[Pkg-utopia-maintainers] Bug#865413: flatpak: Flatpak security issue #845 involving setuid/world-writable files

Salvatore Bonaccorso carnil at debian.org
Wed Jun 21 16:52:25 UTC 2017


Control: retitle flatpak: CVE-2017-9780: Flatpak security issue #845 involving setuid/world-writable files

Hi Simon,

On Wed, Jun 21, 2017 at 09:46:21AM +0100, Simon McVittie wrote:
> Package: flatpak
> Version: 0.8.5-2
> Severity: critical
> Tags: security fixed-upstream
> Forwarded: https://github.com/flatpak/flatpak/issues/845
> Justification: potentially (in worst case) root security hole
> 
> The Flatpak developers recently released version 0.8.7 fixing a security
> issue. A third-party app repository could include malicious apps that
> contain files with inappropriate permissions, for example setuid or
> world-writable. Older Flatpak versions would deploy the files with those
> permissions, which would let a local attacker run the setuid executable
> or write to the world-writable location.
> 
> In the case of the "system helper", files deployed as part of the app
> are owned by root, so in the worst case they could be setuid root.
> 
> Mitigations:
> * If you are running apps from a third party already, then there is
>   already a trust relationship (the app is sandboxed, but the sandbox
>   is not very strict in practice, and the third-party vendor chooses
>   what permissions the app will have)
> * The default polkit policies will not allow apps to be installed
>   system-wide unless a privileged (root-equivalent) user has added
>   the third-party app repository, which indicates that the privileged
>   user trusts the operator of that repository
> * The attacker exploiting the wrong permissions needs to be local
> 
> It seems that upstream consider this to be a minor security issue due
> to those mitigations.

I requested a CVE for this issue, and it got assigned CVE-2017-9780.
Since you are more into the source package, can you do a post to
oss-security so others are informed as well (in case it is not already
known anyway)?

Regards,
Salvatore
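As an added example (not from the bug report, and not Flatpak's own code): a small Python check, in the spirit of the upstream fix, that walks a deployed app tree and reports files carrying the setuid, setgid or world-writable bits described above. The tree it scans is constructed in a temporary directory; paths and modes are made up for the demonstration.

```python
import os
import stat
import tempfile


def classify_mode(mode):
    """Return the permission problems found in a raw st_mode value."""
    problems = []
    if mode & stat.S_ISUID:
        problems.append("setuid")
    if mode & stat.S_ISGID:
        problems.append("setgid")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def find_unsafe_files(root):
    """Walk root (e.g. a deployed app's files/ tree) and list entries whose
    own permissions are inappropriate. Symlinks are skipped: their target's
    mode is what matters, and it is checked when the walk reaches it."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            problems = classify_mode(st.st_mode)
            if problems:
                findings.append((os.path.relpath(path, root), problems))
    return sorted(findings)


def demo_tree():
    """Build a constructed sample app tree, scan it and return the findings."""
    sample = {
        "files/bin/helper": 0o4755,  # setuid: root-owned in the system case
        "files/bin/ok": 0o755,       # ordinary executable, not reported
        "files/share/data": 0o666,   # world-writable data file
    }
    with tempfile.TemporaryDirectory(prefix="flatpak-check-") as root:
        for rel, mode in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
            os.chmod(path, mode)  # chmod ignores the umask, so bits stick
        return find_unsafe_files(root)


if __name__ == "__main__":
    for rel, problems in demo_tree():
        print(rel, ", ".join(problems))
```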
