Debian Bug report logs - #922059

flatpak: CVE-2019-8308: vulnerability similar to runc CVE-2019-5736 involving /proc/self/exe

Reported by: Simon McVittie <smcv@debian.org>
Date: Mon, 11 Feb 2019 16:12:04 UTC
Severity: critical
Tags: patch, security, upstream
Found in versions: flatpak/0.8.9-0+deb9u1, flatpak/1.2.2-1, flatpak/0.8.5-2+deb9u1, flatpak/1.2.0-1~bpo9+1, flatpak/0.8.9-0+deb9u1~bpo8+1
Fixed in versions: flatpak/1.2.3-1, flatpak/0.8.9-0+deb9u2
Done: Simon McVittie <smcv@debian.org>
Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:

Bug#922059; Package flatpak. (Mon, 11 Feb 2019 16:12:06 GMT)

Acknowledgement sent to Simon McVittie <smcv@debian.org>:

New Bug report received and forwarded. Copy sent to team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Mon, 11 Feb 2019 16:12:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: flatpak: vulnerability similar to runc CVE-2019-5736 involving /proc/self/exe
Date: Mon, 11 Feb 2019 16:10:07 +0000

Package: flatpak
Version: 1.2.2-1
Severity: critical
Tags: security upstream patch
Justification: root security hole (?)
Control: found -1 1.2.0-1~bpo9+1
Control: found -1 0.8.9-0+deb9u1
Control: found -1 0.8.9-0+deb9u1~bpo8+1
Control: found -1 0.8.5-2+deb9u1

Flatpak upstream releases 1.2.3 and 1.0.7 fix a vulnerability similar to runc vulnerability CVE-2019-5736.

If a user installs a system-wide Flatpak app or runtime that has an 'apply_extra' script, then the apply_extra script is run in a sandbox, as root, with /proc mounted. A malicious app or runtime could traverse /proc/self/exe to modify a host-side executable.

It is not completely clear to me *which* host-side executable. To be on the safe side, I'm assuming that it's something that could lead to an unsandboxed privilege escalation vulnerability. I don't currently have an exploit that can be used to demonstrate this vulnerability.

Mitigation: the app or runtime would have to come from a trusted Flatpak repository (such as Flathub) that was previously added as a system-wide source of Flatpak apps by a root-equivalent user. (Non-malicious apply_extra scripts are normally used to process "extra data" files that had to be downloaded out-of-band, such as the archives containing the proprietary Nvidia graphics drivers, which the Flathub maintainers do not believe they are allowed to redistribute directly.)

For buster/sid, I'm preparing a 1.2.3-1 release that will fix this.

For stretch, 0.8.5 and 0.8.9 appear to be vulnerable. I don't think upstream plan to release a 0.8.10 version, but the patch doesn't seem difficult to backport (untested patch attached).

Do the security team want to issue a DSA for this, or should I be targeting the next stretch point release?

References:
https://lists.freedesktop.org/archives/flatpak/2019-February/001476.html
https://github.com/flatpak/flatpak/releases/tag/1.2.3
https://lists.freedesktop.org/archives/flatpak/2019-February/001477.html
https://github.com/flatpak/flatpak/releases/tag/1.0.7

Thanks,
    smcv
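The report above gives the affected and fixed versions per branch, and the fix points do not line up with a single numeric threshold: 0.8.9-0+deb9u2 carries the fix although it sorts far below 1.2.3-1, while 1.2.0-1~bpo9+1 sorts below 1.2.0-1 because dpkg treats '~' as lower than anything, including the end of the string. The following Python is an example added by the editor, not code from the bug report, from Debian or from flatpak. It reimplements dpkg's version ordering and applies the fix points recorded on this page; the `FIXED` table, the per-series rule (compare only the upstream part where the fix is an upstream release, the whole version for the stretch backport) and the "unknown" result for series the page does not mention are the editor's assumptions.

```python
"""Branch-aware check for CVE-2019-8308 (Debian #922059) on a flatpak version string.

Example code added by the editor; not part of the bug report, of dpkg or of flatpak.
The comparison reimplements the ordering dpkg documents: epoch, then upstream,
then Debian revision; within a part, '~' sorts before everything (even the end
of the string), letters sort before other non-digits, digit runs compare numerically.
"""
import re

# Fix points per upstream series, taken from this bug log and the release notes
# it references.  Scope "upstream": the fix is in the upstream release, so only
# the upstream part of the installed version is compared (a rebuild such as
# 1.2.3-1~bpo9+1 counts as fixed).  Scope "debian": the fix is in the Debian
# revision (the stretch backport), so the full version is compared.
# Assumption by the editor: series not listed here are reported as "unknown".
FIXED = {
    (1, 2): ("1.2.3", "upstream"),         # upstream 1.2.3 / Debian 1.2.3-1
    (1, 0): ("1.0.7", "upstream"),         # upstream 1.0.7
    (0, 8): ("0.8.9-0+deb9u2", "debian"),  # stretch-security, backported patch
}


def _order(c: str) -> int:
    """dpkg's character weight; '' is the end of the string."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version part (upstream or revision) the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until a digit (or the end) is hit.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def cve_2019_8308_status(installed: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for an installed flatpak version."""
    _, upstream, _ = _split(installed)
    m = re.match(r"(\d+)\.(\d+)", upstream)
    series = (int(m.group(1)), int(m.group(2))) if m else None
    if series not in FIXED:
        return "unknown"
    fix_version, scope = FIXED[series]
    candidate = upstream if scope == "upstream" else installed
    return "fixed" if compare_versions(candidate, fix_version) >= 0 else "affected"


if __name__ == "__main__":
    # The versions listed as found/fixed in this bug log.
    for v in ("1.2.2-1", "1.2.0-1~bpo9+1", "0.8.5-2+deb9u1", "0.8.9-0+deb9u1",
              "0.8.9-0+deb9u1~bpo8+1", "1.2.3-1", "0.8.9-0+deb9u2"):
        print(f"{v:24} {cve_2019_8308_status(v)}")
```

Feed it the output of `dpkg-query -W -f='${Version}' flatpak` from the host being checked. The dpkg ordering is the reason a string or float comparison is not usable on these version strings: "1.2.0-1~bpo9+1" must sort below "1.2.0-1", and "0+deb9u1~bpo8+1" below "0+deb9u1", which only the tilde rule gives.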

Marked as found in versions flatpak/1.2.0-1~bpo9+1. Request was from Simon McVittie <smcv@debian.org> to submit@bugs.debian.org. (Mon, 11 Feb 2019 16:12:06 GMT)

Marked as found in versions flatpak/0.8.9-0+deb9u1. Request was from Simon McVittie <smcv@debian.org> to submit@bugs.debian.org. (Mon, 11 Feb 2019 16:12:07 GMT)

Marked as found in versions flatpak/0.8.9-0+deb9u1~bpo8+1. Request was from Simon McVittie <smcv@debian.org> to submit@bugs.debian.org. (Mon, 11 Feb 2019 16:12:07 GMT)

Marked as found in versions flatpak/0.8.5-2+deb9u1. Request was from Simon McVittie <smcv@debian.org> to submit@bugs.debian.org. (Mon, 11 Feb 2019 16:12:08 GMT)

Message sent on to Simon McVittie <smcv@debian.org>:

Bug#922059. (Mon, 11 Feb 2019 18:33:06 GMT)

Message #16 received at 922059-submitter@bugs.debian.org:

From: Simon McVittie <noreply@salsa.debian.org>
To: 922059-submitter@bugs.debian.org
Subject: Bug #922059 in flatpak marked as pending
Date: Mon, 11 Feb 2019 18:31:22 +0000

Control: tag -1 pending

Hello,

Bug #922059 in flatpak reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/flatpak/commit/edda1581f561abd42f0e3bbe82cfd784cf48e158

------------------------------------------------------------------------
New upstream stable release

Closes: #922059
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/922059

Added tag(s) pending. Request was from Simon McVittie <noreply@salsa.debian.org> to 922059-submitter@bugs.debian.org. (Mon, 11 Feb 2019 18:33:06 GMT)

Reply sent to Simon McVittie <smcv@debian.org>:

You have taken responsibility. (Mon, 11 Feb 2019 18:51:17 GMT)

Notification sent to Simon McVittie <smcv@debian.org>:

Bug acknowledged by developer. (Mon, 11 Feb 2019 18:51:17 GMT)

Message #23 received at 922059-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 922059-close@bugs.debian.org
Subject: Bug#922059: fixed in flatpak 1.2.3-1
Date: Mon, 11 Feb 2019 18:49:15 +0000

Source: flatpak
Source-Version: 1.2.3-1

We believe that the bug you reported is fixed in the latest version of flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 922059@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 11 Feb 2019 16:17:09 +0000
Source: flatpak
Architecture: source
Version: 1.2.3-1
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 922059
Changes:
 flatpak (1.2.3-1) unstable; urgency=high
 .
   * New upstream stable release
     - Security update: do not let the apply_extra script for a system
       installation modify the host-side executable via /proc/self/exe,
       similar to CVE-2019-5736 in runc (Closes: #922059)
Checksums-Sha1:
 f3ad5c1ff838a1301e0da3c704dafbafd0f57a90 3330 flatpak_1.2.3-1.dsc
 824abb949e540acaaee6a4122321467abcdc8b3b 1166820 flatpak_1.2.3.orig.tar.xz
 f43aa084c491d82f71ad56f6650e998fc2dc6b07 24796 flatpak_1.2.3-1.debian.tar.xz
 5e043c6e1a5634f87458571ad314f4de79b292b0 11925 flatpak_1.2.3-1_source.buildinfo
Checksums-Sha256:
 e6340ce8807c214d9a1ebf313a0479506b4e989b392a3f35ae8f113648a6cb2b 3330 flatpak_1.2.3-1.dsc
 bb4720307fc10465660e37bb9489c1d9a349c19143e24f65ddb49032f8b00d44 1166820 flatpak_1.2.3.orig.tar.xz
 18dd7c78fefd2b9cdfc258a5410c25cf65f945cbc9398e3ee5043424b352b926 24796 flatpak_1.2.3-1.debian.tar.xz
 3a86e01ac8104a6f27c42fa508e07fabaaad8e0d39f7fe9ce105831ebe64d860 11925 flatpak_1.2.3-1_source.buildinfo
Files:
 11aa721694e81efae8d061442016033f 3330 admin optional flatpak_1.2.3-1.dsc
 6ce8069ba5bb027fa7fbe84db209464e 1166820 admin optional flatpak_1.2.3.orig.tar.xz
 f11bde09a4bd81ca0728de799f28d443 24796 admin optional flatpak_1.2.3-1.debian.tar.xz
 678a19200588a7aafc9bd90bae4a9d3a 11925 admin optional flatpak_1.2.3-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAlxhv3IACgkQ4FrhR4+B
TE9svxAAqQ7bRTUiqhwNRaVzt7JhHEbqd0DiTRDPcoMe34du7DDh2dyTrW9+haSk
Kf6K90vw103jXpk/+H8mRIl1Xy7zoRk2TQBhFsz3mdFGhXLFjr/IrdduNb4A53l7
r1K/LXAlH3rbZBGkVXemj71cT824RXFS7vGq8fnD0/c6wEUvTG1eWjlIv1Zowsfa
9btSxdvUR31UB/BX5qM0U09jhUjlqBvwljCKLzxKAXNsHa6jGS5oXLmCM5Z/tfVy
hc8ko+4TxLarSS0UsNYQkf/aFnroslGCe1a5m8/WQVMhlYoocez3wzmCYwgAcTGB
9v+mmplaIRXXV8tx3djKbd2BYtHYGFdbxDKC4JVLZU/rEitQqlp2AhF2zA+UXrdq
Gavizno23LWq5tw/acxKYxHt3AfKUSnvjYJkV1WkWHtkm9AqGsH+Al8NxVdT4Rcs
rvcyh/3XGo/WybZWK6Bqb3BJdrqrQoHWCUkUOgFIz+h2jJ2uBTIKE+3P/l3HUJaS
VS0u4GeontlGhEgMF4DjKXSjn9R3LlzCBsm+PhOwQl+n95tRzTyz8iE6C00YIfKw
3oySCuP9szOLtRItG/mxX8Pep1IvUg0JTkWnIn5LgzvZB6wViTwfZbB4KH9dritH
TshkaaY83Y19C4B/gb4/lgGOmHw6gK1ZF9cWNrXOcSGBVY+uX4c=
=jLaS
-----END PGP SIGNATURE-----

Changed Bug title to 'flatpak: CVE-2019-8308: vulnerability similar to runc CVE-2019-5736 involving /proc/self/exe' from 'flatpak: vulnerability similar to runc CVE-2019-5736 involving /proc/self/exe'. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Tue, 12 Feb 2019 23:21:03 GMT)

Reply sent to Simon McVittie <smcv@debian.org>:

You have taken responsibility. (Mon, 18 Feb 2019 23:21:26 GMT)

Notification sent to Simon McVittie <smcv@debian.org>:

Bug acknowledged by developer. (Mon, 18 Feb 2019 23:21:26 GMT)

Message #30 received at 922059-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 922059-close@bugs.debian.org
Subject: Bug#922059: fixed in flatpak 0.8.9-0+deb9u2
Date: Mon, 18 Feb 2019 23:18:30 +0000

Source: flatpak
Source-Version: 0.8.9-0+deb9u2

We believe that the bug you reported is fixed in the latest version of flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 922059@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 12 Feb 2019 11:11:22 GMT
Source: flatpak
Binary: flatpak flatpak-builder flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc libflatpak0
Architecture: source
Version: 0.8.9-0+deb9u2
Distribution: stretch-security
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-builder - Flatpak application building helper
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak-doc - Application deployment framework for desktop apps (documentation)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 922059
Changes:
 flatpak (0.8.9-0+deb9u2) stretch-security; urgency=medium
 .
   * d/p/Don-t-expose-proc-when-running-apply_extra.patch:
     Backport patch from upstream v1.2.3: do not let the apply_extra script
     for a system installation modify the host-side executable via
     /proc/self/exe, similar to CVE-2019-5736 in runc (Closes: #922059)
Checksums-Sha256:
 c4f7e8525e3e4925fc297b6f17c3105e10c8fa7d5639a781bbb309acdbf221cf 3021 flatpak_0.8.9-0+deb9u2.dsc
 5f72bbbbc9e7aa686c78dc4b30df5b674f1df906a38488be4116c967a31b9b23 18448 flatpak_0.8.9-0+deb9u2.debian.tar.xz
 718c66e0d49b98937ab19d8faae61a25d62c02419ac7498efd2cf09c834543c9 11061 flatpak_0.8.9-0+deb9u2_source.buildinfo
 9df2823e12461c96c87d1e3cadf49963b5fefb6be8ad04dafb84c58b8bcbbf50 750480 flatpak_0.8.9.orig.tar.xz
Checksums-Sha1:
 cdfe6e1ccad08e44e91cbdf55ea85833a3fcb14b 3021 flatpak_0.8.9-0+deb9u2.dsc
 074125b318afa8d1cf46265db6d115845cc92b5e 18448 flatpak_0.8.9-0+deb9u2.debian.tar.xz
 a58f816ac04b05688c24ad962bcd9598ed81aab1 11061 flatpak_0.8.9-0+deb9u2_source.buildinfo
 d52bd785423ea882df548aa71d6fcd2f4db09e83 750480 flatpak_0.8.9.orig.tar.xz
Files:
 b8a48cc8727c08982b0efb0bf9dbcabd 3021 admin optional flatpak_0.8.9-0+deb9u2.dsc
 ba10d2c52e936067fa6767374480729d 18448 admin optional flatpak_0.8.9-0+deb9u2.debian.tar.xz
 96569213028c0e185bd5f16cb3b84e15 11061 admin optional flatpak_0.8.9-0+deb9u2_source.buildinfo
 9e4dd45c0b7082063bab9fc688a5b26e 750480 admin optional flatpak_0.8.9.orig.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAlxiqfcACgkQ4FrhR4+B
TE9WiRAAn7/qVCufVOqyyGFapX0vOUgyDUJBEFtGIWlPAuFwMTIWYKK0ICtM4v2L
mvEsOdelDAK/6Fc6B2VY9KshSr1AIAwEqUUAF621L7QW4OcFKLzFcbT1BRFoHhts
n7u1kgr9el+h4Y+7RVlizDvgT0mG3SrJJUIEhA2VLzQlDAhQpAgYYAFusVRs9YJt
fAMz0ofron0WtG/vAcNHgfSwKC+quH8XhPOdSisiNapDlOjmCcFwuXoby+SwrBYY
jKcwAPhNJH59Ad5Wle85toiulhnMUeLqvbR5Cbnb7wrnCqaGl/aC2ZPMMoAcLzGs
Ki+aydR4xn5AnAhJDcDWjFPHPuSwe/9pmHfdXbgwNK+HlCO3JFkWP4LDbzKZ9ryQ
/7W/Q+lwWdw26z/Sa+2oifxv+X1dvQMzM2f1MXDl8G1omBvTsB9kjN0hJ4oTdZ7M
q2KPi976h18D6DCoFa+lBxflGmclyxzyCfOHdS2GgqnmXe2QVjna2dkZrPahhYSo
zMhBP3RIV4YaTTyYi5Nn3LuUUf1rKBXexCoc60O5Tex9DJdpbBwkstwliZi3caTm
mo1SD5gcgekM3+0nnKupY8kKnycwbEPq3qUR7qyd3oscLMGN3mKTCnFvMebXlgC0
6BUK5G33wINp9GivPpWKZjes01jky4w7xLvuJ8TtZ7LisampDeg=
=gDG7
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Apr 2019 07:34:47 GMT)
