system bus or accessibility bus are not affected
+ by this. This is due to the use of a proxy process xdg-dbus-proxy, whose
+ VFS cannot be manipulated by the Flatpak app, when interacting with
+ these buses.

** Information type changed from Public to Public Security

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41133

** Changed in: flatpak (Ubuntu)
 Assignee: (unassigned) => Andrew Hayzen (ahayzen)
