New upstream microrelease flatpak 1.0.8

This has been fixed in disco as per version 1.2.4-1. Is someone able to nominate this bug for bionic and cosmic, and mark the main bug as fixed released. (I don't have permission to nominate for series)

Hello Andrew, thanks for taking this update.

Could you confirm the sha256sum of the tarball you used while generating this?

I think the right approach for this update is going to be to upload a new package with new tarball, and edit the diff to keep only the debian/changelog hunk. It's important to make sure we use the same tarball that you tested.

Thanks

Hi,

I used pull-lp-source flatpak {bionic,cosmic}, then uscan --download-version 1.0.8 and uupdate, as there is a new upstream release with this fix.

For bionic these are the sha256sum's in my build folder

85e9f11188fde70fa6c4b1e17b1bc61d1ea5abf9fe4e0d956c3f421deaace4da flatpak_1.0.7-0ubuntu0.18.04.1.debian.tar.xz
e0e6626a6d475ab263e7eab93d945d88f37c055fc9083d349101829b61253590 flatpak_1.0.7.orig.tar.xz
f8e3f7ea885a95ab46684a3ae5d2b7f5bcebc120d2819468a3e08d14b5aef226 flatpak_1.0.8-0ubuntu0.18.04.1.debian.tar.xz
1b1b419e3b2e8e75b18eb6442f0eb585fe402cea529729c15bbaf2622d746c3c flatpak_1.0.8.orig.tar.xz
1b1b419e3b2e8e75b18eb6442f0eb585fe402cea529729c15bbaf2622d746c3c flatpak-1.0.8.tar.xz

For cosmic these are the sha256sum's in my build folder

d6634d222d6175e5aeba6e5b1ca2be61cfe3b02afe79dc390feac09e56efb673 flatpak_1.0.7-0ubuntu0.18.10.1.debian.tar.xz
e0e6626a6d475ab263e7eab93d945d88f37c055fc9083d349101829b61253590 flatpak_1.0.7.orig.tar.xz
b29bfb4b530d4c3d48d2024a40b698a33b072b2dec619364701d51cba106d51b flatpak_1.0.8-0ubuntu0.18.10.1.debian.tar.xz
1b1b419e3b2e8e75b18eb6442f0eb585fe402cea529729c15bbaf2622d746c3c flatpak_1.0.8.orig.tar.xz
1b1b419e3b2e8e75b18eb6442f0eb585fe402cea529729c15bbaf2622d746c3c flatpak-1.0.8.tar.xz

Let me know if you need more info :-)

Excellent, thanks Andrew.

Is there anything else I need to do to help this update ?

Hello Andrew, can you check/test if the packages bellow are working properly?
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=flatpak

Thanks Paulo, I'm afk on holiday at the moment, so will test this when I'm
back towards the end of the week, thanks!

On Fri, 3 May 2019, 01:35 Paulo Flabiano Smorigo, <
<email address hidden>> wrote:

> Hello Andrew, can you check/test if the packages bellow are working
> properly?
>
> https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=flatpak
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1821811
>
> Title:
> New upstream microrelease flatpak 1.0.8
>
> Status in flatpak package in Ubuntu:
> Fix Released
> Status in flatpak source package in Bionic:
> New
> Status in flatpak source package in Cosmic:
> New
>
> Bug description:
> This is a request to SRU the latest microrelease of flatpak into
> bionic and cosmic. Which is also a security update for CVE-2019-10063.
>
> Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925541
> Upstream bug https://github.com/flatpak/flatpak/issues/2782
>
> [Impact]
>
> New upstream microrelease of flatpak, which brings a security fix for
> CVE-2019-10063.
>
> Bionic is currently at 1.0.7, whereas 1.0.8 is available upstream.
> Cosmic is currently at 1.0.7, whereas 1.0.8 is available upstream.
>
> Disco needs to be synced to >= 1.2.3-2 (is someone able to sync
> 1.2.4-1 from unstable ? ) bug 1822024 has this request.
>
> [Test Case]
>
> No test case has been mentioned in the Debian bug, in the upstream
> pull request it looks like the snapd exploit might be able to be used
> https://www.exploit-db.com/exploits/46594 but the code change is
> minimal so I have not tried this yet.
>
> [Regression Potential]
>
> Flatpak has a test suite, which is run on build across all
> architectures and passes.
>
> There is also a manual test plan
> https://wiki.ubuntu.com/Process/Merges/TestPlan/flatpak. I have
> confirmed that 1.0.8 passes with this test plan on both bionic and
> cosmic.
>
> Flatpak has autopkgtests enabled
> http://autopkgtest.ubuntu.com/packages/f/flatpak which is passing on
> bionic and cosmic.
>
> Regression potential is low, and upstream is very responsive to any
> issues raised.
>
> [Other information]
>
> Debian and upstream comments about the vulnerability.
>
> "flatpak versions since 0.8.1 (and Debian's 0.8.0-2, which has backports
> of the upstream changes that became 0.8.1) attempt to prevent malicious
> apps from escalating their privileges by injecting commands into the
> controlling terminal with the TIOCSTI ioctl (CVE-2017-5226).
>
> This fix was incomplete: on 64-bit platforms, seccomp looks at the whole
> 64-bit word, but the kernel only looks at the low 32 bits. This means we
> also have to block commands like (0x1234567800000000 | TIOCSTI).
> CVE-2019-10063 has been allocated for this vulnerability, which closely
> resembles CVE-2019-7303 in snapd.
>
> Mitigation: as usual with Flatpak sandbox bypasses, this can only be
> exploited if you install a malicious app from a trusted source. The
> sandbox parameters used for most apps are currently sufficiently weak
> ...

Paulo, I have tested the following flatpak versions on bionic and cosmic, they appear to work correctly and the debdiffs match the ones I generated - so LGTM :-)

$ apt policy flatpak
flatpak:
  Installed: 1.0.8-0ubuntu0.18.04.1
  Candidate: 1.0.8-0ubuntu0.18.04.1
  Version table:
 *** 1.0.8-0ubuntu0.18.04.1 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.7-0ubuntu0.18.04.1 500
        500 http://gb.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
     0.11.3-3 500

$ apt policy flatpak
flatpak:
  Installed: 1.0.8-0ubuntu0.18.10.1
  Candidate: 1.0.8-0ubuntu0.18.10.1
  Version table:
 *** 1.0.8-0ubuntu0.18.10.1 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.7-0ubuntu0.18.10.1 500
        500 http://gb.archive.ubuntu.com/ubuntu cosmic-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu cosmic-security/universe amd64 Packages
     1.0.4-1 500
        500 http://gb.archive.ubuntu.com/ubuntu cosmic/universe amd64 Packages
        500 http://gb.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

This bug was fixed in the package flatpak - 1.0.8-0ubuntu0.18.10.1

---------------
flatpak (1.0.8-0ubuntu0.18.10.1) cosmic-security; urgency=medium

  * Update to 1.0.8 (LP: #1821811)
  * New upstream release
    - SECURITY UPDATE: seccomp: Reject all ioctls that the kernel will
      interpret as TIOCSTI, including those where the high 32 bits in
      a 64-bit word are nonzero.
    - CVE-2019-10063

 -- Andrew Hayzen <email address hidden> Thu, 28 Mar 2019 21:57:34 +0000

This bug was fixed in the package flatpak - 1.0.8-0ubuntu0.18.04.1

---------------
flatpak (1.0.8-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * Update to 1.0.8 (LP: #1821811)
  * New upstream release
    - SECURITY UPDATE: seccomp: Reject all ioctls that the kernel will
      interpret as TIOCSTI, including those where the high 32 bits in
      a 64-bit word are nonzero.
    - CVE-2019-10063

 -- Andrew Hayzen <email address hidden> Wed, 27 Mar 2019 21:21:48 +0000