flatpak: CVE-2019-8308: vulnerability similar to runc CVE-2019-5736 involving /proc/self/exe


Debian Bug report logs - #922059


Reported by: Simon McVittie <smcv@debian.org>

Date: Mon, 11 Feb 2019 16:12:04 UTC

Severity: critical

Tags: patch, security, upstream

Found in versions flatpak/0.8.9-0+deb9u1, flatpak/1.2.2-1, flatpak/0.8.5-2+deb9u1, flatpak/1.2.0-1~bpo9+1, flatpak/0.8.9-0+deb9u1~bpo8+1

Fixed in versions flatpak/1.2.3-1, flatpak/0.8.9-0+deb9u2

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#922059; Package flatpak. (Mon, 11 Feb 2019 16:12:06 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Mon, 11 Feb 2019 16:12:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: flatpak: vulnerability similar to runc CVE-2019-5736 involving /proc/self/exe
Date: Mon, 11 Feb 2019 16:10:07 +0000
Package: flatpak
Version: 1.2.2-1
Severity: critical
Tags: security upstream patch
Justification: root security hole (?)
Control: found -1 1.2.0-1~bpo9+1
Control: found -1 0.8.9-0+deb9u1
Control: found -1 0.8.9-0+deb9u1~bpo8+1
Control: found -1 0.8.5-2+deb9u1

Flatpak upstream releases 1.2.3 and 1.0.7 fix a vulnerability similar to
runc vulnerability CVE-2019-5736. If a user installs a system-wide Flatpak
app or runtime that has an 'apply_extra' script, then the apply_extra
script is run in a sandbox, as root, with /proc mounted. A malicious app
or runtime could traverse /proc/self/exe to modify a host-side executable.

It is not completely clear to me *which* host-side executable. To be on
the safe side, I'm assuming that it's something that could lead to an
unsandboxed privilege escalation vulnerability. I don't currently have an
exploit that can be used to demonstrate this vulnerability.

Mitigation: the app or runtime would have to come from a trusted Flatpak
repository (such as Flathub) that was previously added as a system-wide
source of Flatpak apps by a root-equivalent user.

(Non-malicious apply_extra scripts are normally used to process "extra
data" files that had to be downloaded out-of-band, such as the archives
containing the proprietary Nvidia graphics drivers, which the Flathub
maintainers do not believe they are allowed to redistribute directly.)

For buster/sid, I'm preparing a 1.2.3-1 release that will fix this.

For stretch, 0.8.5 and 0.8.9 appear to be vulnerable. I don't think
upstream plan to release a 0.8.10 version, but the patch doesn't seem
difficult to backport (untested patch attached).

Do the security team want to issue a DSA for this, or should I be targeting
the next stretch point release?

References:
https://lists.freedesktop.org/archives/flatpak/2019-February/001476.html
https://github.com/flatpak/flatpak/releases/tag/1.2.3
https://lists.freedesktop.org/archives/flatpak/2019-February/001477.html
https://github.com/flatpak/flatpak/releases/tag/1.0.7

Thanks,
    smcv
[Don-t-expose-proc-when-running-apply_extra.patch (text/x-diff, attachment)]
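The report above describes the hazard (a root sandbox for apply_extra that also has /proc mounted) and the attached patch's remedy (stop exposing /proc there). The following is an added illustration of that check and that fix, not code from Flatpak or from this bug's patch: it audits a bubblewrap-style argument vector for a `--proc` mount in a root sandbox and produces the hardened vector by dropping it. The argument vectors, the `example.App` path and all function names are constructed for this example; the real command line flatpak builds is not on this page.

```python
"""Sandbox-argument audit for the CVE-2019-8308 pattern (added example).

Flatpak runs an app's apply_extra script inside a bubblewrap (bwrap)
sandbox. For a system-wide installation that sandbox runs as root, and
before upstream 1.2.3 / 1.0.7 it also had /proc mounted, so the script
could reach a host-side executable through /proc/self/exe. The fix is to
stop mounting /proc in that sandbox.

Everything here is constructed for illustration; the argument vectors are
stand-ins, not the command lines flatpak actually assembles.
"""

# Constructed stand-in for the pre-fix invocation: runs as root, has --proc.
VULNERABLE_ARGV = [
    "bwrap",
    "--ro-bind", "/usr", "/usr",
    "--proc", "/proc",
    "--dev", "/dev",
    "--bind", "/var/lib/flatpak/app/example.App/extra", "/app/extra",
    "--chdir", "/app/extra",
    "/app/extra/apply_extra",
]

# Constructed stand-in for the post-fix invocation: the same, minus --proc.
HARDENED_ARGV = [
    "bwrap",
    "--ro-bind", "/usr", "/usr",
    "--dev", "/dev",
    "--bind", "/var/lib/flatpak/app/example.App/extra", "/app/extra",
    "--chdir", "/app/extra",
    "/app/extra/apply_extra",
]


def proc_mount_targets(argv):
    """Return the mount points requested with bwrap's --proc option, in order."""
    targets = []
    i = 0
    while i < len(argv):
        if argv[i] == "--proc":
            if i + 1 >= len(argv):
                raise ValueError("--proc without a mount point")
            targets.append(argv[i + 1])
            i += 2
        else:
            i += 1
    return targets


def strip_proc_mounts(argv):
    """Return a copy of argv with every '--proc <dir>' pair removed.

    This is the shape of the upstream fix: the apply_extra sandbox simply
    gets no /proc mount, so /proc/self/exe cannot be opened from inside it.
    """
    out = []
    i = 0
    while i < len(argv):
        if argv[i] == "--proc":
            i += 2          # skip the option and its mount point
            continue
        out.append(argv[i])
        i += 1
    return out


def audit_apply_extra_sandbox(argv, runs_as_root):
    """Findings for an apply_extra sandbox; an empty list means nothing flagged."""
    findings = []
    for target in proc_mount_targets(argv):
        if runs_as_root:
            findings.append(
                f"{target} mounted in a root sandbox: {target}/self/exe reaches "
                "the host-side executable (CVE-2019-8308 pattern)")
        else:
            findings.append(
                f"{target} mounted but not needed by apply_extra "
                "(the upstream fix removes it)")
    return findings


if __name__ == "__main__":
    for name, argv in (("vulnerable", VULNERABLE_ARGV), ("hardened", HARDENED_ARGV)):
        result = audit_apply_extra_sandbox(argv, runs_as_root=True)
        print(f"{name}: {result or 'no findings'}")
    assert strip_proc_mounts(VULNERABLE_ARGV) == HARDENED_ARGV
```

Running the module prints one finding for the constructed vulnerable vector and none for the hardened one; `strip_proc_mounts` turns the former into the latter, which is the whole of the change the attached patch makes at the sandbox-setup level.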

Marked as found in versions flatpak/1.2.0-1~bpo9+1. Request was from Simon McVittie <smcv@debian.org> to submit@bugs.debian.org. (Mon, 11 Feb 2019 16:12:06 GMT)

Marked as found in versions flatpak/0.8.9-0+deb9u1. Request was from Simon McVittie <smcv@debian.org> to submit@bugs.debian.org. (Mon, 11 Feb 2019 16:12:07 GMT)

Marked as found in versions flatpak/0.8.9-0+deb9u1~bpo8+1. Request was from Simon McVittie <smcv@debian.org> to submit@bugs.debian.org. (Mon, 11 Feb 2019 16:12:07 GMT)

Marked as found in versions flatpak/0.8.5-2+deb9u1. Request was from Simon McVittie <smcv@debian.org> to submit@bugs.debian.org. (Mon, 11 Feb 2019 16:12:08 GMT)


Message sent on to Simon McVittie <smcv@debian.org>:
Bug#922059. (Mon, 11 Feb 2019 18:33:06 GMT)


Message #16 received at 922059-submitter@bugs.debian.org:

From: Simon McVittie <noreply@salsa.debian.org>
To: 922059-submitter@bugs.debian.org
Subject: Bug #922059 in flatpak marked as pending
Date: Mon, 11 Feb 2019 18:31:22 +0000
Control: tag -1 pending

Hello,

Bug #922059 in flatpak reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/flatpak/commit/edda1581f561abd42f0e3bbe82cfd784cf48e158

------------------------------------------------------------------------
New upstream stable release

Closes: #922059
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/922059



Added tag(s) pending. Request was from Simon McVittie <noreply@salsa.debian.org> to 922059-submitter@bugs.debian.org. (Mon, 11 Feb 2019 18:33:06 GMT)

Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Mon, 11 Feb 2019 18:51:17 GMT)

Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Mon, 11 Feb 2019 18:51:17 GMT)


Message #23 received at 922059-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 922059-close@bugs.debian.org
Subject: Bug#922059: fixed in flatpak 1.2.3-1
Date: Mon, 11 Feb 2019 18:49:15 +0000
Source: flatpak
Source-Version: 1.2.3-1

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922059@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 11 Feb 2019 16:17:09 +0000
Source: flatpak
Architecture: source
Version: 1.2.3-1
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 922059
Changes:
 flatpak (1.2.3-1) unstable; urgency=high
 .
   * New upstream stable release
     - Security update: do not let the apply_extra script for a system
       installation modify the host-side executable via /proc/self/exe,
       similar to CVE-2019-5736 in runc (Closes: #922059)
Checksums-Sha1:
 f3ad5c1ff838a1301e0da3c704dafbafd0f57a90 3330 flatpak_1.2.3-1.dsc
 824abb949e540acaaee6a4122321467abcdc8b3b 1166820 flatpak_1.2.3.orig.tar.xz
 f43aa084c491d82f71ad56f6650e998fc2dc6b07 24796 flatpak_1.2.3-1.debian.tar.xz
 5e043c6e1a5634f87458571ad314f4de79b292b0 11925 flatpak_1.2.3-1_source.buildinfo
Checksums-Sha256:
 e6340ce8807c214d9a1ebf313a0479506b4e989b392a3f35ae8f113648a6cb2b 3330 flatpak_1.2.3-1.dsc
 bb4720307fc10465660e37bb9489c1d9a349c19143e24f65ddb49032f8b00d44 1166820 flatpak_1.2.3.orig.tar.xz
 18dd7c78fefd2b9cdfc258a5410c25cf65f945cbc9398e3ee5043424b352b926 24796 flatpak_1.2.3-1.debian.tar.xz
 3a86e01ac8104a6f27c42fa508e07fabaaad8e0d39f7fe9ce105831ebe64d860 11925 flatpak_1.2.3-1_source.buildinfo
Files:
 11aa721694e81efae8d061442016033f 3330 admin optional flatpak_1.2.3-1.dsc
 6ce8069ba5bb027fa7fbe84db209464e 1166820 admin optional flatpak_1.2.3.orig.tar.xz
 f11bde09a4bd81ca0728de799f28d443 24796 admin optional flatpak_1.2.3-1.debian.tar.xz
 678a19200588a7aafc9bd90bae4a9d3a 11925 admin optional flatpak_1.2.3-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Changed Bug title to 'flatpak: CVE-2019-8308: vulnerability similar to runc CVE-2019-5736 involving /proc/self/exe' from 'flatpak: vulnerability similar to runc CVE-2019-5736 involving /proc/self/exe'. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Tue, 12 Feb 2019 23:21:03 GMT)

Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Mon, 18 Feb 2019 23:21:26 GMT)

Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Mon, 18 Feb 2019 23:21:26 GMT)


Message #30 received at 922059-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 922059-close@bugs.debian.org
Subject: Bug#922059: fixed in flatpak 0.8.9-0+deb9u2
Date: Mon, 18 Feb 2019 23:18:30 +0000
Source: flatpak
Source-Version: 0.8.9-0+deb9u2

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922059@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 12 Feb 2019 11:11:22 GMT
Source: flatpak
Binary: flatpak flatpak-builder flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc libflatpak0
Architecture: source
Version: 0.8.9-0+deb9u2
Distribution: stretch-security
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-builder - Flatpak application building helper
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak-doc - Application deployment framework for desktop apps (documentation)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 922059
Changes:
 flatpak (0.8.9-0+deb9u2) stretch-security; urgency=medium
 .
   * d/p/Don-t-expose-proc-when-running-apply_extra.patch:
     Backport patch from upstream v1.2.3: do not let the apply_extra
     script for a system installation modify the host-side executable
     via /proc/self/exe, similar to CVE-2019-5736 in runc
     (Closes: #922059)
Checksums-Sha256: 
 c4f7e8525e3e4925fc297b6f17c3105e10c8fa7d5639a781bbb309acdbf221cf 3021 flatpak_0.8.9-0+deb9u2.dsc
 5f72bbbbc9e7aa686c78dc4b30df5b674f1df906a38488be4116c967a31b9b23 18448 flatpak_0.8.9-0+deb9u2.debian.tar.xz
 718c66e0d49b98937ab19d8faae61a25d62c02419ac7498efd2cf09c834543c9 11061 flatpak_0.8.9-0+deb9u2_source.buildinfo
 9df2823e12461c96c87d1e3cadf49963b5fefb6be8ad04dafb84c58b8bcbbf50 750480 flatpak_0.8.9.orig.tar.xz
Checksums-Sha1: 
 cdfe6e1ccad08e44e91cbdf55ea85833a3fcb14b 3021 flatpak_0.8.9-0+deb9u2.dsc
 074125b318afa8d1cf46265db6d115845cc92b5e 18448 flatpak_0.8.9-0+deb9u2.debian.tar.xz
 a58f816ac04b05688c24ad962bcd9598ed81aab1 11061 flatpak_0.8.9-0+deb9u2_source.buildinfo
 d52bd785423ea882df548aa71d6fcd2f4db09e83 750480 flatpak_0.8.9.orig.tar.xz
Files: 
 b8a48cc8727c08982b0efb0bf9dbcabd 3021 admin optional flatpak_0.8.9-0+deb9u2.dsc
 ba10d2c52e936067fa6767374480729d 18448 admin optional flatpak_0.8.9-0+deb9u2.debian.tar.xz
 96569213028c0e185bd5f16cb3b84e15 11061 admin optional flatpak_0.8.9-0+deb9u2_source.buildinfo
 9e4dd45c0b7082063bab9fc688a5b26e 750480 admin optional flatpak_0.8.9.orig.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAlxiqfcACgkQ4FrhR4+B
TE9WiRAAn7/qVCufVOqyyGFapX0vOUgyDUJBEFtGIWlPAuFwMTIWYKK0ICtM4v2L
mvEsOdelDAK/6Fc6B2VY9KshSr1AIAwEqUUAF621L7QW4OcFKLzFcbT1BRFoHhts
n7u1kgr9el+h4Y+7RVlizDvgT0mG3SrJJUIEhA2VLzQlDAhQpAgYYAFusVRs9YJt
fAMz0ofron0WtG/vAcNHgfSwKC+quH8XhPOdSisiNapDlOjmCcFwuXoby+SwrBYY
jKcwAPhNJH59Ad5Wle85toiulhnMUeLqvbR5Cbnb7wrnCqaGl/aC2ZPMMoAcLzGs
Ki+aydR4xn5AnAhJDcDWjFPHPuSwe/9pmHfdXbgwNK+HlCO3JFkWP4LDbzKZ9ryQ
/7W/Q+lwWdw26z/Sa+2oifxv+X1dvQMzM2f1MXDl8G1omBvTsB9kjN0hJ4oTdZ7M
q2KPi976h48D6DCoFa+lBxflGmclyxzyCfOHdS2GgqnmXe2QVjna2dkZrPahhYSo
zMhBP3RIV4YaTTyYi5Nn3LuUUf1rKBXexCoc60O5Tex9DJdpbBwkstwliZi3caTm
mo1SD5gcgekM3+0nnKupY8kKnycwbEPq3qUR7qyd3oscLMGN3mKTCnFvMebXlgC0
6BUK5G33wINp9GivPpWKZjes01jky4w7xLvuJ8TtZ7LisampDeg=
=gDG7
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Apr 2019 07:34:47 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:33:13 2019; Machine Name: buxtehude
