Control: retitle flatpak: CVE-2017-9780: Flatpak security issue #845 involving setuid/world-writable files
Hi Simon,

On Wed, Jun 21, 2017 at 09:46:21AM +0100, Simon McVittie wrote:
> Package: flatpak
> Version: 0.8.5-2
> Severity: critical
> Tags: security fixed-upstream
> Forwarded: https://github.com/flatpak/flatpak/issues/845
> Justification: potentially (in worst case) root security hole
>
> The Flatpak developers recently released version 0.8.7 fixing a security
> issue. A third-party app repository could include malicious apps that
> contain files with inappropriate permissions, for example setuid or
> world-writable. Older Flatpak versions would deploy the files with those
> permissions, which would let a local attacker run the setuid executable
> or write to the world-writable location.
>
> In the case of the "system helper", files deployed as part of the app
> are owned by root, so in the worst case they could be setuid root.
>
> Mitigations:
> * If you are running apps from a third party already, then there is
>   already a trust relationship (the app is sandboxed, but the sandbox
>   is not very strict in practice, and the third-party vendor chooses
>   what permissions the app will have)
> * The default polkit policies will not allow apps to be installed
>   system-wide unless a privileged (root-equivalent) user has added
>   the third-party app repository, which indicates that the privileged
>   user trusts the operator of that repository
> * The attacker exploiting the wrong permissions needs to be local
>
> It seems that upstream consider this to be a minor security issue due
> to those mitigations.

I requested a CVE for this issue, and it got assigned CVE-2017-9780.

Since you are more in the source package, can you do a post to
oss-security so others are informed as well (in case not anyway already
known?).

Regards,
Salvatore
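
An added example, not part of the original message and not Flatpak's own code: a permission audit an administrator could run over an already-deployed app tree to find the file modes the report describes. It also reports setgid, which goes beyond the two cases named in the report; the directory to scan is supplied by the operator, and the sample tree is constructed for illustration.

```python
import os
import stat
import sys
import tempfile

# Permission bits that deployed app files should not carry.
RISKY = {"setuid": stat.S_ISUID, "setgid": stat.S_ISGID,
         "world-writable": stat.S_IWOTH}

def risky_bits(mode):
    """Return the names of the risky permission bits set in an st_mode."""
    if stat.S_ISLNK(mode):  # symlink modes are always 0777 and meaningless
        return []
    return [name for name, bit in RISKY.items() if mode & bit]

def audit_tree(root):
    """Return sorted (relative path, owner uid, bits) for risky entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow links out of the tree
            except OSError:
                continue  # entry vanished or is unreadable
            bits = risky_bits(st.st_mode)
            if bits:
                findings.append((os.path.relpath(path, root), st.st_uid, bits))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree standing in for a deployed app."""
    bindir = os.path.join(root, "files", "bin")
    os.makedirs(bindir)
    os.chmod(bindir, 0o755)
    for name, mode in (("ok", 0o755), ("writable", 0o666)):
        path = os.path.join(bindir, name)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "files"), 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else tmp
        if target == tmp:
            build_sample(tmp)
        for rel, uid, bits in audit_tree(target):
            owner = "root-owned" if uid == 0 else f"uid {uid}"
            print(f"{rel}: {', '.join(bits)} ({owner})")
```

A root-owned entry flagged as setuid is the worst case the report describes for system-wide installs.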