--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package flatpak/0.8.9-0+deb9u3
- From: Simon McVittie <smcv@debian.org>
- Date: Tue, 26 Mar 2019 22:04:55 +0000
- Message-id: <20190326220455.GA15179@espresso.pseudorandom.co.uk>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
I've prepared a flatpak update for stable to fix CVE-2019-10063 in
the next point release. The security team told me they don't intend to
release a DSA for this.
May I upload?
I've uploaded 1.2.3-2 to unstable to fix the same thing, although I'm
hoping to replace it with a new upstream release.
Thanks,
smcv
diffstat for flatpak-0.8.9 flatpak-0.8.9
changelog | 11 +++
patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch | 32 ++++++++++
patches/series | 1
3 files changed, 43 insertions(+), 1 deletion(-)
diff -Nru flatpak-0.8.9/debian/changelog flatpak-0.8.9/debian/changelog
--- flatpak-0.8.9/debian/changelog 2019-02-11 21:13:02.000000000 +0000
+++ flatpak-0.8.9/debian/changelog 2019-03-26 21:11:16.000000000 +0000
@@ -1,10 +1,19 @@
+flatpak (0.8.9-0+deb9u3) stretch; urgency=medium
+
+ * d/p/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch:
+ Reject all ioctls that the kernel will interpret as TIOCSTI,
+ including those where the high 32 bits in a 64-bit word are nonzero.
+ (Closes: #925541, CVE-2019-10063)
+
+ -- Simon McVittie <smcv@debian.org> Tue, 26 Mar 2019 21:11:16 +0000
+
flatpak (0.8.9-0+deb9u2) stretch-security; urgency=medium
* d/p/Don-t-expose-proc-when-running-apply_extra.patch:
Backport patch from upstream v1.2.3: do not let the apply_extra
script for a system installation modify the host-side executable
via /proc/self/exe, similar to CVE-2019-5736 in runc
- (Closes: #922059)
+ (Closes: #922059; CVE-2019-8308)
-- Simon McVittie <smcv@debian.org> Mon, 11 Feb 2019 21:13:02 +0000
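Review bot: the second part of this hunk edits the already-released 0.8.9-0+deb9u2 stanza (`- (Closes: #922059)` becomes `+ (Closes: #922059; CVE-2019-8308)`), which rewrites a published changelog entry instead of recording the CVE id in the new deb9u3 stanza; if that is intentional, a one-line mention in the deb9u3 entry (e.g. "also record CVE-2019-8308 in the deb9u2 entry") keeps the change visible to anyone reading the history. The deb9u3 entry could also say why the high 32 bits matter: the previous seccomp rule matched only an exact 64-bit argument, so the TIOCSTI block added for CVE-2017-5226 could be sidestepped with a value the kernel still interprets as TIOCSTI.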
diff -Nru flatpak-0.8.9/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch flatpak-0.8.9/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch
--- flatpak-0.8.9/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch 1970-01-01 01:00:00.000000000 +0100
+++ flatpak-0.8.9/debian/patches/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch 2019-03-26 21:11:16.000000000 +0000
@@ -0,0 +1,32 @@
+From: Ryan Gonzalez <rymg19@gmail.com>
+Date: Mon, 25 Mar 2019 13:00:15 -0500
+Subject: run: Only compare the lowest 32 ioctl arg bits for TIOCSTI
+
+Closes #2782.
+
+Closes: #2783
+Approved by: alexlarsson
+
+(cherry picked from commit a9107feeb4b8275b78965b36bf21b92d5724699e)
+
+Origin: upstream, 1.2.4, commit:8e0aaf4b70d6d7c02c331c655e1a05763485085e
+Bug: https://github.com/flatpak/flatpak/issues/2782
+Bug-Debian: https://bugs.debian.org/925541
+Bug-CVE: CVE-2019-10063
+---
+ common/flatpak-run.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 9a69f7b..b3ed2ea 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -3866,7 +3866,7 @@ setup_seccomp (GPtrArray *argv_array,
+ {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+
+ /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
+- {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_EQ, (int)TIOCSTI)},
++ {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+ };
+
+ struct
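Review bot: the comment above the changed rule still cites only CVE-2017-5226, yet the switch from `SCMP_CMP_EQ` to `SCMP_CMP_MASKED_EQ` with mask `0xFFFFFFFFu` is the whole fix and the reason for the mask is not obvious from the line; add a sentence saying that the kernel only looks at the low 32 bits of the ioctl request, so a 64-bit argument with nonzero high bits is still TIOCSTI, and reference CVE-2019-10063 beside it, e.g. `/* Don't allow faking input to the controlling tty (CVE-2017-5226, CVE-2019-10063): compare the low 32 bits only */`. Separately, the `(int) TIOCSTI` cast is carried over from the old line; the datum is widened to libseccomp's 64-bit scmp_datum_t and compared against the masked argument, so an unsigned cast (or no cast) avoids sign-extension if any architecture's TIOCSTI value has bit 31 set, which could make the masked comparison never match.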
diff -Nru flatpak-0.8.9/debian/patches/series flatpak-0.8.9/debian/patches/series
--- flatpak-0.8.9/debian/patches/series 2019-02-11 21:13:02.000000000 +0000
+++ flatpak-0.8.9/debian/patches/series 2019-03-26 21:11:16.000000000 +0000
@@ -1 +1,2 @@
Don-t-expose-proc-when-running-apply_extra.patch
+run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch
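Review bot: appending the new patch after Don-t-expose-proc-when-running-apply_extra.patch is the right order for a cherry-pick that post-dates it, but the patch carries its hunk header and blob index (`@@ -3866,7 +3866,7 @@`, `index 9a69f7b..b3ed2ea`) from the upstream 1.2.4 commit named in its Origin line rather than from the 0.8.9 tree it is applied to; worth a `quilt push -a` against 0.8.9 to confirm it applies without offset or fuzz, and a `quilt refresh` if it does not.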
--- End Message ---