
Bug#1069285: trixie-pu: package flatpak/1.14.6-1~deb13u1



Package: release.debian.org
Severity: normal
Tags: trixie
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: flatpak@packages.debian.org
Control: affects -1 + src:flatpak

[ Reason ]
Fix CVE-2024-32462, a sandbox escape vulnerability, without having to
wait for the whole 64-bit time_t transition.

[ Impact ]
If not fixed, malicious or compromised Flatpak apps can execute arbitrary
code on the host system. (Severity: grave)

The new upstream release also fixes one high-visibility non-security bug:
after some infrastructure changes on Flathub, the flatpak(1) CLI currently
mis-displays apps' developer names as though they were the name of the app,
for example showing org.chromium.Chromium as "The Chromium Authors" instead
of the correct "Chromium Web Browser". The proposed version corrects this.
(Severity: important)

[ Tests ]
Flatpak has a rather large test suite, which still passes. Unfortunately,
most tests have to be skipped when running under schroot or lxc because
those frameworks don't allow creating a nested user namespace, but I do
run the autopkgtest suite under autopkgtest-virt-qemu before uploading.

There is new automated test coverage for CVE-2024-32462 and for the
mis-display of app names.

I'll do a smoke-test on a trixie GNOME VM (install an app, run an app,
and verify that CVE-2024-32462 is fixed) before uploading.

[ Risks ]
Low risk, targeted changes only.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing
  [x] the issue is verified as fixed in unstable

[ Changes ]
Lightly filtered debdiff attached.

* app/flatpak-builtins-build.c,
  common/flatpak-run.c:
  Fix CVE-2024-32462

* common/flatpak-appdata.c:
  Fix the developer name bug described above

* common/flatpak-version-macros.h,
  configure,
  configure.ac,
  NEWS,
  tests/package_version.txt:
  New upstream version

* debian/control:
  Change real|transitional dependencies to real package name only

* doc/reference/html/*.html:
  Regenerated for the new upstream release (and re-regenerated during build)
  Filtered from debdiff

* ltmain.sh:
  The new upstream release was generated on Debian 12 rather than on
  testing/unstable (normally I would filter this out of the debdiff,
  but I'm being extra-vigilant right now after the discovery of the
  xz backdoor). This file is deleted and re-created during build anyway.

* po/flatpak.pot,
  po/*.po:
  Regenerated for the new upstream release (different line numbering)
  Filtered from debdiff

* tests/make-test-app.sh,
  tests/test-info.sh:
  Regression test for the developer name bug

* tests/test-run.sh:
  Regression test for CVE-2024-32462
Filtered: filterdiff -p1 -x'po/*.po' -x'po/*.pot' -x'doc/reference/html/*.html'

diffstat for flatpak-1.14.5 flatpak-1.14.6

 NEWS                                                                       |   15 
 app/flatpak-builtins-build.c                                               |    3 
 common/flatpak-appdata.c                                                   |   13 
 common/flatpak-dir.c                                                       |    1 
 common/flatpak-run.c                                                       |    5 
 common/flatpak-version-macros.h                                            |    2 
 configure                                                                  |   26 
 configure.ac                                                               |    2 
 debian/changelog                                                           |   19 
 debian/control                                                             |    4 
 doc/reference/html/FlatpakBundleRef.html                                   |   44 
 doc/reference/html/FlatpakInstallation.html                                |  706 +++++-----
 doc/reference/html/FlatpakInstalledRef.html                                |   88 -
 doc/reference/html/FlatpakInstance.html                                    |   22 
 doc/reference/html/FlatpakRef.html                                         |    8 
 doc/reference/html/FlatpakRelatedRef.html                                  |   44 
 doc/reference/html/FlatpakRemote.html                                      |   62 
 doc/reference/html/FlatpakRemoteRef.html                                   |   38 
 doc/reference/html/FlatpakTransaction.html                                 |  310 ++--
 doc/reference/html/FlatpakTransactionOperation.html                        |   28 
 doc/reference/html/FlatpakTransactionProgress.html                         |   22 
 doc/reference/html/flatpak-Error-codes.html                                |    2 
 doc/reference/html/flatpak-Version-information.html                        |    2 
 doc/reference/html/gdbus-org.freedesktop.Flatpak.Authenticator.html        |   22 
 doc/reference/html/gdbus-org.freedesktop.Flatpak.AuthenticatorRequest.html |    4 
 doc/reference/html/gdbus-org.freedesktop.Flatpak.Development.html          |    8 
 doc/reference/html/gdbus-org.freedesktop.portal.Flatpak.UpdateMonitor.html |   56 
 doc/reference/html/gdbus-org.freedesktop.portal.Flatpak.html               |  303 ++++
 doc/reference/html/index.html                                              |    2 
 doc/reference/html/object-tree.html                                        |    2 
 ltmain.sh                                                                  |   28 
 po/cs.po                                                                   |  186 +-
 po/da.po                                                                   |  186 +-
 po/de.po                                                                   |  186 +-
 po/en_GB.po                                                                |  186 +-
 po/es.po                                                                   |  186 +-
 po/flatpak.pot                                                             |  188 +-
 po/fr.po                                                                   |  186 +-
 po/gl.po                                                                   |  186 +-
 po/hi.po                                                                   |  186 +-
 po/hr.po                                                                   |  186 +-
 po/hu.po                                                                   |  186 +-
 po/id.po                                                                   |  186 +-
 po/oc.po                                                                   |  186 +-
 po/pl.po                                                                   |  186 +-
 po/pt.po                                                                   |  186 +-
 po/pt_BR.po                                                                |  186 +-
 po/ro.po                                                                   |  186 +-
 po/ru.po                                                                   |  186 +-
 po/sk.po                                                                   |  186 +-
 po/sv.po                                                                   |  186 +-
 po/tr.po                                                                   |  186 +-
 po/uk.po                                                                   |  186 +-
 po/zh_CN.po                                                                |  186 +-
 po/zh_TW.po                                                                |  186 +-
 tests/make-test-app.sh                                                     |    3 
 tests/package_version.txt                                                  |    2 
 tests/test-info.sh                                                         |    8 
 tests/test-run.sh                                                          |   11 
 59 files changed, 3362 insertions(+), 3019 deletions(-)

diff -Nru flatpak-1.14.5/app/flatpak-builtins-build.c flatpak-1.14.6/app/flatpak-builtins-build.c
--- flatpak-1.14.5/app/flatpak-builtins-build.c	2022-11-17 18:26:13.000000000 +0000
+++ flatpak-1.14.6/app/flatpak-builtins-build.c	2024-04-17 18:19:04.000000000 +0100
@@ -587,7 +587,8 @@
   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
     return FALSE;
 
-  flatpak_bwrap_add_args (bwrap, command, NULL);
+  flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+
   flatpak_bwrap_append_argsv (bwrap,
                               &argv[rest_argv_start + 2],
                               rest_argc - 2);
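Review bot: The "--" inserted before `command` at line 590 has no comment explaining why it is there, unlike the matching change in common/flatpak-run.c, which carries `/* End of options: the next argument will be the executable name */`. Adding the same comment here would make it less likely that the terminator is dropped in a later cleanup. The hunk also adds a blank line after the call that the original code did not have; keep it only if that is intentional.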
diff -Nru flatpak-1.14.5/common/flatpak-appdata.c flatpak-1.14.6/common/flatpak-appdata.c
--- flatpak-1.14.5/common/flatpak-appdata.c	2022-11-17 18:26:13.000000000 +0000
+++ flatpak-1.14.6/common/flatpak-appdata.c	2024-04-17 18:19:04.000000000 +0100
@@ -43,6 +43,7 @@
   gboolean   in_text;
   gboolean   in_component;
   gboolean   in_content_rating;
+  gboolean   in_developer;
   char      *lang;
   guint64    timestamp;
   const char *id;  /* interned */
@@ -119,7 +120,7 @@
     {
       data->in_text = TRUE;
     }
-  else if (g_str_equal (element_name, "name") ||
+  else if ((!data->in_developer && g_str_equal (element_name, "name")) ||
            g_str_equal (element_name, "summary"))
     {
       const char *lang = NULL;
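Review bot: In the condition at line 123 only `name` is guarded by `!data->in_developer`; `summary` is still accepted wherever it appears, so a `<summary>` nested inside `<developer>` would still enter this branch. If the intent is that only direct children of the component are used, guard both element names, or track element depth instead of a per-container flag, which would also cover any other container that carries a `<name>` child.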
@@ -259,6 +260,10 @@
           g_warning ("Ignoring content attribute missing id attribute");
         }
     }
+  else if (g_str_equal (element_name, "developer"))
+    {
+      data->in_developer = TRUE;
+    }
 }
 
 static void
@@ -294,7 +299,7 @@
     {
       component->id = g_steal_pointer (&text);
     }
-  else if (g_str_equal (element_name, "name"))
+  else if (!data->in_developer && g_str_equal (element_name, "name"))
     {
       g_hash_table_insert (component->names, g_steal_pointer (&data->lang), g_steal_pointer (&text));
     }
@@ -316,6 +321,10 @@
       g_assert (component->content_rating != NULL);
       g_hash_table_insert (component->content_rating, (gpointer) data->id, (gpointer) g_intern_string (text));
     }
+  else if (g_str_equal (element_name, "developer"))
+    {
+      data->in_developer = FALSE;
+    }
 }
 
 static void
diff -Nru flatpak-1.14.5/common/flatpak-dir.c flatpak-1.14.6/common/flatpak-dir.c
--- flatpak-1.14.5/common/flatpak-dir.c	2023-12-08 10:46:34.000000000 +0000
+++ flatpak-1.14.6/common/flatpak-dir.c	2024-04-17 18:19:04.000000000 +0100
@@ -7071,6 +7071,7 @@
                                   "--proc", "/proc",
                                   "--dev", "/dev",
                                   "--bind", basedir, basedir,
+                                  "--",
                                   NULL);
 #endif
           flatpak_bwrap_add_args (bwrap,
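Review bot: The "--" added at line 7074 sits in an argument list that ends just before `#endif`, so it applies only to the preprocessor branch shown here; if another branch builds the same bwrap command line, it needs the terminator too. The following `flatpak_bwrap_add_args (bwrap,` call is cut off by the hunk context, so please confirm that it adds only the executable and its arguments, because anything after `--` is no longer parsed as a bwrap option. This file appears in the diffstat but is not listed under [ Changes ] in the request.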
diff -Nru flatpak-1.14.5/common/flatpak-run.c flatpak-1.14.6/common/flatpak-run.c
--- flatpak-1.14.5/common/flatpak-run.c	2023-12-08 10:49:39.000000000 +0000
+++ flatpak-1.14.6/common/flatpak-run.c	2024-04-17 18:19:04.000000000 +0100
@@ -1299,6 +1299,9 @@
   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
     return FALSE;
 
+  /* End of options: the next argument will be the executable name */
+  flatpak_bwrap_add_arg (bwrap, "--");
+
   return TRUE;
 }
 
@@ -4682,7 +4685,7 @@
   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
     return FALSE;
 
-  flatpak_bwrap_add_arg (bwrap, command);
+  flatpak_bwrap_add_args (bwrap, "--", command, NULL);
 
   if (!add_rest_args (bwrap, app_id,
                       exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,
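Review bot: The "--" added before `command` at line 4688 needs checking against the other "--" this patch appends at the end of the function patched around line 1299 of the same file. If that function's output can ever precede this call on the same bwrap argument vector, the second `--` would be taken as the executable name rather than as an option terminator. A short comment here, like the one in the earlier hunk, stating which call site owns the terminator would make that invariant explicit.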
diff -Nru flatpak-1.14.5/common/flatpak-version-macros.h flatpak-1.14.6/common/flatpak-version-macros.h
--- flatpak-1.14.5/common/flatpak-version-macros.h	2023-12-08 12:15:32.000000000 +0000
+++ flatpak-1.14.6/common/flatpak-version-macros.h	2024-04-17 19:18:45.000000000 +0100
@@ -45,7 +45,7 @@
  *
  * The micro version.
  */
-#define FLATPAK_MICRO_VERSION (5)
+#define FLATPAK_MICRO_VERSION (6)
 
 /**
  * FLATPAK_CHECK_VERSION:
diff -Nru flatpak-1.14.5/configure flatpak-1.14.6/configure
--- flatpak-1.14.5/configure	2023-12-08 12:15:27.000000000 +0000
+++ flatpak-1.14.6/configure	2024-04-17 19:17:50.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for Flatpak 1.14.5.
+# Generated by GNU Autoconf 2.71 for Flatpak 1.14.6.
 #
 # Report bugs to <https://github.com/flatpak/flatpak/issues>.
 #
@@ -621,8 +621,8 @@
 # Identity of this package.
 PACKAGE_NAME='Flatpak'
 PACKAGE_TARNAME='flatpak'
-PACKAGE_VERSION='1.14.5'
-PACKAGE_STRING='Flatpak 1.14.5'
+PACKAGE_VERSION='1.14.6'
+PACKAGE_STRING='Flatpak 1.14.6'
 PACKAGE_BUGREPORT='https://github.com/flatpak/flatpak/issues'
 PACKAGE_URL='http://flatpak.org/'
 
@@ -1642,7 +1642,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures Flatpak 1.14.5 to adapt to many kinds of systems.
+\`configure' configures Flatpak 1.14.6 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1713,7 +1713,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Flatpak 1.14.5:";;
+     short | recursive ) echo "Configuration of Flatpak 1.14.6:";;
    esac
   cat <<\_ACEOF
 
@@ -2005,7 +2005,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-Flatpak configure 1.14.5
+Flatpak configure 1.14.6
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2356,7 +2356,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Flatpak $as_me 1.14.5, which was
+It was created by Flatpak $as_me 1.14.6, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -14115,7 +14115,7 @@
 
 # Define the identity of the package.
  PACKAGE='flatpak'
- VERSION='1.14.5'
+ VERSION='1.14.6'
 
 
 # Some tools Automake needs.
@@ -21921,10 +21921,10 @@
 
 FLATPAK_MAJOR_VERSION=1
 FLATPAK_MINOR_VERSION=14
-FLATPAK_MICRO_VERSION=5
+FLATPAK_MICRO_VERSION=6
 FLATPAK_EXTRA_VERSION=
 FLATPAK_INTERFACE_AGE=0
-FLATPAK_VERSION=1.14.5
+FLATPAK_VERSION=1.14.6
 
 
 
@@ -21953,7 +21953,7 @@
 
 
 
-LT_VERSION_INFO="11405:0:11405"
+LT_VERSION_INFO="11406:0:11406"
 LT_CURRENT_MINUS_AGE=0
 
 
@@ -22599,7 +22599,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by Flatpak $as_me 1.14.5, which was
+This file was extended by Flatpak $as_me 1.14.6, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22668,7 +22668,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-Flatpak config.status 1.14.5
+Flatpak config.status 1.14.6
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 
diff -Nru flatpak-1.14.5/configure.ac flatpak-1.14.6/configure.ac
--- flatpak-1.14.5/configure.ac	2023-12-08 12:15:05.000000000 +0000
+++ flatpak-1.14.6/configure.ac	2024-04-17 18:28:16.000000000 +0100
@@ -15,7 +15,7 @@
 
 m4_define([flatpak_major_version], [1])
 m4_define([flatpak_minor_version], [14])
-m4_define([flatpak_micro_version], [5])
+m4_define([flatpak_micro_version], [6])
 m4_define([flatpak_extra_version], [])
 m4_define([flatpak_interface_age], [0])
 m4_define([flatpak_binary_age],
diff -Nru flatpak-1.14.5/debian/changelog flatpak-1.14.6/debian/changelog
--- flatpak-1.14.5/debian/changelog	2023-12-08 12:25:50.000000000 +0000
+++ flatpak-1.14.6/debian/changelog	2024-04-19 11:00:13.000000000 +0100
@@ -1,3 +1,22 @@
+flatpak (1.14.6-1~deb13u1) trixie; urgency=high
+
+  * Rebuild for trixie
+
+ -- Simon McVittie <smcv@debian.org>  Fri, 19 Apr 2024 11:00:13 +0100
+
+flatpak (1.14.6-1) unstable; urgency=high
+
+  * New upstream stable release 1.14.6
+    - Don't allow an executable name to be misinterpreted as a command-line
+      option for bwrap(1). This prevents a sandbox escape where a malicious
+      or compromised app could ask xdg-desktop-portal to generate a .desktop
+      file with access to files outside the sandbox. (CVE-2024-32462)
+    - Don't parse `<developer><name/></developer>` as the application name
+  * d/control: Drop alternative dependencies on transitional policykit-1.
+    polkitd was released in Debian 12 and Ubuntu 22.04.
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 17 Apr 2024 19:34:28 +0100
+
 flatpak (1.14.5-1) unstable; urgency=medium
 
   * New upstream stable release
diff -Nru flatpak-1.14.5/debian/control flatpak-1.14.6/debian/control
--- flatpak-1.14.5/debian/control	2023-12-08 12:25:50.000000000 +0000
+++ flatpak-1.14.6/debian/control	2024-04-19 11:00:13.000000000 +0100
@@ -52,7 +52,7 @@
  libzstd-dev,
  ostree (>= 2020.8) <!nocheck>,
  pkgconf,
- polkitd <!nocheck> | policykit-1 <!nocheck>,
+ polkitd <!nocheck>,
  procps,
  python3:any,
  python3-pyparsing,
@@ -87,7 +87,7 @@
  gtk-update-icon-cache,
  libpam-systemd,
  p11-kit,
- polkitd | policykit-1,
+ polkitd,
  shared-mime-info,
  xdg-desktop-portal (>= 1.6),
  xdg-desktop-portal-gtk (>= 1.6) | xdg-desktop-portal-backend,
diff -Nru flatpak-1.14.5/ltmain.sh flatpak-1.14.6/ltmain.sh
--- flatpak-1.14.5/ltmain.sh	2023-12-08 10:49:53.000000000 +0000
+++ flatpak-1.14.6/ltmain.sh	2024-04-17 19:17:44.000000000 +0100
@@ -31,7 +31,7 @@
 
 PROGRAM=libtool
 PACKAGE=libtool
-VERSION="2.4.7 Debian-2.4.7-7"
+VERSION="2.4.7 Debian-2.4.7-5"
 package_revision=2.4.7
 
 
@@ -572,15 +572,27 @@
 # ---------------------
 # Append VALUE onto the existing contents of VAR.
 
+  # We should try to minimise forks, especially on Windows where they are
+  # unreasonably slow, so skip the feature probes when bash or zsh are
+  # being used:
+  if test set = "${BASH_VERSION+set}${ZSH_VERSION+set}"; then
+    : ${_G_HAVE_ARITH_OP="yes"}
+    : ${_G_HAVE_XSI_OPS="yes"}
+    # The += operator was introduced in bash 3.1
+    case $BASH_VERSION in
+      [12].* | 3.0 | 3.0*) ;;
+      *)
+        : ${_G_HAVE_PLUSEQ_OP="yes"}
+        ;;
+    esac
+  fi
+
   # _G_HAVE_PLUSEQ_OP
   # Can be empty, in which case the shell is probed, "yes" if += is
   # useable or anything else if it does not work.
-  if test -z "$_G_HAVE_PLUSEQ_OP" &&  \
-      __PLUSEQ_TEST="a" &&  \
-      __PLUSEQ_TEST+=" b" 2>/dev/null &&  \
-      test "a b" = "$__PLUSEQ_TEST"; then
-    _G_HAVE_PLUSEQ_OP=yes
-  fi
+  test -z "$_G_HAVE_PLUSEQ_OP" \
+    && (eval 'x=a; x+=" b"; test "a b" = "$x"') 2>/dev/null \
+    && _G_HAVE_PLUSEQ_OP=yes
 
 if test yes = "$_G_HAVE_PLUSEQ_OP"
 then
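Review bot: The generated code in this hunk (the bash/zsh fast path at line 575 and the `+=` probe run through `eval` in a subshell) differs from what the previous tarball shipped, in line with the first hunk's VERSION change from `2.4.7 Debian-2.4.7-7` to `2.4.7 Debian-2.4.7-5`. That is consistent with the explanation that the release was generated on Debian 12. Since the request relies on this file being deleted and re-created during build, a build log showing the regeneration step would confirm that the shipped copy is never executed.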
@@ -2296,7 +2308,7 @@
        compiler:       $LTCC
        compiler flags: $LTCFLAGS
        linker:         $LD (gnu? $with_gnu_ld)
-       version:        $progname $scriptversion Debian-2.4.7-7
+       version:        $progname $scriptversion Debian-2.4.7-5
        automake:       `($AUTOMAKE --version) 2>/dev/null |$SED 1q`
        autoconf:       `($AUTOCONF --version) 2>/dev/null |$SED 1q`
 
diff -Nru flatpak-1.14.5/NEWS flatpak-1.14.6/NEWS
--- flatpak-1.14.5/NEWS	2023-12-08 12:15:04.000000000 +0000
+++ flatpak-1.14.6/NEWS	2024-04-17 18:28:07.000000000 +0100
@@ -1,3 +1,18 @@
+Changes in 1.14.6
+~~~~~~~~~~~~~~~~~
+
+Security fixes:
+
+ * Don't allow an executable name to be misinterpreted as a command-line
+   option for bwrap(1). This prevents a sandbox escape where a malicious
+   or compromised app could ask xdg-desktop-portal to generate a .desktop
+   file with access to files outside the sandbox. (CVE-2024-32462)
+
+Other bug fixes:
+
+ * Don't parse `<developer><name/></developer>` as the application name
+   (#5700)
+
 Changes in 1.14.5
 ~~~~~~~~~~~~~~~~~
 Released: 2023-12-08
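Review bot: The new `Changes in 1.14.6` entry has no `Released:` line, while the 1.14.5 entry directly below it has `Released: 2023-12-08`. Adding the release date would keep the NEWS entries consistent.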
diff -Nru flatpak-1.14.5/tests/make-test-app.sh flatpak-1.14.6/tests/make-test-app.sh
--- flatpak-1.14.5/tests/make-test-app.sh	2023-03-15 17:37:23.000000000 +0000
+++ flatpak-1.14.6/tests/make-test-app.sh	2024-04-17 18:19:04.000000000 +0100
@@ -130,6 +130,9 @@
     <name>Hello world test app: $APP_ID</name>
     <summary>Print a greeting</summary>
     <description><p>This is a test app.</p></description>
+    <developer>
+      <name>Developer name</name>
+    </developer>
     <categories>
       <category>Utility</category>
     </categories>
diff -Nru flatpak-1.14.5/tests/package_version.txt flatpak-1.14.6/tests/package_version.txt
--- flatpak-1.14.5/tests/package_version.txt	2023-12-08 12:15:33.000000000 +0000
+++ flatpak-1.14.6/tests/package_version.txt	2024-04-17 19:22:04.000000000 +0100
@@ -1 +1 @@
-1.14.5
+1.14.6
diff -Nru flatpak-1.14.5/tests/test-info.sh flatpak-1.14.6/tests/test-info.sh
--- flatpak-1.14.5/tests/test-info.sh	2023-03-16 09:55:13.000000000 +0000
+++ flatpak-1.14.6/tests/test-info.sh	2024-04-17 18:19:04.000000000 +0100
@@ -6,7 +6,7 @@
 
 skip_revokefs_without_fuse
 
-echo "1..8"
+echo "1..9"
 
 INCLUDE_SPECIAL_CHARACTER=1 setup_repo
 install_repo
@@ -62,3 +62,9 @@
 assert_file_has_content info "^hidden$"
 
 ok "info --file-access"
+
+${FLATPAK} info org.test.Hello > info
+
+assert_file_has_content info "^Hello world test app: org\.test\.Hello - Print a greeting$"
+
+ok "info (name header)"
diff -Nru flatpak-1.14.5/tests/test-run.sh flatpak-1.14.6/tests/test-run.sh
--- flatpak-1.14.5/tests/test-run.sh	2022-11-17 18:26:13.000000000 +0000
+++ flatpak-1.14.6/tests/test-run.sh	2024-04-17 18:20:38.000000000 +0100
@@ -24,7 +24,7 @@
 skip_without_bwrap
 skip_revokefs_without_fuse
 
-echo "1..20"
+echo "1..21"
 
 # Use stable rather than master as the branch so we can test that the run
 # command automatically finds the branch correctly
@@ -76,6 +76,15 @@
 
 ok "hello"
 
+# This should try and fail to run e.g. /usr/bin/--tmpfs, which will
+# exit with status 127 because there is no such executable.
+# It should not pass "--tmpfs /blah hello.sh" as bwrap options.
+exit_status=0
+run --command=--tmpfs org.test.Hello /blah hello.sh >&2 || exit_status=$?
+assert_not_streq "$exit_status" 0
+
+ok "avoided CVE-2024-32462"
+
 # XDG_RUNTIME_DIR is set to <temp directory>/runtime by libtest.sh,
 # so we always have the necessary setup to reproduce #4372
 assert_not_streq "$XDG_RUNTIME_DIR" "/run/user/$(id -u)"
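Review bot: The new test's comment says the run should exit with status 127 because the executable does not exist, but the assertion `assert_not_streq "$exit_status" 0` accepts any failure, so the test would also pass if `run` failed for an unrelated reason. Asserting the specific status, or checking stderr for the missing-executable error, would tie a pass to the behaviour the comment describes.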
