flatpak: CVE-2018-6560: D-Bus filtering can be bypassed by a crafted authentication handshake

Related Vulnerabilities: CVE-2018-6560  

Debian Bug report logs - #888842
flatpak: CVE-2018-6560: D-Bus filtering can be bypassed by a crafted authentication handshake


Reported by: Simon McVittie <smcv@debian.org>

Date: Tue, 30 Jan 2018 14:33:02 UTC

Severity: important

Tags: security

Found in version flatpak/0.6.0-1

Fixed in versions flatpak/0.10.3-1, flatpak/0.8.9-0+deb9u1

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#888842; Package flatpak. (Tue, 30 Jan 2018 14:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 30 Jan 2018 14:33:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: flatpak: D-Bus filtering can be bypassed by a crafted authentication handshake
Date: Tue, 30 Jan 2018 14:31:26 +0000
Package: flatpak
Version: 0.6.0-1
Severity: important
Tags: security

Many Flatpak apps ship with sandboxing metadata that gives them filtered
access to the D-Bus session and/or system bus. Gabriel Campana of the
Google security team discovered that a malicious app could bypass the
intended filtering by crafting an authentication message that will be
processed as end-of-authentication by the dbus-daemon, but not recognised
as end-of-authentication by flatpak-dbus-proxy.

This has been fixed upstream in versions 0.10.3 and 0.8.9, which I'm
going to package now.

The Debian security team has not generally treated Flatpak sandboxing
bypasses as security vulnerabilities, on the basis that the sandboxed
app provides its own security policy, so no privilege boundary is crossed
(in the absence of a curated "app store" where changes to security policy
are audited, or a software-downloading UI that highlights security policy
changes, neither of which is widely deployed right now). I assume this
is still the case, but I'm cc'ing the security team for their information
(please let me know if you would like me to prepare a security update).

    smcv
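The report above describes a parser desynchronisation between two components reading the same byte stream: dbus-daemon treated a crafted line as the end of authentication while flatpak-dbus-proxy did not, so the proxy stayed in its authentication pass-through mode and never applied its message filter. The page does not give the exact bytes involved, and the code below is not flatpak's; it is an added Python illustration of the defensive design such a filtering proxy needs. The handshake is tracked with a strict, fail-closed grammar: every client line must be the canonical form of a command from the D-Bus SASL specification, and anything the proxy cannot parse unambiguously causes the connection to be refused rather than forwarded. The line-length cap, the `HandshakeTracker`/`classify`/`demo` names and the test vectors are constructed for this example.

```python
import re
from enum import Enum


class State(Enum):
    WAIT_NUL = "wait-nul"     # the client must start with exactly one NUL byte
    AUTH = "auth"             # SASL command lines are being exchanged
    FILTERING = "filtering"   # BEGIN accepted: later bytes are D-Bus messages
    REJECTED = "rejected"     # fail closed: the proxy should drop the connection


# Canonical client-to-server commands of the D-Bus SASL handshake (from the
# D-Bus specification): exact case, single-space separated arguments, nothing
# else. A line that does not fullmatch one of these is refused, not forwarded.
_COMMANDS = {
    "AUTH": re.compile(r"AUTH(?: [A-Z0-9_]+(?: [0-9a-fA-F]*)?)?"),
    "CANCEL": re.compile(r"CANCEL"),
    "BEGIN": re.compile(r"BEGIN"),
    "DATA": re.compile(r"DATA(?: [0-9a-fA-F]*)?"),
    "ERROR": re.compile(r"ERROR(?: [\x20-\x7e]*)?"),
    "NEGOTIATE_UNIX_FD": re.compile(r"NEGOTIATE_UNIX_FD"),
}
MAX_LINE = 16 * 1024  # bound on an unterminated line; a constructed limit for this example


class HandshakeTracker:
    """Tracks one client connection's handshake phase from its raw bytes."""

    def __init__(self) -> None:
        self.state = State.WAIT_NUL
        self._buf = b""
        self.messages = b""  # bytes that belong to the filtered message phase

    def feed(self, data: bytes) -> State:
        if self.state is State.REJECTED:
            return self.state
        if self.state is State.FILTERING:
            self.messages += data
            return self.state
        self._buf += data
        if self.state is State.WAIT_NUL and self._buf:
            if self._buf[0] != 0:
                return self._reject()
            self._buf = self._buf[1:]
            self.state = State.AUTH
        while self.state is State.AUTH:
            nl = self._buf.find(b"\n")
            if nl < 0:
                if len(self._buf) > MAX_LINE:
                    return self._reject()
                break  # wait for more bytes
            # A command line ends in exactly CRLF; a bare LF is not a line ending.
            if nl == 0 or self._buf[nl - 1] != 0x0D:
                return self._reject()
            line, self._buf = self._buf[: nl - 1], self._buf[nl + 1:]
            if not self._accept_line(line):
                return self._reject()
        return self.state

    def _accept_line(self, line: bytes) -> bool:
        if not all(0x20 <= b <= 0x7E for b in line):
            return False  # control or non-ASCII bytes inside a command line
        text = line.decode("ascii")
        verb = text.split(" ", 1)[0]
        pattern = _COMMANDS.get(verb)
        if pattern is None or pattern.fullmatch(text) is None:
            return False
        if verb == "BEGIN":
            # Only the canonical BEGIN switches to filtering; whatever follows
            # the CRLF already belongs to the message phase.
            self.state = State.FILTERING
            self.messages, self._buf = self._buf, b""
        return True

    def _reject(self) -> State:
        self.state = State.REJECTED
        self._buf = b""
        return self.state


def classify(stream: bytes) -> State:
    """Feed a whole client byte stream and report the resulting phase."""
    return HandshakeTracker().feed(stream)


# Constructed sample input: a well-formed handshake followed by the first bytes
# of a (truncated) little-endian D-Bus message header.
CANONICAL = b"\0AUTH EXTERNAL 31303030\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n"
FIRST_MESSAGE = b"l\x01\x00\x01\x00\x00\x00\x00"


def demo() -> dict:
    results = {}
    tracker = HandshakeTracker()
    results["canonical"] = tracker.feed(CANONICAL + FIRST_MESSAGE)
    results["canonical_messages"] = tracker.messages
    # Constructed near-misses of the handshake grammar. None of them may leave
    # the proxy in AUTH forwarding bytes unfiltered; each is refused outright.
    results["trailing_space"] = classify(b"\0AUTH EXTERNAL\r\nBEGIN \r\n")
    results["lowercase"] = classify(b"\0AUTH EXTERNAL\r\nbegin\r\n")
    results["bare_lf"] = classify(b"\0AUTH EXTERNAL\nBEGIN\r\n")
    results["no_nul"] = classify(b"AUTH EXTERNAL\r\nBEGIN\r\n")
    results["unknown_verb"] = classify(b"\0HELLO\r\n")
    return results
```

The design point is that the proxy never needs to reproduce dbus-daemon's exact tolerance for odd input: by accepting only a strict subset of what the daemon accepts and dropping the connection otherwise, the two parsers cannot disagree about where authentication ends, and a line the proxy does not understand can never reach the bus unfiltered.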



Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#888842; Package flatpak. (Tue, 30 Jan 2018 14:45:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 30 Jan 2018 14:45:06 GMT) (full text, mbox, link).


Message #10 received at 888842@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Simon McVittie <smcv@debian.org>, 888842@bugs.debian.org
Subject: Re: Bug#888842: flatpak: D-Bus filtering can be bypassed by a crafted authentication handshake
Date: Tue, 30 Jan 2018 14:07:34 +0100
On Tue, Jan 30, 2018 at 02:31:26PM +0000, Simon McVittie wrote:
> The Debian security team has not generally treated Flatpak sandboxing
> bypasses as security vulnerabilities, on the basis that the sandboxed
> app provides its own security policy, so no privilege boundary is crossed
> (in the absence of a curated "app store" where changes to security policy
> are audited, or a software-downloading UI that highlights security policy
> changes, neither of which is widely deployed right now). I assume this
> is still the case,

Ack that's still the case.

Cheers,
        Moritz



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 30 Jan 2018 16:09:05 GMT) (full text, mbox, link).


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Tue, 30 Jan 2018 16:09:05 GMT) (full text, mbox, link).


Message #15 received at 888842-close@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: 888842-close@bugs.debian.org
Subject: Bug#888842: fixed in flatpak 0.10.3-1
Date: Tue, 30 Jan 2018 16:04:39 +0000
Source: flatpak
Source-Version: 0.10.3-1

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888842@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 30 Jan 2018 14:38:24 +0000
Source: flatpak
Binary: flatpak flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc libflatpak0
Architecture: source
Version: 0.10.3-1
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak-doc - Application deployment framework for desktop apps (documentation)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 888842
Changes:
 flatpak (0.10.3-1) unstable; urgency=medium
 .
   * New upstream bugfix release
     - Fixes a D-Bus filtering bypass in flatpak-dbus-proxy
       (Closes: #888842)
Checksums-Sha1:
 2be6813c91659313cdf53235b63b43adcac434c1 3192 flatpak_0.10.3-1.dsc
 e815620d3321bd17af59c2212256ee3471874ed8 870152 flatpak_0.10.3.orig.tar.xz
 a3558d85de41593e2958ed5278f7ae61f522c19a 19376 flatpak_0.10.3-1.debian.tar.xz
 b71e59f75b79d5fd17b378f5098cbbde7f7b7884 11465 flatpak_0.10.3-1_source.buildinfo
Checksums-Sha256:
 b50a32e42dbc80a003ef576bb5d1cbe565fa663d54662106a75af11623e423d8 3192 flatpak_0.10.3-1.dsc
 d08616cfa7f0e0a5f0234a9859b67450e35377b95929b118a1b7ca7497e91b00 870152 flatpak_0.10.3.orig.tar.xz
 e8ba3a4086b493d5e36328ea503a976ce1f4981e2e046b56e6f799d4e2dfee75 19376 flatpak_0.10.3-1.debian.tar.xz
 89c7bfe3daeafcbaf81e8f36894e86dad1ffc4c1defa0103881fe7b7f593419b 11465 flatpak_0.10.3-1_source.buildinfo
Files:
 1158cf8344ce4b69d7bd598cb8657f4b 3192 admin optional flatpak_0.10.3-1.dsc
 3aff127e150c4195682479eb96c14b18 870152 admin optional flatpak_0.10.3.orig.tar.xz
 fb5adc33e2ea6d3a951b673debb9cf57 19376 admin optional flatpak_0.10.3-1.debian.tar.xz
 9c354dbe582ac0e69d6282b7a87f1ce9 11465 admin optional flatpak_0.10.3-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Changed Bug title to 'flatpak: CVE-2018-6560: D-Bus filtering can be bypassed by a crafted authentication handshake' from 'flatpak: D-Bus filtering can be bypassed by a crafted authentication handshake'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 02 Feb 2018 21:21:03 GMT) (full text, mbox, link).


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sun, 25 Feb 2018 15:06:34 GMT) (full text, mbox, link).


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Sun, 25 Feb 2018 15:06:34 GMT) (full text, mbox, link).


Message #22 received at 888842-close@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: 888842-close@bugs.debian.org
Subject: Bug#888842: fixed in flatpak 0.8.9-0+deb9u1
Date: Sun, 25 Feb 2018 15:02:10 +0000
Source: flatpak
Source-Version: 0.8.9-0+deb9u1

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888842@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 30 Jan 2018 14:49:40 +0000
Source: flatpak
Binary: flatpak flatpak-builder flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc libflatpak0
Architecture: source
Version: 0.8.9-0+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-builder - Flatpak application building helper
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak-doc - Application deployment framework for desktop apps (documentation)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 888842
Changes:
 flatpak (0.8.9-0+deb9u1) stretch; urgency=medium
 .
   * New upstream release backporting the following fixes from 0.10.x:
     - common/flatpak-run.c: Ignore unrecognised permission strings
       instead of failing, for forwards compatibility
     - dbus-proxy/flatpak-proxy.c: Fix a D-Bus filtering bypass in
       flatpak-dbus-proxy (Closes: #888842)
     - profile/flatpak.sh.in: Simplify and improve profile.d snippet
       (already done in Debian since 0.8.4-1, no practical effect)
   * Drop our patch to profile/flatpak.sh.in, no longer necessary
   * debian/control: Update Vcs-* metadata for salsa.d.o migration
Checksums-Sha1:
 d4bc6ad8d04104c6f8960a1f98d0b42a8b7b2ece 3021 flatpak_0.8.9-0+deb9u1.dsc
 d52bd785423ea882df548aa71d6fcd2f4db09e83 750480 flatpak_0.8.9.orig.tar.xz
 49cafbd9250e54f8b9a480e2591fcda37a4f9110 17472 flatpak_0.8.9-0+deb9u1.debian.tar.xz
 30557a01efbbac3e135f0d692ddbca21fa60cc6c 10692 flatpak_0.8.9-0+deb9u1_source.buildinfo
Checksums-Sha256:
 c11b4a27f51c6e9909b486e175552a09e756132713ccb67a504a315a159f82e9 3021 flatpak_0.8.9-0+deb9u1.dsc
 9df2823e12461c96c87d1e3cadf49963b5fefb6be8ad04dafb84c58b8bcbbf50 750480 flatpak_0.8.9.orig.tar.xz
 92a4f709d0b7c2c659ec78d47de178a2ab2b72cea81a8e49b5c0a6f4c6f2b992 17472 flatpak_0.8.9-0+deb9u1.debian.tar.xz
 fa65e63fd5668b51e758b1da5c2b87e3e43604974e59bd368cde1df735f6de21 10692 flatpak_0.8.9-0+deb9u1_source.buildinfo
Files:
 44c8b5dcea855ed5530e703ddcd7cb8c 3021 admin optional flatpak_0.8.9-0+deb9u1.dsc
 9e4dd45c0b7082063bab9fc688a5b26e 750480 admin optional flatpak_0.8.9.orig.tar.xz
 f534975d96b2412e4d7899bd7e583acd 17472 admin optional flatpak_0.8.9-0+deb9u1.debian.tar.xz
 8054097cd2df861987d211595e903a13 10692 admin optional flatpak_0.8.9-0+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 26 Mar 2018 07:28:46 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:10:07 2019; Machine Name: buxtehude
