Operating System: SUSE
Published: 09 April 2021

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1186
        Security update for flatpak, libostree, xdg-desktop-portal,
                          xdg-desktop-portal-gtk
                               9 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           flatpak
                   libostree
                   xdg-desktop-portal
                   xdg-desktop-portal-gtk
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21261  

Reference:         ESB-2021.0416
                   ESB-2021.0409
                   ESB-2021.0341

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2021/suse-su-20211094-1

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for flatpak, libostree,
xdg-desktop-portal, xdg-desktop-portal-gtk

______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:1094-1
Rating:            important
References:        #1133120 #1133124 #1175899 #1180996
Cross-References:  CVE-2021-21261
Affected Products:
                   SUSE Linux Enterprise Module for Desktop Applications 15-SP2
                   SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that solves one vulnerability, contains one feature and has three
fixes is now available.

Description:

This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk
fixes the following issues:
libostree:
Update to version 2020.8:

  o Enable LTO. (bsc#1133120)
  o This update contains scalability improvements and bugfixes.
  o Caching-related HTTP headers are now supported on summaries and signatures,
    so that they do not have to be re-downloaded if not changed in the
    meanwhile.
  o Summaries and delta have been reworked to allow more fine-grained fetching.
  o Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit
    architectures.
  o Static deltas can now be signed to more easily support offline
    verification.
  o There's now support for multiple initramfs images; it is possible to have a
    "main" initramfs image and a secondary one which represents local
    configuration.
  o The documentation is now moved to https://ostreedev.github.io/ostree/
  o Fix for an assertion failure when upgrading from systems before ostree
    supported devicetree.
  o ostree no longer hardlinks zero sized files to avoid hitting filesystem
    maximum link counts.
  o ostree now supports `/` and `/boot` being on the same filesystem.
  o Improvements to the GObject Introspection metadata, some (cosmetic) static
    analyzer fixes, a fix for the immutable bit on s390x, dropping a deprecated
    bit in the systemd unit file.
  o Fix a regression in 2020.4 where the "readonly sysroot" changes incorrectly
    left the sysroot read-only on systems that started out with a read-only `/`
    (most of them, e.g. Fedora Silverblue/IoT at least).
  o The default dracut config now enables reproducibility.
  o There is a new `ostree admin unlock --transient`. This should be a
    foundation for further support for "live" updates.
  o New `ed25519` signing support, powered by `libsodium`.
  o `ostree commit` gained a new `--base` argument, which significantly
    simplifies constructing "derived" commits, particularly for systems using
    SELinux.
  o Handling of the read-only sysroot was reimplemented to run in the initramfs
    and be more reliable. Enabling the `readonly=true` flag in the repo config
    is recommended.
  o Several fixes in locking for the temporary "staging" directories OSTree
    creates, particularly on NFS.
  o A new `timestamp-check-from-rev` option was added for pulls, which makes
    downgrade protection more reliable and will be used by Fedora CoreOS.
  o Several fixes and enhancements made for "collection" pulls including a new
    `--mirror` option.
  o The ostree commit command learned a new `--mode-ro-executables` which
    enforces `W^R` semantics on all executables.
  o Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE` to
    help standardize the architecture of the OSTree commit. This could be used
    on the client side for example to sanity-check that the commit matches the
    architecture of the machine before deploying.
  o Stop invalid usage of `%_libexecdir`:
    - Use `%{_prefix}/lib` where appropriate.
    - Use `_systemdgeneratordir` for the systemd-generators.
    - Define `_dracutmodulesdir` based on `dracut.pc`. Add BuildRequires(dracut)
      for this to work.


xdg-desktop-portal:
Update to version 1.8.0:

  o Ensure systemd rpm macros are called at install/uninstall times for systemd
    user services.
  o Add BuildRequires on systemd-rpm-macros.
  o openuri: - Allow skipping the chooser for more URL types - Robustness fixes
  o filechooser: - Return the current filter - Add a "directory" option -
    Document the "writable" option
  o camera: - Make the client node visible - Don't leak pipewire proxy
  o Fix file descriptor leaks
  o Testsuite improvements
  o Updated translations.
  o document: - Reduce the use of open fds - Add more tests and fix issues they
    found - Expose directories with their proper name - Support exporting
    directories - New fuse implementation
  o background: Avoid a segfault
  o screencast: Require pipewire 0.3
  o Better support for snap and toolbox
  o Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the
    binary (bsc#1175899). Without it, files or directories can be selected, but
    whatever is done with or in them will not have any effect.
  o Fixes for `%_libexecdir` changing to `/usr/libexec`


xdg-desktop-portal-gtk:
Update to version 1.8.0:

  o filechooser: - Return the current filter - Handle the "directory" option to
    select directories - Only show preview when we have an image
  o screenshot: Fix cancellation
  o appchooser: Avoid a crash
  o wallpaper: - Properly preview placement settings - Drop the lockscreen
    option
  o printing: Improve the notification
  o Updated translations.
  o settings: Fall back to gsettings for enable-animations
  o screencast: Support the Mutter version 3 API (new pipewire API version 3).


flatpak:
Update to version 1.10.2 (jsc#SLE-17238, ECO-3148):

  o This is a security update which fixes a potential attack where a flatpak
    application could use a custom formatted `.desktop` file to gain access to
    files on the host system.
  o Fix memory leaks
  o Documentation and translations updates
  o Spawn portal better handles non-utf8 filenames
  o Fix flatpak build on systems with setuid bwrap
  o Fix crash on updating apps with no deploy data
  o Remove deprecated texinfo packaging macros.
  o Support for the new repo format which should make updates faster and
    download less data.
  o The systemd generator snippets now call flatpak `--print-updated-env` in
    place of a bunch of shell for better login performance.
  o The `.profile` snippets now disable GVfs when calling flatpak to avoid
    spawning a gvfs daemon when logging in via ssh.
  o Flatpak now finds the pulseaudio sockets better in uncommon configurations.
  o Sandboxes with network access now also have access to the
    `systemd-resolved` socket to do DNS lookups.
  o Flatpak supports unsetting environment variables in the sandbox using
    `--unset-env`, and `--env=FOO=` now sets FOO to the empty string instead of
    unsetting it.
  o The spawn portal now has an option to share the pid namespace with the
    sub-sandbox.
  o This security update fixes a sandbox escape where a malicious application
    can execute code outside the sandbox by controlling the environment of the
    "flatpak run" command when spawning a sub-sandbox (bsc#1180996,
    CVE-2021-21261)
  o Fix support for ppc64.
  o Move flatpak-bisect and flatpak-coredumpctl to devel subpackage, allow to
    remove python3 dependency on main package.
  o Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124)
  o Fixed progress reporting for OCI and extra-data.
  o The in-memory summary cache is more efficient.
  o Fixed authentication getting stuck in a loop in some cases.
  o Fixed authentication error reporting.
  o Extract OCI info for runtimes as well as apps.
  o Fixed crash if anonymous authentication fails and `-y` is specified.
  o flatpak info now only looks at the specified installation if one is
    specified.
  o Better error reporting for server HTTP errors during download.
  o Uninstall now removes applications before the runtime it depends on.
  o Avoid updating metadata from the remote when uninstalling.
  o FlatpakTransaction now verifies all passed in refs to avoid.
  o Added validation of collection id settings for remotes.
  o Fix seccomp filters on s390.
  o Robustness fixes to the spawn portal.
  o Fix support for masking update in the system installation.
  o Better support for distros with uncommon models of merged `/usr`.
  o Cache responses from localed/AccountService.
  o Fix hangs in cases where `xdg-dbus-proxy` fails to start.
  o Fix double-free in cups socket detection.
  o OCI authenticator now doesn't ask for auth in case of http errors.
  o Fix invalid usage of `%{_libexecdir}` to reference systemd directories.
  o Fixes for `%_libexecdir` changing to `/usr/libexec`
  o Avoid calling authenticator in update if ref didn't change
  o Don't fail transaction if ref is already installed (after transaction
    start)
  o Fix flatpak run handling of userns in the `--device=all` case
  o Fix handling of extensions from different remotes
  o Fix flatpak run `--no-session-bus`
  o `FlatpakTransaction` has a new signal `install-authenticator` which clients
    can handle to install authenticators needed for the transaction. This is
    done in the CLI commands.
  o Now the host timezone data is always exposed, fixing several apps that had
    timezone issues.
  o There's a new systemd unit (not installed by default) to automatically
    detect plugged in usb sticks with sideload repos.
  o By default the `gdm env.d` file is no longer installed because the systemd
    generators work better.
  o `create-usb` now exports partial commits by default
  o Fix handling of docker media types in oci remotes
  o Fix subjects in `remote-info --log` output
  o This release is also able to host flatpak images on e.g. docker hub.
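The CVE-2021-21261 item in the flatpak list above describes a sandboxed application controlling the environment that a privileged `flatpak run` invocation inherits when the spawn portal starts a sub-sandbox. The following is an added illustration of that bug class and of the general defence for it; it is not flatpak's code and does not reproduce the actual flatpak defect. The helper names (`vulnerable_child_env`, `hardened_child_env`, `spawn`), the allowlist and the sample request are assumptions made for the example. The point it shows: a privileged launcher must not merge a caller's variables over its own environment, because names such as `LD_PRELOAD`, `PATH` or `GLIBC_TUNABLES` decide what code runs before the target program's own `main()`; it should start from a fixed baseline, forward only allowlisted names, and refuse loader knobs loudly rather than drop them silently.

```python
"""Environment handling for a privileged spawn helper: the caller-inherited
shape beside an allowlisted one.  Added illustration of the bug class named
in the CVE-2021-21261 item; not flatpak's code.  Function names, the
allowlist and the sample request are assumptions for this example."""
import re
import subprocess

# Names a caller may set in the child (assumed allowlist for this example).
ALLOWED_ENV = frozenset({"LANG", "LC_ALL", "TERM", "HOME", "DISPLAY",
                         "WAYLAND_DISPLAY", "XDG_RUNTIME_DIR"})

# Variables that change what code the dynamic loader or common interpreters
# run before the program's own main(); a caller must never be able to set them.
DENIED_EXACT = frozenset({"PATH", "IFS", "ENV", "BASH_ENV", "GCONV_PATH",
                          "GLIBC_TUNABLES", "PYTHONPATH", "PERL5LIB"})
VALID_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class RejectedEnvironment(ValueError):
    """Raised instead of silently dropping a loader knob, so abuse is visible."""


def is_loader_knob(name):
    """True for any LD_* variable or one of the exact names in DENIED_EXACT."""
    return name.startswith("LD_") or name in DENIED_EXACT


def vulnerable_child_env(caller_env, helper_env):
    """'Before' shape: caller variables merged over the helper's own environment.
    Whatever the caller sets, LD_PRELOAD or PATH included, reaches the child."""
    env = dict(helper_env)
    env.update(caller_env)
    return env


def hardened_child_env(caller_env, baseline=None):
    """'After' shape: start from a baseline the caller cannot influence, copy
    through only allowlisted names with well-formed values, and refuse any
    loader or interpreter knob outright."""
    env = dict(baseline) if baseline is not None else {"PATH": "/usr/bin:/bin"}
    for name, value in caller_env.items():
        if not VALID_NAME.match(name):
            raise RejectedEnvironment(f"malformed variable name {name!r}")
        if is_loader_knob(name):
            raise RejectedEnvironment(f"refusing caller-controlled {name}")
        if name not in ALLOWED_ENV:
            continue  # unknown names are dropped, never forwarded
        if "\0" in value:
            raise RejectedEnvironment(f"NUL byte in value of {name}")
        env[name] = value
    return env


def spawn(argv, caller_env):
    """Run argv with the sanitised environment.  env= replaces the inherited
    environment rather than extending it, which is the property the fix needs."""
    return subprocess.run(argv, env=hardened_child_env(caller_env),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed request, shaped like what a compromised sandboxed app might send.
    request = {"LANG": "C.UTF-8", "LD_PRELOAD": "/tmp/evil.so"}
    helper = {"PATH": "/usr/bin:/bin", "HOME": "/root"}
    print("before:", vulnerable_child_env(request, helper))  # LD_PRELOAD reaches the child
    try:
        hardened_child_env(request)
    except RejectedEnvironment as exc:
        print("after:", exc)                                 # request refused
    print(spawn(["/usr/bin/env"], {"LANG": "C.UTF-8", "FOO": "x"}).stdout)
```

Rejecting rather than dropping a denied name is a deliberate choice: a caller that asks for `LD_PRELOAD` is either broken or hostile, and either way the operator wants the request to fail in a way that can be logged and alerted on.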

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1094=1
  o SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1094=1

Package List:

  o SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64
    ppc64le s390x x86_64):
       flatpak-1.10.2-4.6.1
       flatpak-debuginfo-1.10.2-4.6.1
       flatpak-debugsource-1.10.2-4.6.1
       flatpak-devel-1.10.2-4.6.1
       flatpak-zsh-completion-1.10.2-4.6.1
       libflatpak0-1.10.2-4.6.1
       libflatpak0-debuginfo-1.10.2-4.6.1
       libostree-2020.8-3.3.2
       libostree-debuginfo-2020.8-3.3.2
       libostree-debugsource-2020.8-3.3.2
       libostree-devel-2020.8-3.3.2
       system-user-flatpak-1.10.2-4.6.1
       typelib-1_0-Flatpak-1_0-1.10.2-4.6.1
       typelib-1_0-OSTree-1_0-2020.8-3.3.2
       xdg-desktop-portal-1.8.0-5.3.2
       xdg-desktop-portal-debuginfo-1.8.0-5.3.2
       xdg-desktop-portal-debugsource-1.8.0-5.3.2
       xdg-desktop-portal-devel-1.8.0-5.3.2
       xdg-desktop-portal-gtk-1.8.0-3.3.1
       xdg-desktop-portal-gtk-debuginfo-1.8.0-3.3.1
       xdg-desktop-portal-gtk-debugsource-1.8.0-3.3.1
  o SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (noarch):
       xdg-desktop-portal-gtk-lang-1.8.0-3.3.1
       xdg-desktop-portal-lang-1.8.0-5.3.2
  o SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x
    x86_64):
       libostree-1-1-2020.8-3.3.2
       libostree-1-1-debuginfo-2020.8-3.3.2
       libostree-debuginfo-2020.8-3.3.2
       libostree-debugsource-2020.8-3.3.2
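To check a host against the package list above without relying on `zypper` being reachable, here is an added example that is not part of the SUSE or AusCERT text: a Python script that implements RPM's segment-wise version comparison (the rpmvercmp rules for numeric, alphabetic and `~` segments; epochs and `^` are not handled, and none of the listed packages carries an epoch) and reports every affected package installed at a version older than the fixed one. The `rpm -qa` output embedded as `SAMPLE` is constructed for the example, not captured from a real host; when `rpm` is available the script queries it instead. The package names and fixed versions are taken from the bulletin's Package List.

```python
"""Compare installed package versions against the fixed versions listed in
SUSE-SU-2021:1094-1.  Added example, not part of the bulletin; SAMPLE below is
constructed `rpm -qa` output, not captured from a real host."""
import re
import subprocess
from itertools import zip_longest

# Fixed version-release strings from the bulletin's Package List (no epochs).
FIXED = {
    "flatpak": "1.10.2-4.6.1",
    "libflatpak0": "1.10.2-4.6.1",
    "libostree": "2020.8-3.3.2",
    "libostree-1-1": "2020.8-3.3.2",
    "xdg-desktop-portal": "1.8.0-5.3.2",
    "xdg-desktop-portal-gtk": "1.8.0-3.3.1",
}

# rpmvercmp splits on everything that is not a digit, a letter or a tilde.
_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 following rpmvercmp: numeric segments compare as
    integers, alphabetic ones as strings, numeric beats alphabetic, and '~'
    sorts before anything, including the end of the string (1.0~rc1 < 1.0)."""
    if a == b:
        return 0
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x is None:
            return -1
        if y is None:
            return 1
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x_num != y_num:
            c = 1 if x_num else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_rpm_qa(text):
    """Parse lines of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\\n'`."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def unpatched(installed):
    """Map each affected package installed below its fixed version to
    (installed, fixed); packages not in FIXED are ignored."""
    return {name: (have, FIXED[name]) for name, have in installed.items()
            if name in FIXED and evr_cmp(have, FIXED[name]) < 0}


# Constructed sample: two packages behind, two already at the fixed version,
# one unrelated package.
SAMPLE = """\
flatpak 1.10.1-4.3.1
libflatpak0 1.10.1-4.3.1
libostree-1-1 2020.8-3.3.2
xdg-desktop-portal 1.8.0-5.3.2
xdg-desktop-portal-gtk 1.6.0-3.2.1
bash 4.4-9.10.1
"""


def main():
    try:
        out = subprocess.run(
            ["rpm", "-qa", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n"],
            check=True, capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE  # fall back to the constructed sample off a SUSE host
    for name, (have, want) in sorted(unpatched(parse_rpm_qa(out)).items()):
        print(f"{name}: installed {have} is older than fixed {want}")


if __name__ == "__main__":
    main()
```

A plain string comparison would get `1.10.2` versus `1.9.9` wrong, which is why the segment comparison is worth carrying rather than shelling out to `sort -V`; the same `evr_cmp` can be pointed at any other bulletin's package list by swapping `FIXED`.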


References:

  o https://www.suse.com/security/cve/CVE-2021-21261.html
  o https://bugzilla.suse.com/1133120
  o https://bugzilla.suse.com/1133124
  o https://bugzilla.suse.com/1175899
  o https://bugzilla.suse.com/1180996

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================