Package: flatpak
Version: 0.8.5-2
Severity: critical
Tags: security fixed-upstream
Forwarded: https://github.com/flatpak/flatpak/issues/845
Justification: potentially (in worst case) root security hole
The Flatpak developers recently released version 0.8.7 fixing a security issue. A third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. Older Flatpak versions would deploy the files with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system helper", files deployed as part of the app are owned by root, so in the worst case they could be setuid root.

Mitigations:

* If you are running apps from a third party already, then there is already a trust relationship (the app is sandboxed, but the sandbox is not very strict in practice, and the third-party vendor chooses what permissions the app will have)
* The default polkit policies will not allow apps to be installed system-wide unless a privileged (root-equivalent) user has added the third-party app repository, which indicates that the privileged user trusts the operator of that repository
* The attacker exploiting the wrong permissions needs to be local

It seems that upstream consider this to be a minor security issue due to those mitigations.

For the buster and sid suites, this will be fixed in 0.8.7-1 shortly. For the experimental suite, this will be fixed in 0.9.6-1. That will take a bit longer because it needs a newer version of libostree.

Security team: do you want a backport/DSA for stretch-security, or do you consider the mitigations to be sufficient to fix this through a stable update instead? I am hoping to get 0.8.7 into stretch r1 as a stable update, but 0.8.6 contains unrelated bug fixes that I realise you won't necessarily want in stretch-security (proposed-update tracked at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864028>).
For a stretch-security backport with just this fix, I could optionally also include these security-hardening-related commits from 0.8.6:

https://github.com/flatpak/flatpak/commit/6265200c83f23acceb3c9b192ebc1ffa9db140de
https://github.com/flatpak/flatpak/commit/414d699621664913dadebcf5db39732b99268c37

Please let me know whether you would prefer those included or excluded.

S
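As an added illustration (not part of the bug report and not Flatpak's own code), the following audit script walks an already-deployed app tree and reports the permission bits the report describes as inappropriate: setuid, setgid and world-writable. The sample tree it builds is constructed for the demonstration; an administrator checking a real deployment would point `find_unsafe_files` at the app's files directory instead.

```python
import os
import stat
import tempfile
from pathlib import Path

# Permission bits a deployed app tree should never carry (the report names
# setuid and world-writable; setgid is checked for the same reason).
UNSAFE_BITS = {
    "setuid": stat.S_ISUID,
    "setgid": stat.S_ISGID,
    "world-writable": stat.S_IWOTH,
}


def find_unsafe_files(root):
    """Walk a deployed app tree; return sorted [(relative path, [problem, ...])].

    Entries are inspected with lstat and symlinks are skipped, so a link
    pointing outside the tree cannot make an unrelated file show up here.
    """
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # mode bits on a symlink itself are not meaningful on Linux
            problems = [label for label, bit in UNSAFE_BITS.items() if mode & bit]
            if problems:
                findings.append((str(path.relative_to(root)), problems))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: one normal executable, one setuid file, one 0777 dir."""
    root = Path(tempfile.mkdtemp(prefix="flatpak-audit-"))
    (root / "files" / "bin").mkdir(parents=True)
    good = root / "files" / "bin" / "app"
    good.write_text("#!/bin/sh\necho ok\n")
    good.chmod(0o755)
    suid = root / "files" / "bin" / "helper"
    suid.write_text("#!/bin/sh\n")
    suid.chmod(0o4755)  # setuid bit set by the (hypothetical) malicious app
    shared = root / "files" / "share"
    shared.mkdir()
    shared.chmod(0o777)  # world-writable directory
    return root


if __name__ == "__main__":
    for rel, problems in find_unsafe_files(build_sample_tree()):
        print(f"{rel}: {', '.join(problems)}")
```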