• [SECURITY] [DSA 4830-1] flatpak security update

    From Moritz Muehlenhoff@21:1/5 to All on Thu Jan 14 20:20:01 2021

    -------------------------------------------------------------------------
    Debian Security Advisory DSA-4830-1                   security@debian.org
    https://www.debian.org/security/                       Moritz Muehlenhoff
    January 14, 2021                      https://www.debian.org/security/faq
    -------------------------------------------------------------------------

    Package : flatpak
    CVE ID : not yet available

    Simon McVittie discovered a bug in the flatpak-portal service that can
    allow sandboxed applications to execute arbitrary code on the host system
    (a sandbox escape).

    The Flatpak portal D-Bus service (flatpak-portal, also known by its
    D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a
    Flatpak sandbox to launch their own subprocesses in a new sandbox
    instance, either with the same security settings as the caller or
    with more restrictive security settings. For example, this is used in
    Flatpak-packaged web browsers such as Chromium to launch subprocesses
    that will process untrusted web content, and give those subprocesses a
    more restrictive sandbox than the browser itself.

    In vulnerable versions, the Flatpak portal service passes
    caller-specified environment variables to non-sandboxed processes on
    the host system, and in particular to the flatpak run command that is
    used to launch the new sandbox instance. A malicious or compromised
    Flatpak app could set environment variables that are trusted by the
    flatpak run command, and use them to execute arbitrary code that is
    not in a sandbox.
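    The launch path described above, modelled in Python as an added example (not code from Flatpak or from this advisory): a builder that lets caller-chosen variables into the host-side `flatpak run` process sits next to a hardened builder that keeps the host environment fixed and forwards the variables only as sandbox-scoped `--env` arguments. The hardened form is an assumed defensive structure, not the Debian patch; `HOST_TRUSTED_VAR`, `org.example.App` and the probe subprocess are constructed, and a Linux host is assumed.

```python
"""Model of the flatpak-portal spawn path: environment variables chosen by a
sandboxed caller must not reach host-side processes such as `flatpak run`."""
import os
import re
import subprocess
import sys

# Constructed caller-supplied environment. HOST_TRUSTED_VAR is a placeholder
# for any variable a host-side process would honour; the advisory names none.
CALLER_ENV = {"HOST_TRUSTED_VAR": "attacker-controlled", "APP_SETTING": "1"}

_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def build_launch_vulnerable(app_id, argv, caller_env):
    """Pre-fix pattern: caller variables are merged into the environment of
    the host-side `flatpak run` process, so they act before any new sandbox
    exists. Returns (argv, env) for the host process; nothing is executed."""
    host_env = dict(os.environ)
    host_env.update(caller_env)  # defect: trusts the sandboxed caller
    return ["flatpak", "run", app_id, *argv], host_env

def build_launch_hardened(app_id, argv, caller_env):
    """Hardened pattern (assumed, not Debian's patch): the host launcher keeps
    a fixed minimal environment; caller variables travel only as data
    (`--env=K=V` arguments) that apply inside the new sandbox instance."""
    host_env = {"PATH": "/usr/bin:/bin", "LANG": os.environ.get("LANG", "C")}
    env_args = []
    for key, value in caller_env.items():
        if not _KEY_RE.match(key) or "\0" in value:
            raise ValueError(f"rejected caller environment entry: {key!r}")
        env_args.append(f"--env={key}={value}")
    return ["flatpak", "run", *env_args, app_id, *argv], host_env

def host_process_sees(host_env):
    """Run a Python stand-in for the host-side launcher with the given
    environment and report which caller keys are visible to it."""
    probe = [sys.executable, "-c",
             "import os, sys; print(*(k for k in sys.argv[1:] if k in os.environ))",
             *CALLER_ENV]
    out = subprocess.run(probe, env=host_env, capture_output=True,
                         text=True, check=True)
    return sorted(out.stdout.split())

if __name__ == "__main__":
    for label, build in (("vulnerable", build_launch_vulnerable),
                         ("hardened", build_launch_hardened)):
        _, env = build("org.example.App", ["--child"], CALLER_ENV)
        print(f"{label} host launcher sees: {host_process_sees(env)}")
```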

    For the stable distribution (buster), this problem has been fixed in
    version 1.2.5-0+deb10u2.

    We recommend that you upgrade your flatpak packages.

    For the detailed security status of flatpak please refer to
    its security tracker page at: https://security-tracker.debian.org/tracker/flatpak

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org
