Описание
Security update for flatpak
This update for flatpak fixes the following issues:
- CVE-2021-21381: Fixed an issue where a sandboxed application could read and write arbitrary host files via special tokens in the .desktop file (bsc#1183459).
- CVE-2021-21261: Fixed a sandbox escape issue via the flatpak-portal service (bsc#1180996).
Non-security fixes:
- openh264 extension needs to use 'extra_data'. (bsc#1155688) The update will provide the support for extra_data' in extensions and will provide a list of versions that are supported. This will be useful for the extra_data for extensions because that will require it to say that it is supported for version > 1.2.5 in the 1.2 series and > 1.4.2 otherwise. The update will includes fixes for a segfault in the function that lists the installed references (flatpak_installation_list_installed_refs). When an appstream update is cancelled while downloading icons, the update will show a proper fail. Before this fix the next update attempt will see an up-to-date timestamp, think everyhing is ok and not download the missing icons. The update will introduce checks in the OCI (Open Container Initiative format) updates for validating if it is gpg verified. The update will install the required runtime for the installed extension. The update will prevent a crash if the 'FlatpakDir' can't ensure it has a repo configured. The update will prevent the removal of local extensions considered remote and not locally related.
Список пакетов
SUSE Enterprise Storage 6
SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
SUSE Linux Enterprise Server 15 SP1-BCL
SUSE Linux Enterprise Server 15 SP1-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP1
Ссылки
- Link for SUSE-SU-2022:2990-1
- E-Mail link for SUSE-SU-2022:2990-1
- SUSE Security Ratings
- SUSE Bug 1155688
- SUSE Bug 1180996
- SUSE Bug 1183459
- SUSE CVE CVE-2021-21261 page
- SUSE CVE CVE-2021-21381 page
Описание
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0.
Затронутые продукты
Ссылки
- CVE-2021-21261
- SUSE Bug 1180996
Описание
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit "`Disallow @@ and @@U usage in desktop files`". The follow-up commits "`dir: Reserve the whole @@ prefix`" and "`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.
Затронутые продукты
Ссылки
- CVE-2021-21381
- SUSE Bug 1183459