Your message dated Sat, 20 Mar 2021 19:52:50 +0000
with message-id <e1lnheu-000i3h...@fasolo.debian.org>
and subject line Bug#984859: fixed in flatpak 1.2.5-0+deb10u4
has caused the Debian Bug report #984859,
regarding CVE-2021-21381: flatpak: sandbox escape via special tokens in .desktop file (flatpak#4146)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
984859: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: flatpak
Version: 0.9.4-1
Severity: grave
Tags: patch upstream security
Justification: user security hole
Forwarded: https://github.com/flatpak/flatpak/issues/4146
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Control: close -1 1.10.1-4
flatpak since 0.9.4 has a bug in the "file forwarding" feature, which can
be used by an attacker to gain access to files that would not ordinarily
be allowed by the app's permissions.
By putting the special tokens @@ and/or @@u in the Exec field of a
Flatpak app's .desktop file, a malicious app publisher can trick flatpak
into behaving as though the user had chosen to open a target file with
their Flatpak app, which automatically makes that file available to the
Flatpak app.
There is no CVE ID available for this yet, so I'm tracking it using the
upstream issue reference flatpak#4146. I've already fixed this in unstable
and contacted the security team.
Mitigations: Flatpak apps need to be at least partially trusted, because
they are executing arbitrary code in a sandbox that is unlikely to be
fully robust against a determined attacker; the permissions are chosen by
the publisher (although end users can override them), so granting yourself
access to the desired file is a lot easier than making use of this
vulnerability and will likely have the same result for most users; and
sites like Flathub that publish apps on behalf of third-party developers
are in a position to detect and prevent this attack if they want to.
stretch does not appear to be vulnerable: the feature that had the bug
was not yet present in 0.8.x.
smcv
--- End Message ---
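The report above notes that publishers such as Flathub are in a position to detect this before an app ships. As an added example (not code from the bug report, from flatpak, or from Debian), the script below is the kind of review-side check a publisher or distribution could run over an app's exported .desktop files: it parses every desktop-entry section that carries an Exec key (the main entry and any Desktop Action sections) and flags each argument that is exactly one of the file-forwarding tokens @@ or @@u named in the report. The two .desktop files, their names and the placeholder path are constructed for the example; matching the tokens only as whole Exec arguments is an assumption about how flatpak delimits them.

```python
"""Review-side scan of .desktop files for flatpak file-forwarding tokens.

Added example; not part of flatpak, Debian or the bug report. Assumes the
tokens @@ and @@u matter only when they appear as whole Exec arguments.
"""
import configparser
import shlex
from typing import Dict, List

# Tokens named in the report (flatpak#4146 / CVE-2021-21381).
FORWARDING_TOKENS = frozenset({"@@", "@@u"})

# Constructed sample: a normal entry that only uses standard %f field codes.
BENIGN_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Example Editor
Exec=example-editor %f
"""

# Constructed sample: forwarding tokens in both the main entry and an action.
SUSPICIOUS_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Example Viewer
Exec=example-viewer @@ /constructed/placeholder-path @@
Actions=View;

[Desktop Action View]
Name=View
Exec=example-viewer @@u file:///constructed/placeholder-path @@u
"""


def exec_args(exec_value: str) -> List[str]:
    """Split an Exec value into arguments.

    Desktop-entry quoting is close enough to shell quoting for shlex; on
    unbalanced quotes fall back to a whitespace split so that a malformed
    line cannot hide a token behind a parse error.
    """
    try:
        return shlex.split(exec_value)
    except ValueError:
        return exec_value.split()


def find_forwarding_tokens(desktop_text: str) -> Dict[str, List[str]]:
    """Return {section_name: [offending arguments]} for every Exec line
    that contains a forwarding token; an empty dict means nothing was found."""
    parser = configparser.ConfigParser(
        interpolation=None,      # '%f', '%u' field codes are literal here
        strict=False,            # tolerate duplicate keys rather than abort
        delimiters=("=",),
        comment_prefixes=("#",),
    )
    parser.optionxform = str     # desktop-entry keys are case-sensitive
    parser.read_string(desktop_text)

    findings: Dict[str, List[str]] = {}
    for section in parser.sections():
        if not parser.has_option(section, "Exec"):
            continue
        hits = [arg for arg in exec_args(parser.get(section, "Exec"))
                if arg in FORWARDING_TOKENS]
        if hits:
            findings[section] = hits
    return findings


def scan_file(path: str) -> Dict[str, List[str]]:
    """Convenience wrapper for a reviewer running this over an exported app."""
    with open(path, encoding="utf-8") as fh:
        return find_forwarding_tokens(fh.read())


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_DESKTOP), ("suspicious", SUSPICIOUS_DESKTOP)):
        result = find_forwarding_tokens(text)
        print(f"{label}: {'clean' if not result else result}")
```

Run against a directory of exported .desktop files, any non-empty result is grounds to hold the app for manual review; the check is deliberately narrow (exact tokens only) so it produces no false positives on ordinary %f/%u field codes.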
--- Begin Message ---
Source: flatpak
Source-Version: 1.2.5-0+deb10u4
Done: Simon McVittie <s...@debian.org>
We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 984...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated flatpak package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 10 Mar 2021 11:13:59 +0000
Source: flatpak
Architecture: source
Version: 1.2.5-0+deb10u4
Distribution: buster-security
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Closes: 984859
Changes:
flatpak (1.2.5-0+deb10u4) buster-security; urgency=high
.
* Add patches from upstream 1.10.2 release to fix a sandbox escape
via special tokens in .desktop files (flatpak#4146, Closes: #984859)
Checksums-Sha1:
d14a4e6147e7dfee8c1863169ad3a659a77948f1 3362 flatpak_1.2.5-0+deb10u4.dsc
c41720fa9095b3c15550f4feaf7199acce9da817 36084 flatpak_1.2.5-0+deb10u4.debian.tar.xz
667ddded47e5c4551f6f89a46fa7ca514ebedd03 12733 flatpak_1.2.5-0+deb10u4_source.buildinfo
Checksums-Sha256:
ecf6f8bb2153d2078d0fb9e0e6875fdccd306550397fe53c300c1073f5f3f88c 3362 flatpak_1.2.5-0+deb10u4.dsc
9e535602041332f187f7447a97b49afc313861aac9117f9c8ce02e3027f2b9d8 36084 flatpak_1.2.5-0+deb10u4.debian.tar.xz
a6a57c725897b806fe0f315d3aeeb4ed0d504f8b02e0f4ef73e0fd069cd31a24 12733 flatpak_1.2.5-0+deb10u4_source.buildinfo
Files:
d2326f249da2bcf75d7b6386932a1373 3362 admin optional flatpak_1.2.5-0+deb10u4.dsc
881d500200b7941f84657dc6b37b77ea 36084 admin optional flatpak_1.2.5-0+deb10u4.debian.tar.xz
4c6c5f3610ac93aea3b74fe4b5dd60d2 12733 admin optional flatpak_1.2.5-0+deb10u4_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=37MR
-----END PGP SIGNATURE-----
--- End Message ---