Security update for flatpak SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:2990-1 Final 1 1 2022-09-01T13:47:39Z current 2022-09-01T13:47:39Z 2022-09-01T13:47:39Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for flatpak This update for flatpak fixes the following issues: - CVE-2021-21381: Fixed an issue where a sandboxed application could read and write arbitrary host files via special tokens in the .desktop file (bsc#1183459). - CVE-2021-21261: Fixed a sandbox escape issue via the flatpak-portal service (bsc#1180996). Non-security fixes: - openh264 extension needs to use 'extra_data'. (bsc#1155688) The update will provide the support for extra_data' in extensions and will provide a list of versions that are supported. This will be useful for the extra_data for extensions because that will require it to say that it is supported for version > 1.2.5 in the 1.2 series and > 1.4.2 otherwise. The update will includes fixes for a segfault in the function that lists the installed references (flatpak_installation_list_installed_refs). When an appstream update is cancelled while downloading icons, the update will show a proper fail. Before this fix the next update attempt will see an up-to-date timestamp, think everyhing is ok and not download the missing icons. The update will introduce checks in the OCI (Open Container Initiative format) updates for validating if it is gpg verified. The update will install the required runtime for the installed extension. The update will prevent a crash if the 'FlatpakDir' can't ensure it has a repo configured. The update will prevent the removal of local extensions considered remote and not locally related. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-2990,SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-2990,SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-2990,SUSE-SLE-Product-SLES-15-SP1-BCL-2022-2990,SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-2990,SUSE-SLE-Product-SLES_SAP-15-SP1-2022-2990,SUSE-Storage-6-2022-2990 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20222990-1/ Link for SUSE-SU-2022:2990-1 https://lists.suse.com/pipermail/sle-security-updates/2022-September/012061.html E-Mail link for SUSE-SU-2022:2990-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1155688 SUSE Bug 1155688 https://bugzilla.suse.com/1180996 SUSE Bug 1180996 https://bugzilla.suse.com/1183459 SUSE Bug 1183459 https://www.suse.com/security/cve/CVE-2021-21261/ SUSE CVE CVE-2021-21261 page https://www.suse.com/security/cve/CVE-2021-21381/ SUSE CVE CVE-2021-21381 page SUSE Enterprise Storage 6 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS SUSE Linux Enterprise Server 15 SP1-BCL SUSE Linux Enterprise Server 15 SP1-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP1 flatpak-1.2.3-150100.4.5.2 flatpak-devel-1.2.3-150100.4.5.2 flatpak-zsh-completion-1.2.3-150100.4.5.2 libflatpak0-1.2.3-150100.4.5.2 typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 flatpak-1.2.3-150100.4.5.2 as a component of SUSE Enterprise Storage 6 flatpak-devel-1.2.3-150100.4.5.2 as a component of SUSE Enterprise Storage 6 flatpak-zsh-completion-1.2.3-150100.4.5.2 as a component of SUSE Enterprise Storage 6 libflatpak0-1.2.3-150100.4.5.2 as a component of SUSE Enterprise Storage 6 typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 as a component of SUSE Enterprise Storage 6 flatpak-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS flatpak-devel-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS flatpak-zsh-completion-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS libflatpak0-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS flatpak-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS flatpak-devel-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS flatpak-zsh-completion-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS libflatpak0-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS flatpak-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server 15 SP1-BCL flatpak-devel-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server 15 SP1-BCL flatpak-zsh-completion-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server 15 SP1-BCL libflatpak0-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server 15 SP1-BCL typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server 15 SP1-BCL flatpak-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS flatpak-devel-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS flatpak-zsh-completion-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS libflatpak0-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS flatpak-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 flatpak-devel-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 flatpak-zsh-completion-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 libflatpak0-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0. CVE-2021-21261 SUSE Enterprise Storage 6:flatpak-1.2.3-150100.4.5.2 SUSE Enterprise Storage 6:flatpak-devel-1.2.3-150100.4.5.2 SUSE Enterprise Storage 6:flatpak-zsh-completion-1.2.3-150100.4.5.2 SUSE Enterprise Storage 6:libflatpak0-1.2.3-150100.4.5.2 SUSE Enterprise Storage 6:typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:flatpak-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:flatpak-devel-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:flatpak-zsh-completion-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libflatpak0-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:flatpak-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:flatpak-devel-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:flatpak-zsh-completion-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libflatpak0-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-BCL:flatpak-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-BCL:flatpak-devel-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-BCL:flatpak-zsh-completion-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-BCL:libflatpak0-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-BCL:typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-LTSS:flatpak-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-LTSS:flatpak-devel-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-LTSS:flatpak-zsh-completion-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-LTSS:libflatpak0-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-LTSS:typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:flatpak-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:flatpak-devel-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:flatpak-zsh-completion-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libflatpak0-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20222990-1/ https://www.suse.com/security/cve/CVE-2021-21261.html CVE-2021-21261 https://bugzilla.suse.com/1180996 SUSE Bug 1180996 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit "`Disallow @@ and @@U usage in desktop files`". The follow-up commits "`dir: Reserve the whole @@ prefix`" and "`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`. CVE-2021-21381 SUSE Enterprise Storage 6:flatpak-1.2.3-150100.4.5.2 SUSE Enterprise Storage 6:flatpak-devel-1.2.3-150100.4.5.2 SUSE Enterprise Storage 6:flatpak-zsh-completion-1.2.3-150100.4.5.2 SUSE Enterprise Storage 6:libflatpak0-1.2.3-150100.4.5.2 SUSE Enterprise Storage 6:typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:flatpak-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:flatpak-devel-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:flatpak-zsh-completion-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libflatpak0-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:flatpak-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:flatpak-devel-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:flatpak-zsh-completion-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libflatpak0-1.2.3-150100.4.5.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-BCL:flatpak-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-BCL:flatpak-devel-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-BCL:flatpak-zsh-completion-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-BCL:libflatpak0-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-BCL:typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-LTSS:flatpak-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-LTSS:flatpak-devel-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-LTSS:flatpak-zsh-completion-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-LTSS:libflatpak0-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server 15 SP1-LTSS:typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:flatpak-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:flatpak-devel-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:flatpak-zsh-completion-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libflatpak0-1.2.3-150100.4.5.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:typelib-1_0-Flatpak-1_0-1.2.3-150100.4.5.2 important 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20222990-1/ https://www.suse.com/security/cve/CVE-2021-21381.html CVE-2021-21381 https://bugzilla.suse.com/1183459 SUSE Bug 1183459