
Bug#925595: unblock: flatpak/1.2.4-1 (pre-approval) or 1.2.3-2 (unblock)

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

I would like to follow the 1.2.x stable-branch of flatpak in buster for
as long as it's maintained upstream, similar to what I did with 0.8.x
in stretch. Are the release team happy with this in principle?

In the short term, this means uploading flatpak 1.2.4 to unstable. It
fixes CVE-2019-10063 (incomplete defence against command injection with
TIOCSTI) and some non-security bugs. I attach a proposed diff: may I
upload this if my tests are successful?

If 1.2.4 is not acceptable, please unblock 1.2.3-2 instead, to fix
CVE-2019-10063 but not the non-security bugs (I already uploaded that
version). I've attached the debdiff for that too.

See also #925569, the corresponding stable-update.

Thanks,
    smcv

Filtered through
filterdiff -p1 -x doc/reference/html/'**' -x aclocal.m4 -x 'po/*.po' -x 'po/*.pot' -x configure:
 NEWS                            |   19 +++++++++++++++++++
 app/flatpak-builtins-list.c     |    2 +-
 app/flatpak-cli-transaction.c   |    2 +-
 common/flatpak-context.c        |    5 +++--
 common/flatpak-dir.c            |    3 +--
 common/flatpak-run.c            |   30 ++++++++++++++++++++++--------
 common/flatpak-utils-private.h  |    4 ++++
 common/flatpak-utils.c          |    8 ++++++++
 common/flatpak-version-macros.h |    2 +-
 configure.ac                    |    2 +-
 debian/changelog                |   24 +++++++++++++++++++++++-
 po/cs.gmo                       |binary
 po/de.gmo                       |binary
 po/es.gmo                       |binary
 po/gl.gmo                       |binary
 po/hu.gmo                       |binary
 po/id.gmo                       |binary
 po/pl.gmo                       |binary
 po/pt_BR.gmo                    |binary
 po/ru.gmo                       |binary
 po/sk.gmo                       |binary
 po/sv.gmo                       |binary
 po/tr.gmo                       |binary
 po/uk.gmo                       |binary
 po/zh_TW.gmo                    |binary
 tests/package_version.txt       |    2 +-
 26 files changed, 85 insertions(+), 18 deletions(-)

Original/unfiltered diffstat:
 NEWS                                                |  19 ++++
 aclocal.m4                                          | 194 ++++++++++++++++----------------
 app/flatpak-builtins-list.c                         |   2 +-
 app/flatpak-cli-transaction.c                       |   2 +-
 common/flatpak-context.c                            |   5 +-
 common/flatpak-dir.c                                |   3 +-
 common/flatpak-run.c                                |  30 +++--
 common/flatpak-utils-private.h                      |   4 +
 common/flatpak-utils.c                              |   8 ++
 common/flatpak-version-macros.h                     |   2 +-
 configure                                           |  26 ++---
 configure.ac                                        |   2 +-
 debian/changelog                                    |  24 +++-
 doc/reference/html/FlatpakBundleRef.html            |   4 +-
 doc/reference/html/FlatpakInstallation.html         |   4 +-
 doc/reference/html/FlatpakInstalledRef.html         |  60 +++++++++-
 doc/reference/html/FlatpakInstance.html             |   4 +-
 doc/reference/html/FlatpakRef.html                  |   4 +-
 doc/reference/html/FlatpakRelatedRef.html           |   4 +-
 doc/reference/html/FlatpakRemote.html               |   6 +-
 doc/reference/html/FlatpakRemoteRef.html            |   4 +-
 doc/reference/html/FlatpakTransaction.html          |   4 +-
 doc/reference/html/FlatpakTransactionOperation.html |   4 +-
 doc/reference/html/FlatpakTransactionProgress.html  |   4 +-
 doc/reference/html/annotation-glossary.html         |   4 +-
 doc/reference/html/api-index-full.html              |  20 +++-
 doc/reference/html/ch01.html                        |   4 +-
 doc/reference/html/flatpak-Error-codes.html         |   4 +-
 doc/reference/html/flatpak-Version-information.html |   6 +-
 doc/reference/html/flatpak.devhelp2                 |   4 +
 doc/reference/html/index.html                       |   6 +-
 doc/reference/html/object-tree.html                 |   4 +-
 po/cs.gmo                                           | Bin 76830 -> 76885 bytes
 po/cs.po                                            | 339 ++++++++++++++++++++++++++++----------------------------
 po/de.gmo                                           | Bin 41316 -> 41316 bytes
 po/de.po                                            | 337 ++++++++++++++++++++++++++++---------------------------
 po/es.gmo                                           | Bin 39897 -> 39897 bytes
 po/es.po                                            | 337 ++++++++++++++++++++++++++++---------------------------
 po/flatpak.pot                                      | 339 ++++++++++++++++++++++++++++----------------------------
 po/gl.gmo                                           | Bin 39989 -> 39989 bytes
 po/gl.po                                            | 337 ++++++++++++++++++++++++++++---------------------------
 po/hu.gmo                                           | Bin 49228 -> 49228 bytes
 po/hu.po                                            | 337 ++++++++++++++++++++++++++++---------------------------
 po/id.gmo                                           | Bin 79657 -> 79657 bytes
 po/id.po                                            | 337 ++++++++++++++++++++++++++++---------------------------
 po/pl.gmo                                           | Bin 91568 -> 91634 bytes
 po/pl.po                                            | 339 ++++++++++++++++++++++++++++----------------------------
 po/pt_BR.gmo                                        | Bin 58332 -> 58332 bytes
 po/pt_BR.po                                         | 337 ++++++++++++++++++++++++++++---------------------------
 po/ru.gmo                                           | Bin 60415 -> 60415 bytes
 po/ru.po                                            | 337 ++++++++++++++++++++++++++++---------------------------
 po/sk.gmo                                           | Bin 11107 -> 11107 bytes
 po/sk.po                                            | 337 ++++++++++++++++++++++++++++---------------------------
 po/sv.gmo                                           | Bin 43671 -> 43671 bytes
 po/sv.po                                            | 337 ++++++++++++++++++++++++++++---------------------------
 po/tr.gmo                                           | Bin 34503 -> 34503 bytes
 po/tr.po                                            | 337 ++++++++++++++++++++++++++++---------------------------
 po/uk.gmo                                           | Bin 99647 -> 99647 bytes
 po/uk.po                                            | 337 ++++++++++++++++++++++++++++---------------------------
 po/zh_TW.gmo                                        | Bin 67730 -> 67730 bytes
 po/zh_TW.po                                         | 337 ++++++++++++++++++++++++++++---------------------------
 tests/package_version.txt                           |   2 +-
 62 files changed, 2878 insertions(+), 2660 deletions(-)

diff --git a/NEWS b/NEWS
index 82234cd8..bed1b394 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,25 @@
+Changes in 1.2.4
+================
+
+This release fixes CVE-2019-10063.
+
+It has been discovered that the previous fix for CVE-2017-5226, which uses
+seccomp to prevent sandboxed apps from using the (dangerous) TIOCSTI ioctl
+was only incomplete on 64bit arches. This is now fixed.
+
+ * seccomp: Only compare the low 32bit of the TIOCSTI ioctl args.
+ * Support multiple nvidia cards on the machine
+ * Fix support for systems where XDG_RUNTIME_DIR is /var/run which is a symlink
+   like gentoo.
+ * Fix potential crash when updating apps.
+ * flatpak list --arch now works correctly again.
+ * Update translations
+
 Changes in 1.2.3
 ================
 
+This release fixes CVE-2019-8308.
+
 The CVE-2019-5736 runc vulnerability is about using /proc/self/exe
 to modify the host side binary from the sandbox. This mostly does not
 affect flatpak since the flatpak sandbox is not run with root permissions.
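Review bot: the NEWS paragraph's "was only incomplete on 64bit arches" reads as if incompleteness were the lesser outcome; "was incomplete on 64-bit architectures" says what is meant, and the relative clause "which uses seccomp ... TIOCSTI ioctl" needs a closing comma before "was". It would also help users to state in one line what the gap was, as the 1.2.3-2 changelog entry in this diff does (the rule compared the whole 64-bit argument while the kernel only looks at the low 32 bits), since the bullet "Only compare the low 32bit of the TIOCSTI ioctl args" describes the code change rather than the impact.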
diff --git a/app/flatpak-builtins-list.c b/app/flatpak-builtins-list.c
index cb309da9..1ae6405e 100644
--- a/app/flatpak-builtins-list.c
+++ b/app/flatpak-builtins-list.c
@@ -214,7 +214,7 @@ print_table_for_refs (gboolean print_apps,
           parts = g_strsplit (ref, "/", -1);
           partial_ref = strchr (ref, '/') + 1;
 
-          if (arch != NULL && strcmp (arch, parts[1]) != 0)
+          if (arch != NULL && strcmp (arch, parts[2]) != 0)
             continue;
 
           deploy = flatpak_dir_load_deployed (dir, ref, NULL, cancellable, NULL);
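Review bot: moving from parts[1] to parts[2] is the right index for a ref of the form kind/id/arch/branch, but strcmp (arch, parts[2]) still assumes g_strsplit produced at least three elements; a ref with fewer '/'-separated components would make parts[2] NULL and strcmp would crash. If every ref reaching print_table_for_refs is already validated this is fine; otherwise guard the comparison with g_strv_length (parts) >= 3 (or a parts[2] != NULL check) before calling strcmp.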
diff --git a/app/flatpak-cli-transaction.c b/app/flatpak-cli-transaction.c
index 3a1888b2..9f58cc4b 100644
--- a/app/flatpak-cli-transaction.c
+++ b/app/flatpak-cli-transaction.c
@@ -374,7 +374,7 @@ new_operation (FlatpakTransaction          *transaction,
       if (self->n_ops == 1)
         text = g_strdup (_("Installing…"));
       else
-        text = g_strdup_printf (("Installing %d/%d…"), self->op, self->n_ops);
+        text = g_strdup_printf (_("Installing %d/%d…"), self->op, self->n_ops);
       break;
 
     case FLATPAK_TRANSACTION_OPERATION_UPDATE:
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 695173f1..6e4d5646 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -653,7 +653,7 @@ get_xdg_user_dir_from_string (const char  *filesystem,
       if (config_key)
         *config_key = NULL;
       if (dir)
-        *dir = g_get_user_runtime_dir ();
+        *dir = flatpak_get_real_xdg_runtime_dir ();
       return TRUE;
     }
 
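Review bot: ownership changes silently in this hunk. g_get_user_runtime_dir () returns a string owned by GLib, but flatpak_get_real_xdg_runtime_dir () (see the flatpak-utils.c hunk in this diff) returns the malloc'd result of realpath (), and it is assigned through *dir with no visible change to how the caller treats that out-parameter. If dir is a const char ** and the caller never frees it, this leaks one string per call. Either make the caller own it (g_autofree at the call site) or have the helper cache the canonical path once and hand out a borrowed pointer, and say which in the function comment.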
@@ -2087,8 +2087,9 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext  *context,
 
   if (app_id_dir != NULL)
     {
+      g_autofree char *user_runtime_dir = flatpak_get_real_xdg_runtime_dir ();
       g_autofree char *run_user_app_dst = g_strdup_printf ("/run/user/%d/app/%s", getuid (), app_id);
-      g_autofree char *run_user_app_src = g_build_filename (g_get_user_runtime_dir (), "app", app_id, NULL);
+      g_autofree char *run_user_app_src = g_build_filename (user_runtime_dir, "app", app_id, NULL);
 
       if (glnx_shutil_mkdir_p_at (AT_FDCWD,
                                   run_user_app_src,
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 6f0526d2..79fa361d 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -574,13 +574,12 @@ flatpak_load_deploy_data (GFile        *deploy_dir,
                           GError      **error)
 {
   g_autoptr(GFile) data_file = NULL;
-  g_autoptr(GError) my_error = NULL;
   char *data = NULL;
   gsize data_size;
   g_autoptr(GVariant) deploy_data = NULL;
 
   data_file = g_file_get_child (deploy_dir, "deploy");
-  if (!g_file_load_contents (data_file, cancellable, &data, &data_size, NULL, &my_error))
+  if (!g_file_load_contents (data_file, cancellable, &data, &data_size, NULL, error))
     return NULL;
 
   deploy_data = g_variant_ref_sink (g_variant_new_from_data (FLATPAK_DEPLOY_DATA_GVARIANT_FORMAT,
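Review bot: the dropped my_error was swallowing the read failure, so callers of flatpak_load_deploy_data got a NULL return with their *error left unset, which matches the "potential crash when updating apps" entry in NEWS. Passing error straight through is the right fix; worth a quick pass over callers that pass NULL for error and test only the return value, to confirm each one handles NULL, since the failure is no longer hidden.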
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 16faf9b7..68719ec3 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -234,6 +234,7 @@ static gboolean
 flatpak_run_add_wayland_args (FlatpakBwrap *bwrap)
 {
   const char *wayland_display;
+  g_autofree char *user_runtime_dir = flatpak_get_real_xdg_runtime_dir ();
   g_autofree char *wayland_socket = NULL;
   g_autofree char *sandbox_wayland_socket = NULL;
   gboolean res = FALSE;
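Review bot: user_runtime_dir is now resolved with realpath () at the top of this function (and, per the other hunks, in seven more places in this file plus flatpak-context.c), allocating and walking symlinks on every call even on paths that return early. Since g_get_user_runtime_dir () itself caches its result, caching the canonical path once in the helper (a static computed on first use) would avoid the repeated realpath () calls and give one place to handle a NULL result instead of one per call site.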
@@ -243,7 +244,7 @@ flatpak_run_add_wayland_args (FlatpakBwrap *bwrap)
   if (!wayland_display)
     wayland_display = "wayland-0";
 
-  wayland_socket = g_build_filename (g_get_user_runtime_dir (), wayland_display, NULL);
+  wayland_socket = g_build_filename (user_runtime_dir, wayland_display, NULL);
   sandbox_wayland_socket = g_strdup_printf ("/run/user/%d/%s", getuid (), wayland_display);
 
   if (stat (wayland_socket, &statbuf) == 0 &&
@@ -400,12 +401,13 @@ flatpak_run_add_pulseaudio_args (FlatpakBwrap *bwrap)
 {
   g_autofree char *pulseaudio_server = flatpak_run_get_pulseaudio_server ();
   g_autofree char *pulseaudio_socket = NULL;
+  g_autofree char *user_runtime_dir = flatpak_get_real_xdg_runtime_dir ();
 
   if (pulseaudio_server)
     pulseaudio_socket = flatpak_run_parse_pulse_server (pulseaudio_server);
 
   if (!pulseaudio_socket)
-    pulseaudio_socket = g_build_filename (g_get_user_runtime_dir (), "pulse/native", NULL);
+    pulseaudio_socket = g_build_filename (user_runtime_dir, "pulse/native", NULL);
 
   flatpak_bwrap_unset_env (bwrap, "PULSE_SERVER");
 
@@ -455,7 +457,8 @@ flatpak_run_add_journal_args (FlatpakBwrap *bwrap)
 static char *
 create_proxy_socket (char *template)
 {
-  g_autofree char *proxy_socket_dir = g_build_filename (g_get_user_runtime_dir (), ".dbus-proxy", NULL);
+  g_autofree char *user_runtime_dir = flatpak_get_real_xdg_runtime_dir ();
+  g_autofree char *proxy_socket_dir = g_build_filename (user_runtime_dir, ".dbus-proxy", NULL);
   g_autofree char *proxy_socket = g_build_filename (proxy_socket_dir, template, NULL);
   int fd;
 
@@ -687,7 +690,7 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap,
 
   g_auto(GLnxDirFdIterator) dir_iter = { 0 };
   struct dirent *dent;
-  g_autofree char *user_runtime_dir = realpath (g_get_user_runtime_dir (), NULL);
+  g_autofree char *user_runtime_dir = flatpak_get_real_xdg_runtime_dir ();
   g_autofree char *proxy_socket_dir = g_build_filename (user_runtime_dir, ".dbus-proxy/", NULL);
 
   app_info_fd = open (app_info_path, O_RDONLY | O_CLOEXEC);
@@ -1076,7 +1079,6 @@ flatpak_run_add_environment_args (FlatpakBwrap    *bwrap,
             "/dev/umplock",
             /* nvidia */
             "/dev/nvidiactl",
-            "/dev/nvidia0",
             "/dev/nvidia-modeset",
             /* nvidia OpenCL/CUDA */
             "/dev/nvidia-uvm",
@@ -1088,6 +1090,16 @@ flatpak_run_add_environment_args (FlatpakBwrap    *bwrap,
               if (g_file_test (dri_devices[i], G_FILE_TEST_EXISTS))
                 flatpak_bwrap_add_args (bwrap, "--dev-bind", dri_devices[i], dri_devices[i], NULL);
             }
+
+          /* Each Nvidia card gets its own device.
+             This is a fairly arbitrary limit but ASUS sells mining boards supporting 20 in theory. */
+          char nvidia_dev[14]; /* /dev/nvidia plus up to 2 digits */
+          for (i = 0; i < 20; i++)
+            {
+              g_snprintf (nvidia_dev, sizeof (nvidia_dev), "/dev/nvidia%d", i);
+              if (g_file_test (nvidia_dev, G_FILE_TEST_EXISTS))
+                flatpak_bwrap_add_args (bwrap, "--dev-bind", nvidia_dev, nvidia_dev, NULL);
+            }
         }
 
       if (context->devices & FLATPAK_CONTEXT_DEVICE_KVM)
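Review bot: char nvidia_dev[14] is exactly "/dev/nvidia" (11 bytes) plus two digits plus the NUL, so it is correct for 0..19, but the buffer size and the loop bound of 20 are tied together only by a comment; if the bound is later raised to three digits, g_snprintf will silently truncate and the sandbox would dev-bind a wrong path. Deriving the size from the bound (sizeof ("/dev/nvidia") + 3 covers three digits) or building the path with g_autofree char *nvidia_dev = g_strdup_printf (...) inside the loop removes the coupling. Note also that the loop reuses the i declared for the dri_devices loop above, which is fine but worth a glance if that loop is ever restructured.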
@@ -1685,7 +1697,8 @@ flatpak_run_gc_ids (void)
 static char *
 flatpak_run_allocate_id (int *lock_fd_out)
 {
-  g_autofree char *base_dir = g_build_filename (g_get_user_runtime_dir (), ".flatpak", NULL);
+  g_autofree char *user_runtime_dir = flatpak_get_real_xdg_runtime_dir ();
+  g_autofree char *base_dir = g_build_filename (user_runtime_dir, ".flatpak", NULL);
   int count;
 
   g_mkdir_with_parents (base_dir, 0755);
@@ -1950,12 +1963,13 @@ flatpak_run_add_app_info_args (FlatpakBwrap   *bwrap,
   g_autofree char *instance_id_host_dir = NULL;
   g_autofree char *instance_id_sandbox_dir = NULL;
   g_autofree char *instance_id_lock_file = NULL;
+  g_autofree char *user_runtime_dir = flatpak_get_real_xdg_runtime_dir ();
 
   instance_id = flatpak_run_allocate_id (&lock_fd);
   if (instance_id == NULL)
     return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Unable to allocate instance id"));
 
-  instance_id_host_dir = g_build_filename (g_get_user_runtime_dir (), ".flatpak", instance_id, NULL);
+  instance_id_host_dir = g_build_filename (user_runtime_dir, ".flatpak", instance_id, NULL);
   instance_id_sandbox_dir = g_strdup_printf ("/run/user/%d/.flatpak/%s", getuid (), instance_id);
   instance_id_lock_file = g_build_filename (instance_id_sandbox_dir, ".ref", NULL);
 
@@ -2380,7 +2394,7 @@ setup_seccomp (FlatpakBwrap   *bwrap,
     {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
 
     /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
-    {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)},
+    {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
   };
 
   struct
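Review bot: the masked compare is the correct fix. The kernel's ioctl entry point takes the request as an unsigned int, so only the low 32 bits of the argument register decide whether TIOCSTI runs, while SCMP_CMP_EQ compared all 64 bits and therefore did not match a request whose high 32 bits were nonzero (the 1.2.3-2 changelog entry in this diff describes exactly that). One nit on the datum: (int) TIOCSTI is harmless for 0x5412, but an int converted to the 64-bit scmp_datum_t is sign-extended, so if this masked pattern is copied for an ioctl number with the top bit set (any _IOW/_IOR-encoded request) the rule would never match; casting to an unsigned 32-bit type such as guint32 keeps the datum zero-extended and equal to what the mask leaves in the argument. A test that the filter rejects the high-bits form would keep this from regressing.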
diff --git a/common/flatpak-utils-private.h b/common/flatpak-utils-private.h
index 401fb60f..6d6d4672 100644
--- a/common/flatpak-utils-private.h
+++ b/common/flatpak-utils-private.h
@@ -90,6 +90,10 @@ void flatpak_debug2 (const char *format,
 gint flatpak_strcmp0_ptr (gconstpointer a,
                           gconstpointer b);
 
+/* Sometimes this is /var/run which is a symlink, causing weird issues when we pass
+ * it as a path into the sandbox */
+char * flatpak_get_real_xdg_runtime_dir (void);
+
 gboolean  flatpak_has_path_prefix (const char *str,
                                    const char *prefix);
 
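Review bot: the declaration should document ownership. This function returns the result of realpath (), which the caller must free (the call sites in this diff use g_autofree), whereas the g_get_user_runtime_dir () it replaces returns a borrowed string. A "Returns: (transfer full): the canonical runtime dir, or NULL if it cannot be resolved" line in this comment would stop the next caller from assigning the result to a const char * and leaking it, which is what the xdg-run branch in flatpak-context.c appears to do.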
diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c
index d41f975a..a2740db1 100644
--- a/common/flatpak-utils.c
+++ b/common/flatpak-utils.c
@@ -223,6 +223,14 @@ flatpak_strcmp0_ptr (gconstpointer a,
   return g_strcmp0 (*(char * const *) a, *(char * const *) b);
 }
 
+/* Sometimes this is /var/run which is a symlink, causing weird issues when we pass
+ * it as a path into the sandbox */
+char *
+flatpak_get_real_xdg_runtime_dir (void)
+{
+  return realpath (g_get_user_runtime_dir (), NULL);
+}
+
 /* Compares if str has a specific path prefix. This differs
    from a regular prefix in two ways. First of all there may
    be multiple slashes separating the path elements, and
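Review bot: realpath () returns NULL when XDG_RUNTIME_DIR does not exist or cannot be resolved, and none of the call sites in this diff check for that; g_build_filename (NULL, ...) then returns an empty string, so the wayland, pulse, .dbus-proxy, .flatpak and app paths would all silently become "" and the subsequent stat / mkdir / bind calls would fail in confusing ways. Falling back to g_strdup (g_get_user_runtime_dir ()) when realpath () fails preserves the previous behaviour on such systems; if a missing runtime dir should be fatal, return NULL and have callers report it through GError rather than continue with an empty path. Freeing the malloc'd buffer with g_free is acceptable with current GLib (g_free is free ()) and was already done in add_bwrap_wrapper before this change.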
diff --git a/common/flatpak-version-macros.h b/common/flatpak-version-macros.h
index b9f53648..cc086ae1 100644
--- a/common/flatpak-version-macros.h
+++ b/common/flatpak-version-macros.h
@@ -44,7 +44,7 @@
  *
  * The micro version.
  */
-#define FLATPAK_MICRO_VERSION (3)
+#define FLATPAK_MICRO_VERSION (4)
 
 /**
  * FLATPAK_CHECK_VERSION:
diff --git a/configure.ac b/configure.ac
index c46a38fe..24866b8f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -15,7 +15,7 @@ AC_PREREQ([2.63])
 
 m4_define([flatpak_major_version], [1])
 m4_define([flatpak_minor_version], [2])
-m4_define([flatpak_micro_version], [3])
+m4_define([flatpak_micro_version], [4])
 m4_define([flatpak_extra_version], [])
 m4_define([flatpak_interface_age], [0])
 m4_define([flatpak_binary_age],
diff --git a/debian/changelog b/debian/changelog
index 9ff5c0ff..966a43dd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,31 @@
+flatpak (1.2.4-1) UNRELEASED; urgency=medium
+
+  * New upstream stable release
+    - Canonicalize XDG_RUNTIME_DIR if it's a symlink
+    - Support device nodes for multiple Nvidia graphics cards if the
+      proprietary driver is used
+    - Fix a crash when certain errors occur while updating apps
+    - Fix "flatpak list --arch"
+    - Make "Installing %d/%d..." translatable
+  * d/p/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch:
+    Drop patch, applied upstream
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 27 Mar 2019 10:20:36 +0000
+
+flatpak (1.2.3-2) unstable; urgency=high
+
+  * seccomp: Reject all ioctls that the kernel will interpret as TIOCSTI,
+    including those where the high 32 bits in a 64-bit word are nonzero.
+    (Closes: #925541, CVE-2019-10063)
+
+ -- Simon McVittie <smcv@debian.org>  Tue, 26 Mar 2019 20:38:36 +0000
+
 flatpak (1.2.3-1) unstable; urgency=high
 
   * New upstream stable release
     - Security update: do not let the apply_extra script for a system
       installation modify the host-side executable via /proc/self/exe,
-      similar to CVE-2019-5736 in runc (Closes: #922059)
+      similar to CVE-2019-5736 in runc (Closes: #922059; CVE-2019-8308)
 
  -- Simon McVittie <smcv@debian.org>  Mon, 11 Feb 2019 16:17:09 +0000
 
diff --git a/po/cs.gmo b/po/cs.gmo
index af2ff253..ffcd36f3 100644
Binary files a/po/cs.gmo and b/po/cs.gmo differ
diff --git a/po/de.gmo b/po/de.gmo
index 02f5e740..15354612 100644
Binary files a/po/de.gmo and b/po/de.gmo differ
diff --git a/po/es.gmo b/po/es.gmo
index 9dd56e20..963bfc90 100644
Binary files a/po/es.gmo and b/po/es.gmo differ
diff --git a/po/gl.gmo b/po/gl.gmo
index 9e4fd2c1..28f64d7f 100644
Binary files a/po/gl.gmo and b/po/gl.gmo differ
diff --git a/po/hu.gmo b/po/hu.gmo
index a37ff301..16cabe89 100644
Binary files a/po/hu.gmo and b/po/hu.gmo differ
diff --git a/po/id.gmo b/po/id.gmo
index 2cc426f2..e4c914ef 100644
Binary files a/po/id.gmo and b/po/id.gmo differ
diff --git a/po/pl.gmo b/po/pl.gmo
index cf14e93f..ba879fa9 100644
Binary files a/po/pl.gmo and b/po/pl.gmo differ
diff --git a/po/pt_BR.gmo b/po/pt_BR.gmo
index ae08756d..fb58f998 100644
Binary files a/po/pt_BR.gmo and b/po/pt_BR.gmo differ
diff --git a/po/ru.gmo b/po/ru.gmo
index aea25ad1..2a3f3cd6 100644
Binary files a/po/ru.gmo and b/po/ru.gmo differ
diff --git a/po/sk.gmo b/po/sk.gmo
index cb9f753e..ae0d2c1f 100644
Binary files a/po/sk.gmo and b/po/sk.gmo differ
diff --git a/po/sv.gmo b/po/sv.gmo
index 1424678c..5b2714b7 100644
Binary files a/po/sv.gmo and b/po/sv.gmo differ
diff --git a/po/tr.gmo b/po/tr.gmo
index 56f7e331..b8bdb297 100644
Binary files a/po/tr.gmo and b/po/tr.gmo differ
diff --git a/po/uk.gmo b/po/uk.gmo
index 5f56d999..cdef8363 100644
Binary files a/po/uk.gmo and b/po/uk.gmo differ
diff --git a/po/zh_TW.gmo b/po/zh_TW.gmo
index 45fc090b..acd85bed 100644
Binary files a/po/zh_TW.gmo and b/po/zh_TW.gmo differ
diff --git a/tests/package_version.txt b/tests/package_version.txt
index 0495c4a8..e8ea05db 100644
--- a/tests/package_version.txt
+++ b/tests/package_version.txt
@@ -1 +1 @@
-1.2.3
+1.2.4

diffstat for flatpak-1.2.3 flatpak-1.2.3

 changelog                                                               |   10 ++-
 patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch |   32 ++++++++++
 patches/series                                                          |    1 
 3 files changed, 42 insertions(+), 1 deletion(-)

diff -Nru flatpak-1.2.3/debian/changelog flatpak-1.2.3/debian/changelog
--- flatpak-1.2.3/debian/changelog	2019-02-11 16:17:09.000000000 +0000
+++ flatpak-1.2.3/debian/changelog	2019-03-26 20:38:36.000000000 +0000
@@ -1,9 +1,17 @@
+flatpak (1.2.3-2) unstable; urgency=high
+
+  * seccomp: Reject all ioctls that the kernel will interpret as TIOCSTI,
+    including those where the high 32 bits in a 64-bit word are nonzero.
+    (Closes: #925541, CVE-2019-10063)
+
+ -- Simon McVittie <smcv@debian.org>  Tue, 26 Mar 2019 20:38:36 +0000
+
 flatpak (1.2.3-1) unstable; urgency=high
 
   * New upstream stable release
     - Security update: do not let the apply_extra script for a system
       installation modify the host-side executable via /proc/self/exe,
-      similar to CVE-2019-5736 in runc (Closes: #922059)
+      similar to CVE-2019-5736 in runc (Closes: #922059; CVE-2019-8308)
 
  -- Simon McVittie <smcv@debian.org>  Mon, 11 Feb 2019 16:17:09 +0000
 
diff -Nru flatpak-1.2.3/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch flatpak-1.2.3/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch
--- flatpak-1.2.3/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch	1970-01-01 01:00:00.000000000 +0100
+++ flatpak-1.2.3/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch	2019-03-26 20:38:36.000000000 +0000
@@ -0,0 +1,32 @@
+From: Ryan Gonzalez <rymg19@gmail.com>
+Date: Mon, 25 Mar 2019 13:00:15 -0500
+Subject: run: Only compare the lowest 32 ioctl arg bits for TIOCSTI
+
+Closes #2782.
+
+Closes: #2783
+Approved by: alexlarsson
+
+(cherry picked from commit a9107feeb4b8275b78965b36bf21b92d5724699e)
+
+Origin: upstream, 1.2.4, commit:8e0aaf4b70d6d7c02c331c655e1a05763485085e
+Bug: https://github.com/flatpak/flatpak/issues/2782
+Bug-Debian: https://bugs.debian.org/925541
+Bug-CVE: CVE-2019-10063
+---
+ common/flatpak-run.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 16faf9b..ed76ed2 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2380,7 +2380,7 @@ setup_seccomp (FlatpakBwrap   *bwrap,
+     {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+ 
+     /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
+-    {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)},
++    {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+   };
+ 
+   struct
diff -Nru flatpak-1.2.3/debian/patches/series flatpak-1.2.3/debian/patches/series
--- flatpak-1.2.3/debian/patches/series	2019-02-11 16:17:09.000000000 +0000
+++ flatpak-1.2.3/debian/patches/series	2019-03-26 20:38:36.000000000 +0000
@@ -1 +1,2 @@
+run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch
 debian/Use-Python-3-for-test-web-server.patch
