
Bug#925569: stretch-pu: package flatpak/0.8.9-0+deb9u3
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

I've prepared a flatpak update for stable to fix CVE-2019-10063 in
the next point release. The security team told me they don't intend to
release a DSA for this.

May I upload?

I've uploaded 1.2.3-2 to unstable to fix the same thing, although I'm
hoping to replace it with a new upstream release.

Thanks,
    smcv

diffstat for flatpak-0.8.9 flatpak-0.8.9

 changelog                                                               |   11 +++
 patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch |   32 ++++++++++
 patches/series                                                          |    1 
 3 files changed, 43 insertions(+), 1 deletion(-)

diff -Nru flatpak-0.8.9/debian/changelog flatpak-0.8.9/debian/changelog
--- flatpak-0.8.9/debian/changelog	2019-02-11 21:13:02.000000000 +0000
+++ flatpak-0.8.9/debian/changelog	2019-03-26 21:11:16.000000000 +0000
@@ -1,10 +1,19 @@
+flatpak (0.8.9-0+deb9u3) stretch; urgency=medium
+
+  * d/p/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch:
+    Reject all ioctls that the kernel will interpret as TIOCSTI,
+    including those where the high 32 bits in a 64-bit word are nonzero.
+    (Closes: #925541, CVE-2019-10063)
+
+ -- Simon McVittie <smcv@debian.org>  Tue, 26 Mar 2019 21:11:16 +0000
+
 flatpak (0.8.9-0+deb9u2) stretch-security; urgency=medium
 
   * d/p/Don-t-expose-proc-when-running-apply_extra.patch:
     Backport patch from upstream v1.2.3: do not let the apply_extra
     script for a system installation modify the host-side executable
     via /proc/self/exe, similar to CVE-2019-5736 in runc
-    (Closes: #922059)
+    (Closes: #922059; CVE-2019-8308)
 
  -- Simon McVittie <smcv@debian.org>  Mon, 11 Feb 2019 21:13:02 +0000
 
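Review bot: the already-released 0.8.9-0+deb9u2 stanza is edited in place (its Closes line gains `CVE-2019-8308`); the annotation is useful, but it silently alters a published changelog entry, so a line in the new deb9u3 stanza saying that the deb9u2 entry was amended to record CVE-2019-8308 would make the change visible to anyone who only reads the newest entry or diffs the changelog against the archive copy.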
diff -Nru flatpak-0.8.9/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch flatpak-0.8.9/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch
--- flatpak-0.8.9/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch	1970-01-01 01:00:00.000000000 +0100
+++ flatpak-0.8.9/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch	2019-03-26 21:11:16.000000000 +0000
@@ -0,0 +1,32 @@
+From: Ryan Gonzalez <rymg19@gmail.com>
+Date: Mon, 25 Mar 2019 13:00:15 -0500
+Subject: run: Only compare the lowest 32 ioctl arg bits for TIOCSTI
+
+Closes #2782.
+
+Closes: #2783
+Approved by: alexlarsson
+
+(cherry picked from commit a9107feeb4b8275b78965b36bf21b92d5724699e)
+
+Origin: upstream, 1.2.4, commit:8e0aaf4b70d6d7c02c331c655e1a05763485085e
+Bug: https://github.com/flatpak/flatpak/issues/2782
+Bug-Debian: https://bugs.debian.org/925541
+Bug-CVE: CVE-2019-10063
+---
+ common/flatpak-run.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 9a69f7b..b3ed2ea 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -3866,7 +3866,7 @@ setup_seccomp (GPtrArray  *argv_array,
+     {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+ 
+     /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
+-    {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_EQ, (int)TIOCSTI)},
++    {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+   };
+ 
+   struct
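Review bot: on the replacement `+` line, the datum `(int) TIOCSTI` is widened to libseccomp's 64-bit scmp_datum_t, so the rule relies on TIOCSTI never having bit 31 set (on x86 it is 0x5412, so it works there); spelling it `(unsigned int) TIOCSTI` or `TIOCSTI & 0xFFFFFFFFu` would make the low-32-bit intent explicit and keep the rule correct on any architecture where the request value is sign-extended. The move from SCMP_CMP_EQ to SCMP_CMP_MASKED_EQ with mask 0xFFFFFFFFu is the right fix for what the changelog describes: the kernel reads the ioctl request as a 32-bit value, so the old full-width equality check could be sidestepped by a request whose high 32 bits were nonzero, and this hunk now compares only the bits the kernel actually looks at.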
diff -Nru flatpak-0.8.9/debian/patches/series flatpak-0.8.9/debian/patches/series
--- flatpak-0.8.9/debian/patches/series	2019-02-11 21:13:02.000000000 +0000
+++ flatpak-0.8.9/debian/patches/series	2019-03-26 21:11:16.000000000 +0000
@@ -1 +1,2 @@
 Don-t-expose-proc-when-running-apply_extra.patch
+run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch
