Bug 22562 - flatpak new security issue CVE-2018-6560
Summary: flatpak new security issue CVE-2018-6560
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok
Keywords: has_procedure
Depends on:
Blocks:
 
Reported: 2018-02-10 21:37 CET by David Walser
Modified: 2018-02-17 11:12 CET (History)
3 users (show)

See Also:
Source RPM: flatpak-0.10.0-1.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 0.10.3


Attachments

Description David Walser 2018-02-10 21:37:16 CET
openSUSE has issued an advisory on February 8:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00019.html

The issue was fixed upstream in 0.10.3 on January 31:
https://github.com/flatpak/flatpak/releases/tag/0.10.3

Mageia 6 is also affected.
David Walser 2018-02-10 21:37:23 CET

Whiteboard: (none) => MGA6TOO

David Walser 2018-02-10 22:07:44 CET

Status comment: (none) => Fixed upstream in 0.10.3

Comment 1 David Walser 2018-02-10 22:24:49 CET
Fedora has issued an advisory for this on February 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QOYBT2233N67VDJDQVQ3EPNW4GTUXVLF/
Comment 2 David Walser 2018-02-12 03:37:24 CET
flatpak-0.10.3-1.mga7 uploaded for Cauldron by Neal.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 3 Neal Gompa 2018-02-12 14:07:31 CET
bubblewrap-0.2.0-1.mga6, ostree-2018.1-1.mga6, flatpak-0.10.3-1.mga6, flatpak-builder-0.10.6-1.mga6, xdg-desktop-portal-0.9-1.mga6, xdg-desktop-portal-gtk-0.9-1.mga6, and appstream-glib-0.7.6-1.mga6 have been uploaded to updates_testing for this.
Comment 4 David Walser 2018-02-13 02:47:37 CET
Advisory:
========================

Updated flatpak packages fix security vulnerability:

A sandbox escape in the flatpak dbus proxy in the authentication phase
(CVE-2018-6560).

The flatpak has been upgraded to the latest stable version, 0.10.3, which fixes
this issue.  The bubblewrap, ostree, flatpak-builder, xdg-desktop-portal,
xdg-desktop-portal-gtk, and appstream-glib packages have also been upgraded to
support this updated.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6560
https://lists.opensuse.org/opensuse-updates/2018-02/msg00019.html
========================

Updated packages in core/updates_testing:
========================
ostree-2018.1-1.mga6
libostree1-2018.1-1.mga6
libostree-devel-2018.1-1.mga6
libostree-gir1.0-2018.1-1.mga6
ostree-grub2-2018.1-1.mga6
ostree-tests-2018.1-1.mga6
bubblewrap-0.2.0-1.mga6
appstream-util-0.7.6-1.mga6
libappstream-glib8-0.7.6-1.mga6
libappstream-builder8-0.7.6-1.mga6
libappstream-glib-gir1.0-0.7.6-1.mga6
libappstream-builder-gir1.0-0.7.6-1.mga6
libappstream-glib-devel-0.7.6-1.mga6
appstream-glib-i18n-0.7.6-1.mga6
flatpak-0.10.3-1.mga6
libflatpak-devel-0.10.3-1.mga6
libflatpak0-0.10.3-1.mga6
libflatpak-gir1.0-0.10.3-1.mga6
xdg-desktop-portal-0.9-1.mga6
xdg-desktop-portal-devel-0.9-1.mga6
flatpak-builder-0.10.6-1.mga6
xdg-desktop-portal-gtk-0.9-1.mga6

from SRPMS:
bubblewrap-0.2.0-1.mga6.src.rpm
ostree-2018.1-1.mga6.src.rpm
flatpak-0.10.3-1.mga6.src.rpm
flatpak-builder-0.10.6-1.mga6.src.rpm
xdg-desktop-portal-0.9-1.mga6.src.rpm
xdg-desktop-portal-gtk-0.9-1.mga6.src.rpm
appstream-glib-0.7.6-1.mga6.src.rpm

CC: (none) => ngompa13
Assignee: ngompa13 => qa-bugs

Comment 5 Brian Rockwell 2018-02-15 15:53:03 CET
wikipedia mentions libreoffice, gimp, blender, pitivi and linphone

does installing any of these take advantage of flatpak? Or is the testing in really building the deploy of the application?

CC: (none) => brtians1

Comment 6 Herman Viaene 2018-02-15 18:58:16 CET
MGA6-32 on Dell Latitude D600
No installation issues
First tried to use flatpak command, but that's a bit complicated. Searching for a GUI brings me to gnome-software.
Run that with strace shows that flatpak lib is called.  But in the process of looking for sources for items, it finds nothing because there are no sources defined. I can click on a button to get sources, but there is an error in the journal trying yum location for the mageia repo on Belnet, but that site is now very very slow to respond and there is curl error, and subsequently gnome-software segfaults.
So, I cann't see if flatpak sources get populated right now. Maybe tomorrow.

CC: (none) => herman.viaene

Comment 7 Herman Viaene 2018-02-16 11:57:21 CET
Today, gnome-software crashed first time while I tried it to force to find Software sources while it was still trying to list the applications.
On the second run, I let it first finish its list. It came up with a correct list of installed rpms, but no availables , no updates.
Making it search for software sources, just resulted in an empty list.
In the trace I can see it picks up the location of the MGA repos, but at the CLI I get errors in accessing gnome sites, and that seems the end of the search.
In the trace I see calls to the flatpak libs, but gnome-software never gets to the point to populatee its database.
The errrors:
10:27:00:0600 As  no path data for /var/cache/app-info/xmls
10:27:05:0970 Gs  failed to call gs_plugin_add_installed on shell-extensions: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.Shell was not provided by any .service files
10:27:06:0008 Gs  hiding category graphics featured applications: found only 0 to show, need at least 9
10:27:06:0036 Gs  hiding category games featured applications: found only 0 to show, need at least 9
10:27:06:0082 Gs  not handling error not-supported for action get-installed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.Shell was not provided by any .service files
10:27:06:0119 Gs  failed to get featured apps: no apps to show
10:27:20:0783 Gs  failed to call gs_plugin_refresh on packagekit-refresh: cancelled by user action
10:27:25:0459 Gs  failed to call gs_plugin_refresh on packagekit-refresh: cancelled by user action

That is the end of the road for me.

@ Brian: what you found indicates that there might be flatpaks available to install LibreOffice. At least this I guess from your info.
Comment 8 claire robinson 2018-02-16 17:20:08 CET
Testing mga6 64

Flatpak is a kind of container software, sort of like docker, but oriented towards desktop applications which installs flatpaks and runs them in a self contained sandboxed environment - complete with their own libs, etc. 

You can add remote flatpak repositories and install flatpaks from there. There are a couple of talks on it at FOSDEM Youtube channel. 


Before
------
Adding the flathub remote repository
$ flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

Picked one of their packages to install - numptyphysics. It asks for root password to install each requirement.

$ flatpak install --from https://flathub.org/repo/appstream/io.thp.numptyphysics.flatpakref
Installing: io.thp.numptyphysics/x86_64/stable
Required runtime for io.thp.numptyphysics/x86_64/stable (org.freedesktop.Platform/x86_64/1.6) is not installed, searching...
Found in remote flathub, do you want to install it? [y/n]: y
Installing: org.freedesktop.Platform/x86_64/1.6 from flathub
[####################] 8 delta parts, 63 loose fetched; 133550 KiB transferred i

Installing: org.freedesktop.Platform.GL.default/i386/1.6 from flathub
[####################] 1 delta parts, 7 loose fetched; 54494 KiB transferred in 
Installing: org.freedesktop.Platform.GL.default/x86_64/1.6 from flathub
[####################] 1 delta parts, 7 loose fetched; 47837 KiB transferred in 
Installing: org.freedesktop.Platform.ffmpeg/x86_64/1.6 from flathub
[####################] 1 delta parts, 2 loose fetched; 2188 KiB transferred in 3
Installing: org.freedesktop.Platform.Locale/x86_64/1.6 from flathub
[####################] 4 metadata, 1 content objects fetched; 14 KiB transferred
Installing: io.thp.numptyphysics/x86_64/stable from flathub
[####################] 1 delta parts, 1 loose fetched; 1316 KiB transferred in 2

$ flatpak list
Ref                                            Options       
io.thp.numptyphysics/x86_64/stable             system,current
org.freedesktop.Platform.GL.default/i386/1.6   system,runtime
org.freedesktop.Platform.GL.default/x86_64/1.6 system,runtime
org.freedesktop.Platform.ffmpeg/x86_64/1.6     system,runtime
org.freedesktop.Platform/x86_64/1.6            system,runtime

$ flatpak run io.thp.numptyphysics

It opens as a normal application on the desktop. Played NumptyPhysics, which is quite fun.



After
-----
$ flatpak remotes
Name    Options
flathub system 

$ flatpak remote-ls flathub
Ref                                         
ca._0ldsk00l.Nestopia                       
ca.desrt.dconf-editor                       
ch.x29a.playitslowly                        
com.albiononline.AlbionOnline               
...etc

Played NumptyPhysics aain.
$ flatpak run io.thp.numptyphysics

Updated stuff
$ flatpak update io.thp.numptyphysics
Looking for updates...
Installing: org.freedesktop.Platform.VAAPI.Intel/x86_64/1.6 from flathub
[####################] 1 delta parts, 2 loose fetched; 2623 KiB transferred in 2
Updating: org.freedesktop.Platform.Locale/x86_64/1.6 from flathub
[####################] 4 delta parts, 120 loose fetched; 90180 KiB transferred i
Now at ab59ec512ad7.

Removed NumptyPhysics :(
$ flatpak uninstall io.thp.numptyphysics
Uninstalling: io.thp.numptyphysics/x86_64/stable


Didn't attempt to build a flatpak, which is rather more advanced.

Checked appstream (gnome software/plasma discover) with simple of appstream-util and using gnome-software to view available packages.

# appstream-util search flatpak
[00060] system/package/mageia-x86_64/addon/org.gnome.Software.Plugin.Flatpak/*
[00010] system/package/mageia-x86_64/desktop/org.gnome.Builder.desktop/*

Keywords: (none) => has_procedure
Whiteboard: (none) => mga6-64-ok

Comment 9 Herman Viaene 2018-02-17 11:12:29 CET
MGA6-32 on Dell Latitude D600 Mate
Replicated Claire's installation actions as above with the difference that I did all actions as root.
All seems OK until I try to run the program as a normal user:
The first time I get:
$ flatpak run io.thp.numptyphysics
[    0ms] [Os.cpp:176] Created dir /home/tester6/.var/app/io.thp.numptyphysics/data/numptyphysics
Failed to link shader: �
H�
H
After doing the update action as root (did not bring in anything)
$ flatpak run io.thp.numptyphysics

(process:18848): flatpak-WARNING **: Error writing credentials to socket: Error sending message: Broken pipe
Failed to link shader: �
H�
H
I wonder if installing as root is inappropriate here. Will do some googling.

Note You need to log in before you can comment on or make changes to this bug.