flatpak: CVE-2021-41133, GHSA-67h7-w3jq-vh4q: sandbox escape via recent VFS syscalls

Related Vulnerabilities: CVE-2021-41133  

Debian Bug report logs - #995935


Reported by: Simon McVittie <smcv@debian.org>

Date: Fri, 8 Oct 2021 11:51:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version 0.5.0-1

Fixed in version flatpak/1.12.0-1

Done: Simon McVittie <smcv@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#995935; Package flatpak. (Fri, 08 Oct 2021 11:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 08 Oct 2021 11:51:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: flatpak: GHSA-67h7-w3jq-vh4q: sandbox escape via recent VFS syscalls
Date: Fri, 8 Oct 2021 12:50:18 +0100
Package: flatpak
Version: 0.5.0-1
Severity: important
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q

Flatpak 1.12.0 and 1.10.4 fix a security vulnerability in the portal
support. Some recently added syscalls were not blocked by the seccomp
rules which allowed the application to create sub-sandboxes which can
confuse the sandboxing verification mechanisms of the portal. This has
been addressed by extending the seccomp rules.

Mitigation: this does not affect the standard D-Bus session or system
buses, or the AT-SPI accessibility bus, due to the way Flatpak mediates
access to those sockets with a proxy. It can affect other AF_UNIX-based
protocols, potentially including X11, Wayland, PulseAudio and Pipewire.

Mitigation: this only affects users of relatively recent kernels.

This was unexpectedly unembargoed on my day off work, so I'm preparing
updated packages ASAP but it will take me a little while...

Will the security team want to issue a DSA for this?

    smcv
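The advisory above gives two fixed upstream versions (1.10.4 for the 1.10 stable branch, 1.12.0 for everything after the 1.11.x development series), and the Debian record gives 1.12.0-1 as the fixed package. Deciding whether a given package version falls on the fixed side of those boundaries needs dpkg's version ordering, not a plain string or float comparison (1.11.3-2 is newer than 1.10.4-1 but still affected). The following is an added example, not code from the Flatpak project or from Debian: it implements the dpkg comparison rules in Python (epoch, upstream, Debian revision; `~` sorts before anything; letters before non-letters; digit runs compared numerically) and applies them to the fixed ranges. The range boundaries in `FIXED_RANGES` are this example's reading of the advisory, and the fixed-version strings are assumed to carry no epoch, as is the case for Debian's flatpak package.

```python
"""Check a flatpak package version against the CVE-2021-41133 fixed ranges.

Added example (not Flatpak or Debian code). Implements dpkg version
ordering and applies the advisory's fixed versions, 1.10.4 and 1.12.0.
"""


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run, as in dpkg's order()."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even the empty string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0               # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream (or revision) strings with dpkg's verrevcmp rules."""
    while a or b:
        first_diff = 0
        # Non-digit run: compare character by character by weight.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0] if a else "")
            bc = _order(b[0] if b else "")
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros; a longer run is larger, otherwise
        # the first differing digit decides.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if first_diff == 0:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its parts (epoch 0, revision '' by default)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(v1: str, v2: str) -> int:
    """Return <0, 0 or >0 as dpkg --compare-versions would order v1 against v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


# Fixed ranges [lo, hi) derived from the advisory text above (this example's
# reading of it): 1.10.4 up to the start of the 1.11.x series, and 1.12.0 onward.
FIXED_RANGES = (
    ("1.10.4", "1.11.0~"),
    ("1.12.0", None),
)


def is_affected(version: str) -> bool:
    """True unless the version lies inside one of the fixed ranges."""
    for lo, hi in FIXED_RANGES:
        in_range = dpkg_compare(version, lo) >= 0 and (
            hi is None or dpkg_compare(version, hi) < 0
        )
        if in_range:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample versions; the first three come from the bug log itself.
    for v in ("0.5.0-1", "1.11.3-2", "1.12.0-1", "1.10.4-1", "1.12.0~rc1"):
        print(f"{v:12s} affected={is_affected(v)}")
```

Any version with no lower bound is reported as affected because the advisory gives none (the Debian record lists 0.5.0-1 as the oldest found). Pre-releases such as 1.12.0~rc1 sort below 1.12.0 and are therefore reported as affected as well.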



Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 08 Oct 2021 12:12:02 GMT) (full text, mbox, link).


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Fri, 08 Oct 2021 13:06:05 GMT) (full text, mbox, link).


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Fri, 08 Oct 2021 13:06:05 GMT) (full text, mbox, link).


Message #12 received at 995935-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 995935-close@bugs.debian.org
Subject: Bug#995935: fixed in flatpak 1.12.0-1
Date: Fri, 08 Oct 2021 13:03:42 +0000
Source: flatpak
Source-Version: 1.12.0-1
Done: Simon McVittie <smcv@debian.org>

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 995935@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 08 Oct 2021 12:58:34 +0100
Source: flatpak
Architecture: source
Version: 1.12.0-1
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 995935
Changes:
 flatpak (1.12.0-1) unstable; urgency=high
 .
   * New upstream stable release
     - Don't allow VFS manipulation which could be used to trick portals
       into allowing unintended access to host
       (Closes: #995935, GHSA-67h7-w3jq-vh4q)
     - Fix misleading progress output in `flatpak repair`
     - Fix parental controls check when installing system-wide as non-root
     - Cope with /var/tmp being a symlink
     - Improve handling of separate locale environment variables such as
       LC_COLLATE
     - Share host's /etc/gai.conf with apps that have Internet access
     - Test-suite fixes (previously applied in 1.11.3-2)
   * Drop both patches from 1.11.3-2, applied upstream
   * d/control: Add Recommends on ca-certificates.
     Most Flatpak users will likely want to install from https servers.
Checksums-Sha1:
 84e862760bb97e783b59098f009cf4632c59a69c 3615 flatpak_1.12.0-1.dsc
 2134d53ba1ab266277cf05c5c84763c375f67a7b 1546180 flatpak_1.12.0.orig.tar.xz
 746b897caeeae2691d6510b876f8144cbe63a434 31836 flatpak_1.12.0-1.debian.tar.xz
 25580c1a998c0bcb47d523fabfbdd8527ea34d98 11645 flatpak_1.12.0-1_source.buildinfo
Checksums-Sha256:
 0c55237254e4a7dfb51cff2c2bbd9eee048d9c00cd2b0df116446641a9ed8d31 3615 flatpak_1.12.0-1.dsc
 d8a9a1f4cd1790711e836964eab6fb69de83b86c902249fff0c73706c73dd586 1546180 flatpak_1.12.0.orig.tar.xz
 039310d0695b43292ae503e291ae7b1597233675f6903fba02c171ccc561ff85 31836 flatpak_1.12.0-1.debian.tar.xz
 09e04bae79957b50c8b3f5be439e8f1de9347b4105bb10e458f20594af953ace 11645 flatpak_1.12.0-1_source.buildinfo
Files:
 4f163deb95143006c982cc169f6818ff 3615 admin optional flatpak_1.12.0-1.dsc
 b141339cb86983626a28650064af1c35 1546180 admin optional flatpak_1.12.0.orig.tar.xz
 90b8ae61e89c0d85bb350a32fc508acc 31836 admin optional flatpak_1.12.0-1.debian.tar.xz
 3cb0c43add46fd419dc8adbabb51c743 11645 admin optional flatpak_1.12.0-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
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=/Av7
-----END PGP SIGNATURE-----




Changed Bug title to 'flatpak: CVE-2021-41133, GHSA-67h7-w3jq-vh4q: sandbox escape via recent VFS syscalls' from 'flatpak: GHSA-67h7-w3jq-vh4q: sandbox escape via recent VFS syscalls'. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Fri, 08 Oct 2021 13:39:23 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Oct 8 14:02:18 2021; Machine Name: bembo
