[Pkg-utopia-maintainers] Bug#1033160: bullseye-pu: package flatpak/1.10.8-0+deb11u1

Simon McVittie smcv at debian.org
Sat Mar 18 16:20:50 GMT 2023


Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: flatpak at packages.debian.org
Control: affects -1 + src:flatpak

[ Reason ]
New upstream stable release fixing a security issue.

[ Impact ]
The same two CVEs that were fixed in 1.14.4-1 (#1033078), which the
security team have indicated are not going to get a DSA:

CVE-2023-28101: A malicious Flatpak app could prevent the flatpak(1) CLI
from displaying its permissions as intended, by having crafted permissions
or other metadata containing terminal escape sequences or other special
characters. (#1033098)

CVE-2023-28100: A malicious Flatpak app could execute code outside the
sandbox if run from a Linux virtual console. (#1033099)

Additionally, the new upstream stable release has some other bug fixes
backported from 1.12.x and 1.14.x for:
- temporary directories not being cleaned up if an upgrade is cancelled,
  in particular if it's blocked by parental controls (libmalcontent);
- the `flatpak history` command, which didn't previously work in bullseye;
- a build bug fix which isn't directly relevant to bullseye, but was
  necessary to get the upstream release out, and is harmless in bullseye.

[ Tests ]
The automated test suite is run at build-time and by autopkgtest,
and still passes. It includes tests for the two CVE issues and the
`flatpak history` fixes. Coverage on buildds and lxc is not great,
because we're unable to actually run Flatpak apps in that environment,
but I ran the autopkgtest in autopkgtest-virt-qemu before upload (which
does get full coverage) and that also passes.

The new upstream stable release also adds unit test coverage for the
seccomp filter changes in previous security updates (CVE-2021-41133,
etc.), which were previously backported without automated tests.

A manual smoke-test on my partner's Debian 11 system was successful.

[ Risks ]
The security fixes are new, but are narrowly-targeted and seem rather safe.

The other changes have been in testing/unstable and in bullseye-backports
for a long time without regression reports.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The attached debdiff has been filtered to remove Autotools noise. The
diffstat is unfiltered.

* app/flatpak-builtins-info.c, app/flatpak-builtins-remote-info.c,
  app/flatpak-cli-transaction.c, common/flatpak-context.c,
  common/flatpak-utils.c, common/flatpak-utils-private.h: CVE-2023-28101

* common/flatpak-run.c: CVE-2023-28100

* configure.ac, Makefile.am: unrelated bug fix for ability to compile with
  newer gpgme (unnecessary for bullseye, but necessary to get the
  upstream release out)

* app/flatpak-builtins-history.c, app/flatpak-main.c: unrelated bug fixes
  for `flatpak history` backported from the version in testing/unstable

* common/flatpak-dir.c: unrelated bug fix for a temporary directory not
  being cleaned up if an upgrade is cancelled

* tests: Test coverage for CVE-2023-28101, CVE-2023-28100, previous
  CVE fixes, and the history bugfix
-------------- next part --------------
A non-text attachment was scrubbed...
Name: flatpak_1.10.8-0+deb11u1.diff
Type: text/x-diff
Size: 56477 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20230318/b0c9ae58/attachment-0001.diff>
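The CVE-2023-28101 entry above describes the general hazard of printing attacker-controlled metadata (permissions, app names) to a terminal without neutralising control characters. The following is an added illustration of that mitigation, not code from Flatpak or from this upload: a small C routine that rewrites C0 control bytes, DEL and the escape notation's own backslash into a visible `\xNN` / `\\` form before display, plus a predicate a CLI could use to decide whether a string needs escaping at all. The function names, the exact escape notation and the constructed sample string are assumptions made for this example; they are not Flatpak's API or its actual output format.

```c
/* Added example (not Flatpak's own code): make untrusted metadata safe to
 * write to a terminal so that embedded control sequences cannot change what
 * the user sees. Only single-byte controls are handled; C1 controls encoded
 * as UTF-8 (U+0080..U+009F) and other Unicode rendering tricks are out of
 * scope here and would need a UTF-8-aware pass. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if the string contains no byte a terminal would interpret
 * (C0 controls 0x00..0x1f or DEL 0x7f), 0 otherwise. */
int is_terminal_safe(const char *s)
{
    for (const unsigned char *c = (const unsigned char *)s; *c != '\0'; c++) {
        if (*c < 0x20 || *c == 0x7f)
            return 0;
    }
    return 1;
}

/* Return a newly allocated copy of s in which every C0 control byte and DEL
 * is replaced by "\xNN" and every literal backslash by "\\", so the escaped
 * form is unambiguous and contains nothing a terminal acts on.
 * Caller frees the result; returns NULL on allocation failure. */
char *escape_for_terminal(const char *s)
{
    size_t len = strlen(s);
    /* Worst case: every input byte expands to four output bytes ("\xNN"). */
    char *out = malloc(len * 4 + 1);
    if (out == NULL)
        return NULL;

    char *p = out;
    for (const unsigned char *c = (const unsigned char *)s; *c != '\0'; c++) {
        if (*c == '\\') {
            *p++ = '\\';
            *p++ = '\\';
        } else if (*c < 0x20 || *c == 0x7f) {
            p += sprintf(p, "\\x%02x", *c);   /* always writes 4 bytes */
        } else {
            *p++ = (char)*c;                  /* printable ASCII and UTF-8 pass through */
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample (not from any real app): a permission string that
     * embeds ESC [ 2 K, the "erase line" sequence, so that a naive
     * printf("%s") would overwrite part of what was already shown. */
    const char *crafted = "--filesystem=home\x1b[2K--share=network";
    char *escaped = escape_for_terminal(crafted);
    if (escaped == NULL)
        return 1;

    printf("safe to print as-is: %s\n", is_terminal_safe(crafted) ? "yes" : "no");
    printf("escaped form:        %s\n", escaped);
    free(escaped);
    return 0;
}
```

The shape of the check matters more than the notation: the CLI decides on the raw bytes (`is_terminal_safe`) and never hands an unescaped untrusted string to the terminal, rather than trying to recognise specific dangerous sequences, which is the approach that leaves gaps.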

