Please find attached the debdiff for Ubuntu 21.10 impish. I have performed some testing in a VM and built in a PPA.
Let me know if anything has been done incorrectly. ** Attachment added: "Impish CVE debdiff" https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+attachment/5533002/+files/impish_flatpak_1.10.2-3_to_1.10.2-3ubuntu0.1.debdiff.gz ** Summary changed: - Placeholder for CVE-2021-41133 + Update for CVE-2021-41133 ** Description changed: - *** Placeholder until regressions are fixed upstream *** - [Links] https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935 https://security-tracker.debian.org/tracker/CVE-2021-41133 - [Impact] Versions in Ubuntu right now: Impish: 1.10.2-3 Hirsute: 1.10.2-1ubuntu1 Focal: 1.6.5-0ubuntu0.3 Bionic: 1.0.9-0ubuntu0.3 Affected versions: - 1.11.x, 1.10.x <= 1.10.3, all <= 1.8.2 + 1.11.x, 1.10.x <= 1.10.3, all <= 1.8.2 Patched versions: - 1.10.5, 1.12.1, also expected in 1.8.2 - + 1.10.5, 1.12.1, also expected in 1.8.2 [Test Case] Unknown - [Regression Potential] Flatpak has a test suite, which is run on build across all relevant architectures and passes. There is also a manual test plan https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak . Flatpak has autopkgtests enabled http://autopkgtest.ubuntu.com/packages/f/flatpak . Regression potential is low, and upstream is very responsive to any issues raised. - [Patches] There were 8 initial patches, then some regressions have been found, one has been patched, but a second has a pending pull request (see the github advisory for links). As noted in the debian bug as well there might be further changes to bubblewrap, so guess it makes sense to wait until this has settled. - [Other Information] An anonymous reporter discovered that Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process, by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted /.flatpak-info or make that file disappear entirely. Impact Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Mitigation: Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process xdg-dbus-proxy, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946578 Title: Update for CVE-2021-41133 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1946578/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
