Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.1186 Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk 9 April 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: flatpak libostree xdg-desktop-portal xdg-desktop-portal-gtk Publisher: SUSE Operating System: SUSE Impact/Access: Execute Arbitrary Code/Commands -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2021-21261 Reference: ESB-2021.0416 ESB-2021.0409 ESB-2021.0341 Original Bulletin: https://www.suse.com/support/update/announcement/2021/suse-su-20211094-1 - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for flatpak, libostree, xdg-desktop-portal, ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1094-1 Rating: important References: #1133120 #1133124 #1175899 #1180996 Cross-References: CVE-2021-21261 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ xdg-desktop-portal-gtk An update that solves one vulnerability, contains one feature and has three fixes is now available. Description: This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues: libostree: Update to version 2020.8 o Enable LTO. (bsc#1133120) o This update contains scalability improvements and bugfixes. o Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be re-downloaded if not changed in the meanwhile. o Summaries and delta have been reworked to allow more fine-grained fetching. o Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures. o Static deltas can now be signed to more easily support offline verification. o There's now support for multiple initramfs images; Is it possible to have a "main" initramfs image and a secondary one which represents local configuration. o The documentation is now moved to https://ostreedev.github.io/ostree/ o Fix for an assertion failure when upgrading from systems before ostree supported devicetree. o ostree no longer hardlinks zero sized files to avoid hitting filesystem maximum link counts. o ostree now supports `/` and `/boot` being on the same filesystem. o Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for the immutable bit on s390x, dropping a deprecated bit in the systemd unit file. o Fix a regression 2020.4 where the "readonly sysroot" changes incorrectly left the sysroot read-only on systems that started out with a read-only `/` (most of them, e.g. Fedora Silverblue/IoT at least). o The default dracut config now enables reproducibility. o There is a new ostree admin unlock `--transient`. This should to be a foundation for further support for "live" updates. o New `ed25519` signing support, powered by `libsodium`. o stree commit gained a new `--base` argument, which significantly simplifies constructing "derived" commits, particularly for systems using SELinux. o Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. Enabling the `readonly=true` flag in the repo config is recommended. o Several fixes in locking for the temporary "staging" directories OSTree creates, particularly on NFS. o A new `timestamp-check-from-rev` option was added for pulls, which makes downgrade protection more reliable and will be used by Fedora CoreOS. o Several fixes and enhancements made for "collection" pulls including a new `--mirror` option. o The ostree commit command learned a new `--mode-ro-executables` which enforces `W^R` semantics on all executables. o Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE` to help standardize the architecture of the OSTree commit. This could be used on the client side for example to sanity-check that the commit matches the architecture of the machine before deploying. o Stop invalid usage of `%_libexecdir`: + Use `%{_prefix}/lib` where appropriate. + Use `_systemdgeneratordir` for the systemd-generators. + Define `_dracutmodulesdir` based on `dracut.pc`. Add BuildRequires(dracut) for this to work. xdg-desktop-portal: Update to version 1.8.0: o Ensure systemd rpm macros are called at install/uninstall times for systemd user services. o Add BuildRequires on systemd-rpm-macros. o openuri: - Allow skipping the chooser for more URL tyles - Robustness fixes o filechooser: - Return the current filter - Add a "directory" option - Document the "writable" option o camera: - Make the client node visible - Don't leak pipewire proxy o Fix file descriptor leaks o Testsuite improvements o Updated translations. o document: - Reduce the use of open fds - Add more tests and fix issues they found - Expose directories with their proper name - Support exporting directories - New fuse implementation o background: Avoid a segfault o screencast: Require pipewire 0.3 o Better support for snap and toolbox o Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the binary. (bsc#1175899) Without it, files or dirs can be selected, but whatever is done with or in them, will not have any effect o Fixes for `%_libexecdir` changing to `/usr/libexec` xdg-desktop-portal-gtk: Update to version 1.8.0: o filechooser: - Return the current filter - Handle the "directory" option to select directories - Only show preview when we have an image o screenshot: Fix cancellation o appchooser: Avoid a crash o wallpaper: - Properly preview placement settings - Drop the lockscreen option o printing: Improve the notification o Updated translations. o settings: Fall back to gsettings for enable-animations o screencast: Support Mutter version to 3 (New pipewire api ver 3). flatpak: o Update to version 1.10.2 (jsc#SLE-17238, ECO-3148) o This is a security update which fixes a potential attack where a flatpak application could use custom formated `.desktop` file to gain access to files on the host system. o Fix memory leaks o Documentation and translations updates o Spawn portal better handles non-utf8 filenames o Fix flatpak build on systems with setuid bwrap o Fix crash on updating apps with no deploy data o Remove deprecated texinfo packaging macros. o Support for the new repo format which should make updates faster and download less data. o The systemd generator snippets now call flatpak `--print-updated-env` in place of a bunch of shell for better login performance. o The `.profile` snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh. o Flatpak now finds the pulseaudio sockets better in uncommon configurations. o Sandboxes with network access it now also has access to the `systemd-resolved` socket to do dns lookups. o Flatpak supports unsetting environment variables in the sandbox using `--unset-env`, and `--env=FOO=` now sets FOO to the empty string instead of unsetting it. o The spawn portal now has an option to share the pid namespace with the sub-sandbox. o This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by controlling the environment of the "flatpak run" command when spawning a sub-sandbox (bsc#1180996, CVE-2021-21261) o Fix support for ppc64. o Move flatpak-bisect and flatpak-coredumpctl to devel subpackage, allow to remove python3 dependency on main package. o Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124) o Fixed progress reporting for OCI and extra-data. o The in-memory summary cache is more efficient. o Fixed authentication getting stuck in a loop in some cases. o Fixed authentication error reporting. o Extract OCI info for runtimes as well as apps. o Fixed crash if anonymous authentication fails and `-y` is specified. o flatpak info now only looks at the specified installation if one is specified. o Better error reporting for server HTTP errors during download. o Uninstall now removes applications before the runtime it depends on. o Avoid updating metadata from the remote when uninstalling. o FlatpakTransaction now verifies all passed in refs to avoid. o Added validation of collection id settings for remotes. o Fix seccomp filters on s390. o Robustness fixes to the spawn portal. o Fix support for masking update in the system installation. o Better support for distros with uncommon models of merged `/usr`. o Cache responses from localed/AccountService. o Fix hangs in cases where `xdg-dbus-proxy` fails to start. o Fix double-free in cups socket detection. o OCI authenticator now doesn't ask for auth in case of http errors. o Fix invalid usage of `%{_libexecdir}` to reference systemd directories. o Fixes for `%_libexecdir` changing to `/usr/libexec` o Avoid calling authenticator in update if ref didn't change o Don't fail transaction if ref is already installed (after transaction start) o Fix flatpak run handling of userns in the `--device=all` case o Fix handling of extensions from different remotes o Fix flatpak run `--no-session-bus` o `FlatpakTransaction` has a new signal `install-authenticator` which clients can handle to install authenticators needed for the transaction. This is done in the CLI commands. o Now the host timezone data is always exposed, fixing several apps that had timezone issues. o There's a new systemd unit (not installed by default) to automatically detect plugged in usb sticks with sideload repos. o By default the `gdm env.d` file is no longer installed because the systemd generators work better. o `create-usb` now exports partial commits by default o Fix handling of docker media types in oci remotes o Fix subjects in `remote-info --log` output o This release is also able to host flatpak images on e.g. docker hub. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1094=1 o SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1094=1 Package List: o SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): flatpak-1.10.2-4.6.1 flatpak-debuginfo-1.10.2-4.6.1 flatpak-debugsource-1.10.2-4.6.1 flatpak-devel-1.10.2-4.6.1 flatpak-zsh-completion-1.10.2-4.6.1 libflatpak0-1.10.2-4.6.1 libflatpak0-debuginfo-1.10.2-4.6.1 libostree-2020.8-3.3.2 libostree-debuginfo-2020.8-3.3.2 libostree-debugsource-2020.8-3.3.2 libostree-devel-2020.8-3.3.2 system-user-flatpak-1.10.2-4.6.1 typelib-1_0-Flatpak-1_0-1.10.2-4.6.1 typelib-1_0-OSTree-1_0-2020.8-3.3.2 xdg-desktop-portal-1.8.0-5.3.2 xdg-desktop-portal-debuginfo-1.8.0-5.3.2 xdg-desktop-portal-debugsource-1.8.0-5.3.2 xdg-desktop-portal-devel-1.8.0-5.3.2 xdg-desktop-portal-gtk-1.8.0-3.3.1 xdg-desktop-portal-gtk-debuginfo-1.8.0-3.3.1 xdg-desktop-portal-gtk-debugsource-1.8.0-3.3.1 o SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (noarch): xdg-desktop-portal-gtk-lang-1.8.0-3.3.1 xdg-desktop-portal-lang-1.8.0-5.3.2 o SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libostree-1-1-2020.8-3.3.2 libostree-1-1-debuginfo-2020.8-3.3.2 libostree-debuginfo-2020.8-3.3.2 libostree-debugsource-2020.8-3.3.2 References: o https://www.suse.com/security/cve/CVE-2021-21261.html o https://bugzilla.suse.com/1133120 o https://bugzilla.suse.com/1133124 o https://bugzilla.suse.com/1175899 o https://bugzilla.suse.com/1180996 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYG+TVuNLKJtyKPYoAQg6MQ/+Ov77YXqURUu2pq1VJ3p2aYO6Ti/O6HAa qlZFTNtx1ZL6WI2XEU7UpYNmRZeFoObbx+i7s8QiGtn+v26B+k1FgXgogsNF3JJF kgQlnFt2WBli4V0MUzEosu93mdIEUfhW4nq+Gi2ptGY8XG/mZs5FWInp9KIJhpTg Q52CUEWVhAsiRuRC39bDoYRPa847sP8PEab8ML7rgNswIfGagqxGS7JEoI1k0fwG UyrORQ+PQSgJI/18JXa5yyjNwmZIFWjTcYi/7QybzzyywRo8z4/nTDkwIataYwWz v6PDePVWtsI6EyECNrzgagXZ3vn3aQaEAStoR/gUwIlu6jALC7q7l+1u+HGkA7ZT WtE9eYq6y4tN0nA8Hub/u7WxJWS4BmbSPikcfV7zUXXevX9FL6R65u0iWKdqFfN4 ulx4wf3K9vTKOLM2einJhPoaDYOskAmfK7pjaqCx9p3160AqIGFhLYTKTfbErRlz +geiKmSrVL/rZa9BcFh7yXMMzXwjYelMj9eKKwj0pL59PBb9HwWqkq5VRBjhHbSh BtWb9lGKh4JIJYg7sU4LtnUrY7rSt84iAu7jqrNGVLxL530I8JFAhwL1ATIOx3s4 TX889JCVl2s2o3GbHe7/P5133ntUdey/VMBaZOzelDGLDL29GqCJr/UQLgnWDd5d MFi7NGqMZ4M= =sYen -----END PGP SIGNATURE-----