[Pkg-utopia-maintainers] Bug#922059: flatpak: vulnerability similar to runc CVE-2019-5736 involving /proc/self/exe

Simon McVittie smcv at debian.org
Mon Feb 11 16:10:07 GMT 2019


Package: flatpak
Version: 1.2.2-1
Severity: critical
Tags: security upstream patch
Justification: root security hole (?)
Control: found -1 1.2.0-1~bpo9+1
Control: found -1 0.8.9-0+deb9u1
Control: found -1 0.8.9-0+deb9u1~bpo8+1
Control: found -1 0.8.5-2+deb9u1

Flatpak upstream releases 1.2.3 and 1.0.7 fix a vulnerability similar to
runc vulnerability CVE-2019-5736. If a user installs a system-wide Flatpak
app or runtime that has an 'apply_extra' script, then the apply_extra
script is run in a sandbox, as root, with /proc mounted. A malicious app
or runtime could traverse /proc/self/exe to modify a host-side executable.

It is not completely clear to me *which* host-side executable. To be on
the safe side, I'm assuming that it's something that could lead to an
unsandboxed privilege escalation vulnerability. I don't currently have an
exploit that can be used to demonstrate this vulnerability.

Mitigation: the app or runtime would have to come from a trusted Flatpak
repository (such as Flathub) that was previously added as a system-wide
source of Flatpak apps by a root-equivalent user.

(Non-malicious apply_extra scripts are normally used to process "extra
data" files that had to be downloaded out-of-band, such as the archives
containing the proprietary Nvidia graphics drivers, which the Flathub
maintainers do not believe they are allowed to redistribute directly.)

For buster/sid, I'm preparing a 1.2.3-1 release that will fix this.

For stretch, 0.8.5 and 0.8.9 appear to be vulnerable. I don't think
upstream plan to release a 0.8.10 version, but the patch doesn't seem
difficult to backport (untested patch attached).

Do the security team want to issue a DSA for this, or should I be targeting
the next stretch point release?

References:
https://lists.freedesktop.org/archives/flatpak/2019-February/001476.html
https://github.com/flatpak/flatpak/releases/tag/1.2.3
https://lists.freedesktop.org/archives/flatpak/2019-February/001477.html
https://github.com/flatpak/flatpak/releases/tag/1.0.7

Thanks,
    smcv
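The report above describes a sandbox that is only dangerous because a proc filesystem is visible inside it while the apply_extra script runs as root. The following Python script is an added example, not code from this bug report or from Flatpak: it parses the Linux /proc/<pid>/mountinfo format (as documented in proc(5)) and flags any mount of filesystem type `proc`, which is the audit a packager or sysadmin would want when checking whether a privileged helper sandbox exposes /proc at all. The function names and both sample mount tables are constructed for illustration; they are not captured from a real Flatpak run.

```python
"""Audit helper: does a sandbox mount namespace expose procfs?

Added example, not part of the bug report or of Flatpak. The mountinfo
layout parsed here is the real one from proc(5); the sample tables and
the function names are constructed for this illustration.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# mountinfo escapes space, tab, newline and backslash as \040, \011, \012, \134
_OCTAL = re.compile(r"\\([0-7]{3})")


def decode_octal(field: str) -> str:
    """Undo the octal escaping used for path fields in mountinfo."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


@dataclass
class Mount:
    mount_point: str
    fs_type: str
    options: str


def parse_mountinfo(text: str) -> List[Mount]:
    """Parse mountinfo lines.

    Layout (proc(5)): mount ID, parent ID, major:minor, root, mount point,
    mount options, optional fields..., ' - ', fs type, source, super options.
    The ' - ' separator is what makes the variable-length optional fields safe
    to skip.
    """
    mounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head, sep, tail = line.partition(" - ")
        if not sep:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        head_fields = head.split()
        tail_fields = tail.split()
        if len(head_fields) < 6 or len(tail_fields) < 2:
            raise ValueError(f"too few fields in mountinfo line: {line!r}")
        mounts.append(Mount(mount_point=decode_octal(head_fields[4]),
                            fs_type=tail_fields[0],
                            options=head_fields[5]))
    return mounts


def proc_mounts(text: str) -> List[str]:
    """Mount points at which a procfs instance is visible in this namespace."""
    return [m.mount_point for m in parse_mountinfo(text) if m.fs_type == "proc"]


def proc_exposed(text: str) -> bool:
    """True if any procfs is mounted; /proc/self/exe is then reachable
    regardless of mount options, since it is a magic symlink, not a file."""
    return bool(proc_mounts(text))


def audit_pid(pid: int) -> bool:
    """Inspect a live process's mount namespace (Linux only)."""
    with open(f"/proc/{pid}/mountinfo", encoding="utf-8") as fh:
        return proc_exposed(fh.read())


# Constructed sample: a helper sandbox that still mounts procfs.
VULNERABLE_SANDBOX = """\
100 99 0:50 / / rw,relatime - tmpfs tmpfs rw
101 100 0:51 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
102 100 0:52 / /usr ro,relatime - overlay overlay ro
103 100 0:53 / /app/extra rw,relatime - tmpfs tmpfs rw
"""

# Constructed sample: the same sandbox with no procfs mounted.
FIXED_SANDBOX = """\
100 99 0:50 / / rw,relatime - tmpfs tmpfs rw
102 100 0:52 / /usr ro,relatime - overlay overlay ro
103 100 0:53 / /app/extra rw,relatime - tmpfs tmpfs rw
"""

if __name__ == "__main__":
    for name, table in (("vulnerable", VULNERABLE_SANDBOX), ("fixed", FIXED_SANDBOX)):
        print(f"{name}: procfs at {proc_mounts(table) or 'none'}")
    if len(sys.argv) > 1:
        pid = int(sys.argv[1])
        print(f"pid {pid}: procfs exposed = {audit_pid(pid)}")
```

Run it with no arguments to see the two constructed tables classified, or with a PID to audit a live process's mount namespace; on a vulnerable build one would point it at the bwrap child spawned for apply_extra. The check deliberately ignores mount options: a read-only or noexec procfs does not help, because /proc/self/exe is a kernel symlink to the running binary rather than a file under that mount.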
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Don-t-expose-proc-when-running-apply_extra.patch
Type: text/x-diff
Size: 2450 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20190211/86cb4753/attachment.patch>