<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:cvrf="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf" xmlns:cvrf-common="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/common" xmlns:cvssv2="http://scap.nist.gov/schema/cvss-v2/1.0" xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:ns0="http://purl.org/dc/elements/1.1/" xmlns:prod="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/prod" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/1.0" xmlns:sch="http://purl.oclc.org/dsdl/schematron" xmlns:vuln="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
  <DocumentTitle xml:lang="en">Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE-SU-2021:1094-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2021-04-07T12:11:43Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2021-04-07T12:11:43Z</InitialReleaseDate>
    <CurrentReleaseDate>2021-04-07T12:11:43Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues:

libostree:

Update to version 2020.8

- Enable LTO. (bsc#1133120)

- This update contains scalability improvements and bugfixes.
- Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be 
  re-downloaded if not changed in the meanwhile.
- Summaries and deltas have been reworked to allow more fine-grained fetching.
- Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures.
- Static deltas can now be signed to more easily support offline verification.
- There's now support for multiple initramfs images; it is possible to have a 'main' initramfs image and a 
  secondary one which represents local configuration.
- The documentation is now moved to https://ostreedev.github.io/ostree/
- Fix for an assertion failure when upgrading from systems before ostree supported devicetree.
- ostree no longer hardlinks zero sized files to avoid hitting filesystem maximum link counts.
- ostree now supports `/` and `/boot` being on the same filesystem.
- Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for 
  the immutable bit on s390x, dropping a deprecated bit in the systemd unit file.
- Fix a regression from 2020.4 where the 'readonly sysroot' changes incorrectly left the sysroot read-only 
  on systems that started out with a read-only `/` (most of them, e.g. Fedora Silverblue/IoT at least).
- The default dracut config now enables reproducibility.
- There is a new `ostree admin unlock --transient`. This should be a foundation for further support 
  for 'live' updates.
- New `ed25519` signing support, powered by `libsodium`.
- `ostree commit` gained a new `--base` argument, which significantly simplifies constructing 'derived' 
  commits, particularly for systems using SELinux.
- Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. 
  Enabling the `readonly=true` flag in the repo config is recommended.
- Several fixes in locking for the temporary 'staging' directories OSTree creates, particularly on NFS.
- A new `timestamp-check-from-rev` option was added for pulls, which makes downgrade protection more 
  reliable and will be used by Fedora CoreOS.
- Several fixes and enhancements made for 'collection' pulls including a new `--mirror` option.
- The ostree commit command learned a new `--mode-ro-executables` which enforces `W^R` semantics 
  on all executables.
- Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE` to help standardize 
  the architecture of the OSTree commit. This could be used on the client side for example to 
  sanity-check that the commit matches the architecture of the machine before deploying.
- Stop invalid usage of `%_libexecdir`:
  + Use `%{_prefix}/lib` where appropriate.
  + Use `_systemdgeneratordir` for the systemd-generators.
  + Define `_dracutmodulesdir` based on `dracut.pc`. Add BuildRequires(dracut) for this to work.

xdg-desktop-portal:

Update to version 1.8.0:

- Ensure systemd rpm macros are called at install/uninstall times for systemd user services.
- Add BuildRequires on systemd-rpm-macros.
- openuri:
  - Allow skipping the chooser for more URL types
  - Robustness fixes
- filechooser: 
  - Return the current filter
  - Add a 'directory' option
  - Document the 'writable' option
- camera:
  - Make the client node visible
  - Don't leak pipewire proxy
- Fix file descriptor leaks
- Testsuite improvements
- Updated translations.
- document:
  - Reduce the use of open fds
  - Add more tests and fix issues they found
  - Expose directories with their proper name
  - Support exporting directories
  - New fuse implementation
- background: Avoid a segfault
- screencast: Require pipewire 0.3
- Better support for snap and toolbox
- Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the binary. (bsc#1175899)
  Without it, files or directories can be selected, but whatever is done with or in them will not have any effect.
- Fixes for `%_libexecdir` changing to `/usr/libexec`

xdg-desktop-portal-gtk:

Update to version 1.8.0:

- filechooser: 
  - Return the current filter
  - Handle the 'directory' option to select directories
  - Only show preview when we have an image
- screenshot: Fix cancellation
- appchooser: Avoid a crash
- wallpaper:
  - Properly preview placement settings
  - Drop the lockscreen option
- printing: Improve the notification
- Updated translations.
- settings: Fall back to gsettings for enable-animations
- screencast: Support Mutter version 3 (new PipeWire API version 3).

flatpak:

- Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)

- This is a security update which fixes a potential attack where a flatpak application could use a custom formatted 
  `.desktop` file to gain access to files on the host system.
- Fix memory leaks
- Documentation and translations updates
- Spawn portal better handles non-utf8 filenames
- Fix flatpak build on systems with setuid bwrap 
- Fix crash on updating apps with no deploy data
- Remove deprecated texinfo packaging macros.
- Support for the new repo format which should make updates faster and download less data.
- The systemd generator snippets now call flatpak `--print-updated-env` in place of a bunch of shell for better
  login performance.
- The `.profile` snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh.
- Flatpak now finds the pulseaudio sockets better in uncommon configurations.
- Sandboxes with network access now also have access to the `systemd-resolved` socket to do DNS lookups.
- Flatpak supports unsetting environment variables in the sandbox using `--unset-env`, 
  and `--env=FOO=` now sets FOO to the empty string instead of unsetting it.
- The spawn portal now has an option to share the pid namespace with the sub-sandbox.
- This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by 
  controlling the environment of the 'flatpak run' command when spawning a sub-sandbox (bsc#1180996, CVE-2021-21261)
- Fix support for ppc64.
- Move flatpak-bisect and flatpak-coredumpctl to devel subpackage, allow to remove python3 dependency on main package.
- Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124)
- Fixed progress reporting for OCI and extra-data.
- The in-memory summary cache is more efficient.
- Fixed authentication getting stuck in a loop in some cases.
- Fixed authentication error reporting.
- Extract OCI info for runtimes as well as apps. 
- Fixed crash if anonymous authentication fails and `-y` is specified.
- flatpak info now only looks at the specified installation if one is specified.
- Better error reporting for server HTTP errors during download. 
- Uninstall now removes applications before the runtime it depends on.
- Avoid updating metadata from the remote when uninstalling.
- FlatpakTransaction now verifies all passed in refs to avoid.
- Added validation of collection id settings for remotes.
- Fix seccomp filters on s390.
- Robustness fixes to the spawn portal.
- Fix support for masking update in the system installation.
- Better support for distros with uncommon models of merged `/usr`.
- Cache responses from localed/AccountService.
- Fix hangs in cases where `xdg-dbus-proxy` fails to start.
- Fix double-free in cups socket detection.
- OCI authenticator now doesn't ask for auth in case of http errors.
- Fix invalid usage of `%{_libexecdir}` to reference systemd directories.
- Fixes for `%_libexecdir` changing to `/usr/libexec`
- Avoid calling authenticator in update if ref didn't change
- Don't fail transaction if ref is already installed (after transaction start)
- Fix flatpak run handling of userns in the `--device=all` case
- Fix handling of extensions from different remotes
- Fix flatpak run `--no-session-bus`
- `FlatpakTransaction` has a new signal `install-authenticator` which clients can handle to install authenticators 
   needed for the transaction. This is done in the CLI commands.
- Now the host timezone data is always exposed, fixing several apps that had timezone issues.
- There's a new systemd unit (not installed by default) to automatically detect plugged in usb sticks with 
  sideload repos.
- By default the `gdm env.d` file is no longer installed because the systemd generators work better.
- `create-usb` now exports partial commits by default
- Fix handling of docker media types in oci remotes
- Fix subjects in `remote-info --log` output
- This release is also able to host flatpak images on e.g. docker hub.
 </Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">SUSE-2021-1094,SUSE-SLE-Module-Basesystem-15-SP2-2021-1094,SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1094</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/update/announcement/2021/suse-su-20211094-1/</URL>
      <Description>Link for SUSE-SU-2021:1094-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://lists.suse.com/pipermail/sle-security-updates/2021-April/008592.html</URL>
      <Description>E-Mail link for SUSE-SU-2021:1094-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1133120</URL>
      <Description>SUSE Bug 1133120</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1133124</URL>
      <Description>SUSE Bug 1133124</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1175899</URL>
      <Description>SUSE Bug 1175899</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1180996</URL>
      <Description>SUSE Bug 1180996</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2021-21261/</URL>
      <Description>SUSE CVE CVE-2021-21261 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/prod">
    <Branch Type="Product Family" Name="SUSE Linux Enterprise Module for Basesystem 15 SP2">
      <Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Basesystem 15 SP2">
        <FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP2" CPE="cpe:/o:suse:sle-module-basesystem:15:sp2">SUSE Linux Enterprise Module for Basesystem 15 SP2</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
        <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2" CPE="cpe:/o:suse:sle-module-desktop-applications:15:sp2">SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="flatpak-1.10.2-4.6.1">
      <FullProductName ProductID="flatpak-1.10.2-4.6.1">flatpak-1.10.2-4.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="flatpak-devel-1.10.2-4.6.1">
      <FullProductName ProductID="flatpak-devel-1.10.2-4.6.1">flatpak-devel-1.10.2-4.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="flatpak-zsh-completion-1.10.2-4.6.1">
      <FullProductName ProductID="flatpak-zsh-completion-1.10.2-4.6.1">flatpak-zsh-completion-1.10.2-4.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libflatpak0-1.10.2-4.6.1">
      <FullProductName ProductID="libflatpak0-1.10.2-4.6.1">libflatpak0-1.10.2-4.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libostree-2020.8-3.3.2">
      <FullProductName ProductID="libostree-2020.8-3.3.2">libostree-2020.8-3.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libostree-1-1-2020.8-3.3.2">
      <FullProductName ProductID="libostree-1-1-2020.8-3.3.2">libostree-1-1-2020.8-3.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libostree-devel-2020.8-3.3.2">
      <FullProductName ProductID="libostree-devel-2020.8-3.3.2">libostree-devel-2020.8-3.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libostree-grub2-2020.8-3.3.2">
      <FullProductName ProductID="libostree-grub2-2020.8-3.3.2">libostree-grub2-2020.8-3.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="system-user-flatpak-1.10.2-4.6.1">
      <FullProductName ProductID="system-user-flatpak-1.10.2-4.6.1">system-user-flatpak-1.10.2-4.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="typelib-1_0-Flatpak-1_0-1.10.2-4.6.1">
      <FullProductName ProductID="typelib-1_0-Flatpak-1_0-1.10.2-4.6.1">typelib-1_0-Flatpak-1_0-1.10.2-4.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="typelib-1_0-OSTree-1_0-2020.8-3.3.2">
      <FullProductName ProductID="typelib-1_0-OSTree-1_0-2020.8-3.3.2">typelib-1_0-OSTree-1_0-2020.8-3.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="xdg-desktop-portal-1.8.0-5.3.2">
      <FullProductName ProductID="xdg-desktop-portal-1.8.0-5.3.2">xdg-desktop-portal-1.8.0-5.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="xdg-desktop-portal-devel-1.8.0-5.3.2">
      <FullProductName ProductID="xdg-desktop-portal-devel-1.8.0-5.3.2">xdg-desktop-portal-devel-1.8.0-5.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="xdg-desktop-portal-gtk-1.8.0-3.3.1">
      <FullProductName ProductID="xdg-desktop-portal-gtk-1.8.0-3.3.1">xdg-desktop-portal-gtk-1.8.0-3.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="xdg-desktop-portal-gtk-lang-1.8.0-3.3.1">
      <FullProductName ProductID="xdg-desktop-portal-gtk-lang-1.8.0-3.3.1">xdg-desktop-portal-gtk-lang-1.8.0-3.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="xdg-desktop-portal-lang-1.8.0-5.3.2">
      <FullProductName ProductID="xdg-desktop-portal-lang-1.8.0-5.3.2">xdg-desktop-portal-lang-1.8.0-5.3.2</FullProductName>
    </Branch>
    <Relationship ProductReference="libostree-1-1-2020.8-3.3.2" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Basesystem 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP2:libostree-1-1-2020.8-3.3.2">libostree-1-1-2020.8-3.3.2 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="flatpak-1.10.2-4.6.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2:flatpak-1.10.2-4.6.1">flatpak-1.10.2-4.6.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="flatpak-devel-1.10.2-4.6.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2:flatpak-devel-1.10.2-4.6.1">flatpak-devel-1.10.2-4.6.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="flatpak-zsh-completion-1.10.2-4.6.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2:flatpak-zsh-completion-1.10.2-4.6.1">flatpak-zsh-completion-1.10.2-4.6.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="libflatpak0-1.10.2-4.6.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libflatpak0-1.10.2-4.6.1">libflatpak0-1.10.2-4.6.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="libostree-2020.8-3.3.2" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libostree-2020.8-3.3.2">libostree-2020.8-3.3.2 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="libostree-devel-2020.8-3.3.2" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libostree-devel-2020.8-3.3.2">libostree-devel-2020.8-3.3.2 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="system-user-flatpak-1.10.2-4.6.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2:system-user-flatpak-1.10.2-4.6.1">system-user-flatpak-1.10.2-4.6.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="typelib-1_0-Flatpak-1_0-1.10.2-4.6.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2:typelib-1_0-Flatpak-1_0-1.10.2-4.6.1">typelib-1_0-Flatpak-1_0-1.10.2-4.6.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="typelib-1_0-OSTree-1_0-2020.8-3.3.2" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2:typelib-1_0-OSTree-1_0-2020.8-3.3.2">typelib-1_0-OSTree-1_0-2020.8-3.3.2 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="xdg-desktop-portal-1.8.0-5.3.2" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2:xdg-desktop-portal-1.8.0-5.3.2">xdg-desktop-portal-1.8.0-5.3.2 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="xdg-desktop-portal-devel-1.8.0-5.3.2" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2:xdg-desktop-portal-devel-1.8.0-5.3.2">xdg-desktop-portal-devel-1.8.0-5.3.2 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="xdg-desktop-portal-gtk-1.8.0-3.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2:xdg-desktop-portal-gtk-1.8.0-3.3.1">xdg-desktop-portal-gtk-1.8.0-3.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="xdg-desktop-portal-gtk-lang-1.8.0-3.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2:xdg-desktop-portal-gtk-lang-1.8.0-3.3.1">xdg-desktop-portal-gtk-lang-1.8.0-3.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="xdg-desktop-portal-lang-1.8.0-5.3.2" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Desktop Applications 15 SP2">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Desktop Applications 15 SP2:xdg-desktop-portal-lang-1.8.0-5.3.2">xdg-desktop-portal-lang-1.8.0-5.3.2 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP2</FullProductName>
    </Relationship>
  </ProductTree>
  <vuln:Vulnerability xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0.</Note>
    </Notes>
    <CVE>CVE-2021-21261</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Enterprise Module for Basesystem 15 SP2:libostree-1-1-2020.8-3.3.2</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:flatpak-1.10.2-4.6.1</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:flatpak-devel-1.10.2-4.6.1</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:flatpak-zsh-completion-1.10.2-4.6.1</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libflatpak0-1.10.2-4.6.1</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libostree-2020.8-3.3.2</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libostree-devel-2020.8-3.3.2</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:system-user-flatpak-1.10.2-4.6.1</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:typelib-1_0-Flatpak-1_0-1.10.2-4.6.1</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:typelib-1_0-OSTree-1_0-2020.8-3.3.2</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:xdg-desktop-portal-1.8.0-5.3.2</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:xdg-desktop-portal-devel-1.8.0-5.3.2</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:xdg-desktop-portal-gtk-1.8.0-3.3.1</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:xdg-desktop-portal-gtk-lang-1.8.0-3.3.1</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:xdg-desktop-portal-lang-1.8.0-5.3.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSetV2>
        <BaseScoreV2>7.2</BaseScoreV2>
        <VectorV2>AV:L/AC:L/Au:N/C:C/I:C/A:C</VectorV2>
      </ScoreSetV2>
      <ScoreSetV3>
        <BaseScoreV3>7.3</BaseScoreV3>
        <VectorV3>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N</VectorV3>
      </ScoreSetV3>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2021/suse-su-20211094-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2021-21261.html</URL>
        <Description>CVE-2021-21261</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1180996</URL>
        <Description>SUSE Bug 1180996</Description>
      </Reference>
    </References>
  </vuln:Vulnerability>
</cvrfdoc>
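The vulnerability description above (CVE-2021-21261) boils down to one design mistake: a D-Bus service on the host let a sandboxed caller choose environment variables for a host process, the `flatpak run` helper. The following Python is an added example, not flatpak's code and not the upstream patch: it shows that pattern as a vulnerable spawn helper next to a hardened one that keeps the host environment fixed and forwards caller variables only into the new sandbox through the real `flatpak run --env=NAME=VALUE` option (the same option the release notes above mention for `--env=FOO=`). `HOST_BASE_ENV`, the app ID `org.example.App` and the sample variables are constructed for the example; both functions only build the command line and host environment and execute nothing.

```python
"""Vulnerable vs. hardened forwarding of caller-chosen environment variables.

Added example (not flatpak's code and not the upstream patch): a portal-style
helper that launches a sub-sandbox with `flatpak run`. Both variants only
build the argv and the environment the host process would get; nothing is
executed, so the module runs offline.
"""
import re
from typing import Dict, List, Tuple

# Environment the host-side service itself runs with. Constructed for this
# example; the point is that it is chosen by the service, never by the caller.
HOST_BASE_ENV: Dict[str, str] = {"PATH": "/usr/bin:/bin", "LANG": "C.UTF-8"}

# Only POSIX-style names are forwarded, so a caller cannot smuggle a second
# `NAME=VALUE` pair or an option into a single `--env=` argument.
_VAR_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

Spawn = Tuple[List[str], Dict[str, str]]  # (argv, environment of the host process)


def build_spawn_vulnerable(app_id: str, argv: List[str], caller_env: Dict[str, str]) -> Spawn:
    """The pattern the advisory describes: variables picked by the sandboxed
    caller are merged into the environment of the host process that runs
    `flatpak run`, so they affect flatpak itself, not only the new sandbox."""
    host_env = dict(HOST_BASE_ENV)
    host_env.update(caller_env)          # caller now controls the host process
    return ["flatpak", "run", app_id, *argv], host_env


def build_spawn_hardened(app_id: str, argv: List[str], caller_env: Dict[str, str]) -> Spawn:
    """The host process keeps its own fixed environment; caller variables go
    through `flatpak run --env=NAME=VALUE`, which sets them inside the new
    sandbox only. Options must precede the app ID on the flatpak command line."""
    cmd = ["flatpak", "run"]
    for name in sorted(caller_env):
        value = caller_env[name]
        if not _VAR_NAME.match(name):
            raise ValueError(f"refusing environment variable name {name!r}")
        if "\0" in value:
            raise ValueError(f"NUL byte in value of {name}")
        cmd.append(f"--env={name}={value}")
    cmd += [app_id, *argv]
    return cmd, dict(HOST_BASE_ENV)


def leaked_to_host(spawn: Spawn, caller_env: Dict[str, str]) -> List[str]:
    """Caller-supplied names that ended up in the host process environment."""
    return sorted(set(caller_env) & set(spawn[1]))


if __name__ == "__main__":
    # Constructed sample: a dynamic-loader variable is the classic way a
    # controlled environment turns into code execution in an unsandboxed process.
    hostile = {"LD_PRELOAD": "/tmp/evil.so", "HOME": "/tmp"}
    for build in (build_spawn_vulnerable, build_spawn_hardened):
        spawn = build("org.example.App", ["--url", "https://example.org/"], hostile)
        print(build.__name__, "leaked to host:", leaked_to_host(spawn, hostile))
        print("   ", " ".join(spawn[0]))
```

The hardened variant still lets the caller set anything inside its own sub-sandbox, which is the intended feature; what it removes is any influence over the process that builds the sandbox. The workaround named in the description (masking the `flatpak-portal` service) removes the feature entirely, which is why the advisory prefers the package update.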
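The ProductTree and the `Status Type="Fixed"` list above are what an operator needs to machine-check a fleet: each ProductID is `<product>:<name>-<version>-<release>`, and a host is covered once the installed build is that NVR or newer. The script below is an added example, not SUSE tooling: it pulls the fixed packages per CVE out of a CVRF document and compares them with installed NVRs. The embedded XML is a constructed, cut-down copy of this advisory, and `rpm_vercmp` is a simplified reimplementation of rpm's version comparison (digit and alpha runs only; no epoch, tilde or caret handling) so the check runs without rpm present.

```python
"""Extract Fixed packages from a CVRF advisory and compare with installed NVRs.

Added example, not SUSE tooling. SAMPLE_CVRF is a constructed excerpt of
SUSE-SU-2021:1094-1; rpm_vercmp is a simplified rpm version comparison.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

NS = {
    "cvrf": "http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf",
    "vuln": "http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln",
}

# Constructed excerpt of the advisory above (same namespaces, three of the ProductIDs).
SAMPLE_CVRF = """<cvrfdoc xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf"
         xmlns:vuln="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln">
  <DocumentTracking><Identification><ID>SUSE-SU-2021:1094-1</ID></Identification></DocumentTracking>
  <vuln:Vulnerability Ordinal="1">
    <vuln:CVE>CVE-2021-21261</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Fixed">
        <vuln:ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:flatpak-1.10.2-4.6.1</vuln:ProductID>
        <vuln:ProductID>SUSE Linux Enterprise Module for Desktop Applications 15 SP2:libflatpak0-1.10.2-4.6.1</vuln:ProductID>
        <vuln:ProductID>SUSE Linux Enterprise Module for Basesystem 15 SP2:libostree-1-1-2020.8-3.3.2</vuln:ProductID>
      </vuln:Status>
    </vuln:ProductStatuses>
  </vuln:Vulnerability>
</cvrfdoc>
"""


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """'libostree-1-1-2020.8-3.3.2' -> ('libostree-1-1', '2020.8', '3.3.2');
    version and release never contain '-', so split from the right."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def fixed_packages(xml_text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Map CVE -> {package name: (version, release)} from Status Type='Fixed'."""
    root = ET.fromstring(xml_text)
    result: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for vulnerability in root.findall("vuln:Vulnerability", NS):
        cve = vulnerability.findtext("vuln:CVE", namespaces=NS)
        pkgs = result.setdefault(cve, {})
        path = "vuln:ProductStatuses/vuln:Status[@Type='Fixed']/vuln:ProductID"
        for pid in vulnerability.findall(path, NS):
            _product, _, nvr = pid.text.partition(":")   # product names hold no ':'
            name, version, release = split_nvr(nvr)
            pkgs[name] = (version, release)
    return result


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare digit/alpha runs left to right, numeric
    runs as integers (so 10 > 9) and numeric beats alpha; if all shared runs
    are equal the string with more runs is newer. Returns -1, 0 or 1."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(installed_nvr: str, fixed: Dict[str, Tuple[str, str]]) -> Optional[bool]:
    """True if the installed build is the fixed NVR or newer, False if older,
    None if the advisory does not name that package at all."""
    name, version, release = split_nvr(installed_nvr)
    if name not in fixed:
        return None
    fixed_version, fixed_release = fixed[name]
    verdict = rpm_vercmp(version, fixed_version) or rpm_vercmp(release, fixed_release)
    return verdict >= 0


if __name__ == "__main__":
    fixed = fixed_packages(SAMPLE_CVRF)["CVE-2021-21261"]
    # Constructed installed set; on a real host feed in the output of
    # rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' flatpak libflatpak0 libostree-1-1
    for nvr in ("flatpak-1.10.1-3.2.1", "flatpak-1.10.2-4.6.1", "libostree-1-1-2020.8-3.3.2"):
        print(nvr, "fixed" if is_fixed(nvr, fixed) else "VULNERABLE")
```

The comparison deliberately stops at version and release because that is all the ProductIDs in this advisory carry; a production checker should run `rpm --eval` or `rpmdev-vercmp` against the full EVR, and the authoritative fix remains the `zypper patch` named in the Remediation above.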
