Bug 23866

Summary: flatpak new security issue fixed upstream in 1.0.8
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Neal Gompa <ngompa13>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: fri, mhrambo3501, sebsweb, shlomif
Version: 6
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: flatpak-1.0.0-1.mga7.src.rpm
CVE:
Status comment:
Bug Depends on: 24355
Bug Blocks:

Description David Walser 2018-11-20 23:42:16 CET
Fedora has issued an advisory on November 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YEDIAIR7F3AUCXO54XC6RE46RVPGA4YM/

It's an issue with creating setuid root files in app dirs.

Mageia 6 might also be affected.
Comment 1 Shlomi Fish 2019-01-02 21:49:41 CET
flatpak 1.0.6 pushed to mga7.

CC: (none) => shlomif

Comment 2 David Walser 2019-01-02 23:00:50 CET
Thank you!

Version: Cauldron => 6

Comment 3 Sébastien Morin 2019-01-09 20:09:23 CET
Could you please consider updating flatpak to the current 1.1.2 version for Mga7?

CC: (none) => sebsweb

Comment 4 Neal Gompa 2019-01-11 02:32:21 CET
(In reply to Sébastien Morin from comment #3)
> Could you please consider updating flatpak to the current 1.1.2 version for
> Mga7?

I don't want to accidentally ship with a non-stable series of Flatpak again like what accidentally happened for Mageia 6. If Flatpak 1.2 releases soon, I'll pull it in.
Comment 5 Neal Gompa 2019-01-11 02:32:43 CET
Sorry, to clarify, "stable" refers to longterm stable series.
Comment 6 Sébastien Morin 2019-01-11 08:47:17 CET
Ok! Thank you very much!
David Walser 2019-02-13 04:11:07 CET

Depends on: (none) => 24355

Comment 7 Sébastien Morin 2019-03-01 07:05:51 CET
Hello,
It seems flatpak 1.2.3 was released a few weeks ago.
Is it a good candidate for Mga7 (and maybe also for a Mga6 backport)?
Comment 8 David Walser 2019-03-12 15:39:44 CET
1.0.7 has fixes related to CVE-2019-5736.

Fedora has issued an advisory for this on February 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZZ5H7RY4AI4DNSISDE6BZTZHYJFQQQZK/
Morgan Leijström 2019-03-13 00:39:54 CET

CC: (none) => fri

Comment 9 David Walser 2019-03-31 22:04:38 CEST
1.0.8 fixes CVE-2019-10063.

Fedora has issued an advisory for this today (March 31):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3GJNKDZO66IFQGFDHAHFT3LVJYMDDAOX/

Version: 6 => Cauldron
Summary: flatpak new security issue fixed upstream in 1.0.6 => flatpak new security issue fixed upstream in 1.0.8
Whiteboard: (none) => MGA6TOO

Comment 10 David Walser 2019-04-01 00:40:03 CEST
flatpak-1.0.8-1.mga7 uploaded for Cauldron by Shlomi.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 11 Mike Rambo 2019-11-06 13:46:04 CET
Mageia 6 is EOL.

CC: (none) => mrambo
Resolution: (none) => OLD
Status: NEW => RESOLVED