Your message dated Fri, 07 Apr 2023 10:02:09 +0000
with message-id <e1pkiv3-009dj7...@fasolo.debian.org>
and subject line Bug#1033098: fixed in flatpak 1.10.8-0+deb11u1
has caused the Debian Bug report #1033098,
regarding flatpak: CVE-2023-28101: escape characters in metadata can hide permissions changes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033098: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033098
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: flatpak
Version: 0.6.0-1
Severity: serious
Tags: security pending fixed-upstream
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Forwarded: https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8
Control: fixed -1 1.14.4-1
Control: fixed -1 1.15.4-1

When installing or upgrading a Flatpak app using the flatpak(1) CLI,
the user is normally shown any special permissions that the new app has
in its metadata, so that they can make a somewhat informed choice about
whether to allow its installation.

Ryan Gonzalez discovered that malicious Flatpak app maintainers could
manipulate or hide this display of permissions by requesting permissions
that include ANSI terminal control codes or other non-printable characters.
This was fixed in Flatpak 1.14.4, 1.15.4, 1.12.8 and 1.10.8 by displaying
non-printable characters in an escaped format (\xXX, \uXXXX, \UXXXXXXXX)
so that they do not alter the terminal's behaviour, and also by treating
non-printable characters in certain contexts as invalid (not allowed).

Graphical frontends for libflatpak, like GNOME Software and KDE Plasma
Discover, are not directly affected by this. When retrieving an app's
permissions to show to the user, the graphical frontend continues to be
responsible for filtering or escaping any characters that would have a
special meaning for its GUI libraries.

I've already contacted the security team asking for permission to upload
1.10.8 as a security update for bullseye.

    smcv

--- End Message ---
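The report above describes the fix as displaying non-printable characters in an escaped form (\xXX, \uXXXX, \UXXXXXXXX) and rejecting them outright in certain contexts. The following is an added example, written for this page and not Flatpak's own code, showing both halves of that approach on constructed permission strings. The function names, the choice to double a literal backslash, and the sample metadata are all assumptions of this example, not details taken from the advisory.

```python
# Added example (not Flatpak's own code): escape non-printable characters in
# app metadata before showing it on a terminal, in the \xXX / \uXXXX /
# \UXXXXXXXX style the advisory describes, and reject such characters in
# contexts where they are simply invalid.
from typing import List


def escape_nonprintable(text: str) -> str:
    """Return `text` with every non-printable code point replaced by an escape.

    Printable characters (letters, punctuation, the ASCII space) pass through.
    Control characters (ESC, CR, LF, ...), format characters such as zero-width
    spaces, and other non-printables become \\xXX, \\uXXXX or \\UXXXXXXXX
    depending on their value, so the terminal prints them literally instead of
    interpreting them. A literal backslash is doubled; that is a design choice
    of this example so the escaped output is unambiguous, not something the
    advisory specifies.
    """
    out = []
    for ch in text:
        cp = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif ch.isprintable():
            out.append(ch)
        elif cp <= 0xFF:
            out.append(f"\\x{cp:02x}")
        elif cp <= 0xFFFF:
            out.append(f"\\u{cp:04x}")
        else:
            out.append(f"\\U{cp:08x}")
    return "".join(out)


def is_valid_permission(token: str) -> bool:
    """Strict check for contexts where non-printables are not allowed at all.

    Returns False for an empty token or for any token containing a character
    that is not printable (str.isprintable() returns True for "", hence the
    explicit emptiness check).
    """
    return bool(token) and token.isprintable()


def render_permissions(perms: List[str]) -> List[str]:
    """Produce the lines a CLI would show, escaping each token defensively."""
    return [f"  {escape_nonprintable(p)}" for p in perms]


# Constructed sample metadata (not from any real app): one ordinary permission,
# one carrying an ESC control sequence plus a carriage return, and one with a
# zero-width space appended.
SAMPLE_PERMISSIONS = [
    "--share=network",
    "--filesystem=home\x1b[0m\r",
    "--device=dri\u200b",
]

if __name__ == "__main__":
    print("Permissions as a hardened CLI would display them:")
    for line in render_permissions(SAMPLE_PERMISSIONS):
        print(line)
    print("Strict validation (for contexts where non-printables are invalid):")
    for p in SAMPLE_PERMISSIONS:
        print(f"  {escape_nonprintable(p)!r}: valid={is_valid_permission(p)}")
```

Run stand-alone, the script prints the escaped permission list and then the result of the strict check for each token; the first token passes, the other two are rejected. Python's `str.isprintable()` treats Unicode "Other" and "Separator" categories (except the ASCII space) as non-printable, which covers C0/C1 control characters and format characters alike.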
--- Begin Message ---
Source: flatpak
Source-Version: 1.10.8-0+deb11u1
Done: Simon McVittie <s...@debian.org>

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sat, 18 Mar 2023 15:29:44 +0000
Source: flatpak
Architecture: source
Version: 1.10.8-0+deb11u1
Distribution: bullseye
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Closes: 1033098 1033099
Changes:
 flatpak (1.10.8-0+deb11u1) bullseye; urgency=high
 .
   * New upstream stable release
   * Security fixes:
     - Escape special characters when displaying permissions and metadata,
       preventing malicious apps from manipulating the appearance of the
       permissions list using crafted metadata
       (Closes: #1033098; CVE-2023-28101)
     - If a Flatpak app is run on a Linux virtual console (tty1, etc.),
       don't allow copy/paste via the TIOCLINUX ioctl
       (Closes: #1033099; CVE-2023-28100).
       Note that this is specific to virtual consoles: Flatpak is not
       vulnerable to this if run from a graphical terminal emulator such
       as xterm, gnome-terminal or Konsole.
   * Other bug fixes:
     - If an app update is blocked by parental controls policies, clean up
       the temporary deploy directory
     - Fix Autotools build with newer versions of gpgme
     - Fix various regressions in `flatpak history` since 1.9.1
     - Fix a typo in an error message
     - Translation update: pl
     - Add test coverage for seccomp filters
   * d/copyright: Update
Checksums-Sha1:
 9415f9e79461097b0f0a7f5069e739c5941bab56 3685 flatpak_1.10.8-0+deb11u1.dsc
 89420d434afa1d3bb9c43450935fd13e37ddc439 1531752 flatpak_1.10.8.orig.tar.xz
 941dcd733014f921b24cd4453c358087baf78d24 32388 flatpak_1.10.8-0+deb11u1.debian.tar.xz
 f7960493595482927849f0fb48d814f07e9912a0 12349 flatpak_1.10.8-0+deb11u1_source.buildinfo
Checksums-Sha256:
 da0ec9346527f6d42a8d953c37ee4f9f62274fc1a30a38cda57b37fb71d18551 3685 flatpak_1.10.8-0+deb11u1.dsc
 65569dbf31344581a1e7782d09e702bb41e7011ae21cd021c414a2925f84b82c 1531752 flatpak_1.10.8.orig.tar.xz
 2e265d335b5dccb841c2a93800a9384d4743311d6eb1ca721a9bde76b55989f7 32388 flatpak_1.10.8-0+deb11u1.debian.tar.xz
 9f9ca709c2102a1c8d0c092a38abfe784cfd850976a9730ca88d0238963499f8 12349 flatpak_1.10.8-0+deb11u1_source.buildinfo
Files:
 c5636ce868eaa34e0a0a4526e266c8e4 3685 admin optional flatpak_1.10.8-0+deb11u1.dsc
 25ee921580f591e87b1a8a476026e67f 1531752 admin optional flatpak_1.10.8.orig.tar.xz
 9b62911a16decfa8f2ea6491def625ae 32388 admin optional flatpak_1.10.8-0+deb11u1.debian.tar.xz
 2588f3854d83543ab1b11839521df963 12349 admin optional flatpak_1.10.8-0+deb11u1_source.buildinfo


--- End Message ---