[Pkg-utopia-maintainers] Bug#1069285: trixie-pu: package flatpak/1.14.6-1~deb13u1

Simon McVittie smcv at debian.org
Fri Apr 19 11:49:11 BST 2024


Package: release.debian.org
Severity: normal
Tags: trixie
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: flatpak at packages.debian.org
Control: affects -1 + src:flatpak

[ Reason ]
Fix CVE-2024-32462, a sandbox escape vulnerability, without having to
wait for the whole 64-bit time_t transition.

[ Impact ]
If not fixed, malicious or compromised Flatpak apps can execute arbitrary
code on the host system. (Severity: grave)

The new upstream release also fixes one high-visibility non-security bug:
after some infrastructure changes on Flathub, the flatpak(1) CLI currently
mis-displays apps' developer names as though they were the name of the app,
for example showing org.chromium.Chromium as "The Chromium Authors" instead
of the correct "Chromium Web Browser". The proposed version corrects this.
(Severity: important)

[ Tests ]
Flatpak has a rather large test suite, which still passes. Unfortunately,
most tests have to be skipped when running under schroot or lxc because
those frameworks don't allow creating a nested user namespace, but I do
run the autopkgtest suite under autopkgtest-virt-qemu before uploading.

There is new automated test coverage for CVE-2024-32462 and for the
mis-display of app names.

I'll do a smoke-test on a trixie GNOME VM (install an app, run an app,
and verify that CVE-2024-32462 is fixed) before uploading.

[ Risks ]
Low risk, targeted changes only.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing
  [x] the issue is verified as fixed in unstable

[ Changes ]
Lightly filtered debdiff attached.

* app/flatpak-builtins-build.c,
  common/flatpak-run.c:
  Fix CVE-2024-32462

* common/flatpak-appdata.c:
  Fix the developer name bug described above

* common/flatpak-version-macros.h,
  configure,
  configure.ac,
  NEWS,
  tests/package_version.txt:
  New upstream version

* debian/control:
  Change real|transitional dependencies to real package name only

* doc/reference/html/*.html:
  Regenerated for the new upstream release (and re-regenerated during build)
  Filtered from debdiff

* ltmain.sh:
  The new upstream release was generated on Debian 12 rather than on
  testing/unstable (normally I would filter this out of the debdiff,
  but I'm being extra-vigilant right now after the discovery of the
  xz backdoor). This file is deleted and re-created during build anyway.

* po/flatpak.pot,
  po/*.po:
  Regenerated for the new upstream release (different line numbering)
  Filtered from debdiff

* tests/make-test-app.sh,
  tests/test-info.sh:
  Regression test for the developer name bug

* tests/test-run.sh:
  Regression test for CVE-2024-32462
-------------- next part --------------
A non-text attachment was scrubbed...
Name: flatpak_1.14.6-1~deb13u1.diff
Type: text/x-diff
Size: 19620 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20240419/87034f52/attachment-0001.diff>

