
Security: Arbitrary command execution in flatpak
Name: Arbitrary command execution in flatpak
ID: SUSE-SU-2021:1094-1
Distribution: SUSE
Platforms: SUSE Linux Enterprise Module for Desktop Applications 15-SP2, SUSE Linux Enterprise Module for Basesystem 15-SP2
Date: Wed, 7 April 2021, 23:15
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21261
Applications: Flatpak

Original message


SUSE Security Update: Security update for flatpak, libostree,
xdg-desktop-portal, xdg-desktop-portal-gtk
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1094-1
Rating: important
References: #1133120 #1133124 #1175899 #1180996 SLE-7171

Cross-References: CVE-2021-21261
CVSS scores:
CVE-2021-21261 (NVD) : 8.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-21261 (SUSE): 7.3
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Affected Products:
SUSE Linux Enterprise Module for Desktop Applications 15-SP2
SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that solves one vulnerability, contains one
feature and has three fixes is now available.

Description:

This update for flatpak, libostree, xdg-desktop-portal,
xdg-desktop-portal-gtk fixes the following issues:

libostree:

Update to version 2020.8

- Enable LTO. (bsc#1133120)

- This update contains scalability improvements and bugfixes.
- Caching-related HTTP headers are now supported on summaries and
signatures, so that they do not have to be re-downloaded if not changed
in the meanwhile.
- Summaries and delta have been reworked to allow more fine-grained
fetching.
- Fixes several bugs related to atomic variables, HTTP timeouts, and
32-bit architectures.
- Static deltas can now be signed to more easily support offline
verification.
- There's now support for multiple initramfs images; it is possible to
have a "main" initramfs image and a secondary one which represents local
configuration.
- The documentation is now moved to https://ostreedev.github.io/ostree/
- Fix for an assertion failure when upgrading from systems before ostree
supported devicetree.
- ostree no longer hardlinks zero sized files to avoid hitting filesystem
maximum link counts.
- ostree now supports `/` and `/boot` being on the same filesystem.
- Improvements to the GObject Introspection metadata, some (cosmetic)
static analyzer fixes, a fix for the immutable bit on s390x, dropping a
deprecated bit in the systemd unit file.
- Fix a regression in 2020.4 where the "readonly sysroot" changes
incorrectly left the sysroot read-only on systems that started out with a
read-only `/` (most of them, e.g. Fedora Silverblue/IoT at least).
- The default dracut config now enables reproducibility.
- There is a new `ostree admin unlock --transient`. This should be a
foundation for further support for "live" updates.
- New `ed25519` signing support, powered by `libsodium`.
- `ostree commit` gained a new `--base` argument, which significantly
simplifies constructing "derived" commits, particularly for systems
using SELinux.
- Handling of the read-only sysroot was reimplemented to run in the
initramfs and be more reliable. Enabling the `readonly=true` flag in the
repo config is recommended.
- Several fixes in locking for the temporary "staging" directories OSTree
creates, particularly on NFS.
- A new `timestamp-check-from-rev` option was added for pulls, which makes
downgrade protection more reliable and will be used by Fedora CoreOS.
- Several fixes and enhancements made for "collection" pulls including a
new `--mirror` option.
- The `ostree commit` command learned a new `--mode-ro-executables` which
enforces `W^R` semantics on all executables.
- Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE`
to help standardize the architecture of the OSTree commit. This could be
used on the client side for example to sanity-check that the commit
matches the architecture of the machine before deploying.
- Stop invalid usage of `%_libexecdir`:
+ Use `%{_prefix}/lib` where appropriate.
+ Use `_systemdgeneratordir` for the systemd-generators.
+ Define `_dracutmodulesdir` based on `dracut.pc`. Add
BuildRequires(dracut) for this to work.

xdg-desktop-portal:

Update to version 1.8.0:

- Ensure systemd rpm macros are called at install/uninstall times for
systemd user services.
- Add BuildRequires on systemd-rpm-macros.
- openuri:
- Allow skipping the chooser for more URL types
- Robustness fixes
- filechooser:
- Return the current filter
- Add a "directory" option
- Document the "writable" option
- camera:
- Make the client node visible
- Don't leak pipewire proxy
- Fix file descriptor leaks
- Testsuite improvements
- Updated translations.
- document:
- Reduce the use of open fds
- Add more tests and fix issues they found
- Expose directories with their proper name
- Support exporting directories
- New fuse implementation
- background: Avoid a segfault
- screencast: Require pipewire 0.3
- Better support for snap and toolbox
- Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the
binary. (bsc#1175899) Without it, files or dirs can be selected, but
whatever is done with or in them will not have any effect.
- Fixes for `%_libexecdir` changing to `/usr/libexec`

xdg-desktop-portal-gtk:

Update to version 1.8.0:

- filechooser:
- Return the current filter
- Handle the "directory" option to select directories
- Only show preview when we have an image
- screenshot: Fix cancellation
- appchooser: Avoid a crash
- wallpaper:
- Properly preview placement settings
- Drop the lockscreen option
- printing: Improve the notification
- Updated translations.
- settings: Fall back to gsettings for enable-animations
- screencast: Support version 3 of the Mutter screencast API (new PipeWire API version 3).

flatpak:

- Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)

- This is a security update which fixes a potential attack where a
flatpak application could use a custom-formatted `.desktop` file to gain
access to files on the host system.
- Fix memory leaks
- Documentation and translations updates
- Spawn portal better handles non-utf8 filenames
- Fix flatpak build on systems with setuid bwrap
- Fix crash on updating apps with no deploy data
- Remove deprecated texinfo packaging macros.
- Support for the new repo format which should make updates faster and
download less data.
- The systemd generator snippets now call flatpak `--print-updated-env` in
place of a bunch of shell for better login performance.
- The `.profile` snippets now disable GVfs when calling flatpak to avoid
spawning a gvfs daemon when logging in via ssh.
- Flatpak now finds the pulseaudio sockets better in uncommon
configurations.
- Sandboxes with network access now also have access to the
`systemd-resolved` socket for DNS lookups.
- Flatpak supports unsetting environment variables in the sandbox using
`--unset-env`, and `--env=FOO=` now sets FOO to the empty string instead
of unsetting it.
- The spawn portal now has an option to share the pid namespace with the
sub-sandbox.
- This security update fixes a sandbox escape where a malicious
application can execute code outside the sandbox by controlling the
environment of the "flatpak run" command when spawning a sub-sandbox
(bsc#1180996, CVE-2021-21261)
- Fix support for ppc64.
- Move flatpak-bisect and flatpak-coredumpctl to the devel subpackage,
which allows the python3 dependency to be dropped from the main package.
- Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124)
- Fixed progress reporting for OCI and extra-data.
- The in-memory summary cache is more efficient.
- Fixed authentication getting stuck in a loop in some cases.
- Fixed authentication error reporting.
- Extract OCI info for runtimes as well as apps.
- Fixed crash if anonymous authentication fails and `-y` is specified.
- flatpak info now only looks at the specified installation if one is
specified.
- Better error reporting for server HTTP errors during download.
- Uninstall now removes applications before the runtime it depends on.
- Avoid updating metadata from the remote when uninstalling.
- FlatpakTransaction now verifies all passed in refs to avoid.
- Added validation of collection id settings for remotes.
- Fix seccomp filters on s390.
- Robustness fixes to the spawn portal.
- Fix support for masking update in the system installation.
- Better support for distros with uncommon models of merged `/usr`.
- Cache responses from localed/AccountService.
- Fix hangs in cases where `xdg-dbus-proxy` fails to start.
- Fix double-free in cups socket detection.
- OCI authenticator now doesn't ask for auth in case of http errors.
- Fix invalid usage of `%{_libexecdir}` to reference systemd directories.
- Fixes for `%_libexecdir` changing to `/usr/libexec`
- Avoid calling authenticator in update if ref didn't change
- Don't fail transaction if ref is already installed (after transaction
start)
- Fix flatpak run handling of userns in the `--device=all` case
- Fix handling of extensions from different remotes
- Fix flatpak run `--no-session-bus`
- `FlatpakTransaction` has a new signal `install-authenticator` which
clients can handle to install authenticators needed for the transaction.
This is done in the CLI commands.
- Now the host timezone data is always exposed, fixing several apps that
had timezone issues.
- There's a new systemd unit (not installed by default) to automatically
detect plugged in usb sticks with sideload repos.
- By default the `gdm env.d` file is no longer installed because the
systemd generators work better.
- `create-usb` now exports partial commits by default
- Fix handling of docker media types in oci remotes
- Fix subjects in `remote-info --log` output
- This release is also able to host flatpak images on e.g. docker hub.


Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:

zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1094=1

- SUSE Linux Enterprise Module for Basesystem 15-SP2:

zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1094=1



Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

flatpak-1.10.2-4.6.1
flatpak-debuginfo-1.10.2-4.6.1
flatpak-debugsource-1.10.2-4.6.1
flatpak-devel-1.10.2-4.6.1
flatpak-zsh-completion-1.10.2-4.6.1
libflatpak0-1.10.2-4.6.1
libflatpak0-debuginfo-1.10.2-4.6.1
libostree-2020.8-3.3.2
libostree-debuginfo-2020.8-3.3.2
libostree-debugsource-2020.8-3.3.2
libostree-devel-2020.8-3.3.2
system-user-flatpak-1.10.2-4.6.1
typelib-1_0-Flatpak-1_0-1.10.2-4.6.1
typelib-1_0-OSTree-1_0-2020.8-3.3.2
xdg-desktop-portal-1.8.0-5.3.2
xdg-desktop-portal-debuginfo-1.8.0-5.3.2
xdg-desktop-portal-debugsource-1.8.0-5.3.2
xdg-desktop-portal-devel-1.8.0-5.3.2
xdg-desktop-portal-gtk-1.8.0-3.3.1
xdg-desktop-portal-gtk-debuginfo-1.8.0-3.3.1
xdg-desktop-portal-gtk-debugsource-1.8.0-3.3.1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (noarch):

xdg-desktop-portal-gtk-lang-1.8.0-3.3.1
xdg-desktop-portal-lang-1.8.0-5.3.2

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

libostree-1-1-2020.8-3.3.2
libostree-1-1-debuginfo-2020.8-3.3.2
libostree-debuginfo-2020.8-3.3.2
libostree-debugsource-2020.8-3.3.2
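A practical follow-up to the package list is verifying that a host really carries the fixed builds rather than trusting that the patch ran. The script below is an added example, not a SUSE tool: it compares lines from `rpm -q` against the VERSION-RELEASE strings copied from the list above. The sample `rpm -q` lines at the bottom are constructed, not captured from a real host, and the script assumes GNU `sort -V` for version ordering.

```shell
#!/bin/sh
# Added example (not from the advisory): check installed package versions
# against the fixed VERSION-RELEASE strings in SUSE-SU-2021:1094-1.
# Feed it lines from:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' flatpak libostree \
#       xdg-desktop-portal xdg-desktop-portal-gtk
# Assumption: GNU sort (-V) is available. The sample lines at the bottom
# are constructed, not captured from a real host.

# Fixed versions taken from the advisory's package list.
FIXED_FLATPAK="1.10.2-4.6.1"
FIXED_LIBOSTREE="2020.8-3.3.2"
FIXED_XDP="1.8.0-5.3.2"
FIXED_XDPGTK="1.8.0-3.3.1"

# fixed_version NAME: print the fixed VERSION-RELEASE for a package the
# advisory ships; prints nothing for packages it does not cover.
fixed_version() {
    case "$1" in
        flatpak|flatpak-devel|flatpak-zsh-completion|libflatpak0|system-user-flatpak)
            printf '%s\n' "$FIXED_FLATPAK" ;;
        libostree|libostree-1-1|libostree-devel)
            printf '%s\n' "$FIXED_LIBOSTREE" ;;
        xdg-desktop-portal|xdg-desktop-portal-devel)
            printf '%s\n' "$FIXED_XDP" ;;
        xdg-desktop-portal-gtk)
            printf '%s\n' "$FIXED_XDPGTK" ;;
    esac
}

# version_ge INSTALLED FIXED: true when INSTALLED sorts at or after FIXED
# in GNU version order (sort -V), i.e. the host is at or past the fix.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | tail -n 1)" = "$1" ]
}

# check_line LINE: LINE is one line of rpm -q output. Returns 0 when the
# package is at or past the fixed version, 1 when it is older (vulnerable),
# 2 when rpm reports it as not installed, 3 when the advisory does not
# cover it. Prints a one-line verdict.
check_line() {
    case "$1" in
        "package "*" is not installed")
            echo "skip: $1"; return 2 ;;
    esac
    name=${1%% *}
    verrel=${1#* }
    fixed=$(fixed_version "$name")
    if [ -z "$fixed" ]; then
        echo "skip: $name not covered by this advisory"; return 3
    fi
    if version_ge "$verrel" "$fixed"; then
        echo "ok: $name $verrel (fixed in $fixed)"; return 0
    fi
    echo "VULNERABLE: $name $verrel is older than $fixed"; return 1
}

# check_host LINE...: run check_line over every line; returns 1 if any
# covered package is still older than its fixed version, else 0.
check_host() {
    vulnerable=0
    for l in "$@"; do
        status=0
        check_line "$l" || status=$?
        if [ "$status" -eq 1 ]; then
            vulnerable=1
        fi
    done
    return "$vulnerable"
}

# Constructed sample of a partially patched host (flatpak updated,
# libostree still on an older build, portal-gtk absent).
if check_host \
    "flatpak 1.10.2-4.6.1" \
    "libostree 2020.7-1.2" \
    "xdg-desktop-portal 1.8.0-5.3.2" \
    "package xdg-desktop-portal-gtk is not installed"
then
    echo "all covered packages carry SUSE-SU-2021:1094-1"
else
    echo "run: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1094=1"
fi
```

`sort -V` agrees with rpm's ordering for plain numeric version-release strings like the ones in this advisory, but it does not know rpm-specific rules such as epochs or `~` pre-release markers; on a SUSE host, `zypper versioncmp` gives the authoritative comparison if the strings get more exotic.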


References:

https://www.suse.com/security/cve/CVE-2021-21261.html
https://bugzilla.suse.com/1133120
https://bugzilla.suse.com/1133124
https://bugzilla.suse.com/1175899
https://bugzilla.suse.com/1180996