23866 – flatpak new security issue fixed upstream in 1.0.8

Bug 23866 - flatpak new security issue fixed upstream in 1.0.8

Summary: flatpak new security issue fixed upstream in 1.0.8

Status:	RESOLVED OLD

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	6
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Neal Gompa
QA Contact:	Sec team

URL:
Whiteboard:
Keywords:

Depends on:	24355
Blocks:
	Show dependency tree / graph

Reported:	2018-11-20 23:42 CET by David Walser
Modified:	2019-11-06 13:46 CET (History)
CC List:	4 users (show)

See Also:
Source RPM:	flatpak-1.0.0-1.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-11-20 23:42:16 CET

Fedora has issued an advisory on November 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YEDIAIR7F3AUCXO54XC6RE46RVPGA4YM/

It's an issue with creating setuid root files in app dirs.

Mageia 6 might also be affected.

Comment 1 Shlomi Fish 2019-01-02 21:49:41 CET

flatpak 1.0.6 pushed to mga7.

CC: (none) => shlomif

Comment 2 David Walser 2019-01-02 23:00:50 CET

Thank you!

Version: Cauldron => 6

Comment 3 Sébastien Morin 2019-01-09 20:09:23 CET

Could you please consider updating flatpak to the current 1.1.2 version for Mga7?

CC: (none) => sebsweb

Comment 4 Neal Gompa 2019-01-11 02:32:21 CET

(In reply to Sébastien Morin from comment #3)
> Could you please consider updating flatpak to the current 1.1.2 version for
> Mga7?

I don't want to accidentally ship with a non-stable series of Flatpak again like what accidentally happened for Mageia 6. If Flatpak 1.2 releases soon, I'll pull it in.

Comment 5 Neal Gompa 2019-01-11 02:32:43 CET

Sorry, to clarify, "stable" refers to longterm stable series.

Comment 6 Sébastien Morin 2019-01-11 08:47:17 CET

Ok! Thank you very much!

David Walser 2019-02-13 04:11:07 CET

Depends on: (none) => 24355

Comment 7 Sébastien Morin 2019-03-01 07:05:51 CET

Hello,
it seems flatpak 1.2.3 was released a few weeks ago.
Is it a good candidate for Mga7 (and maybe also for a Mga6 backport) ?

Comment 8 David Walser 2019-03-12 15:39:44 CET

1.0.7 has fixes related to CVE-2019-5736.

Fedora has issued an advisory for this on February 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZZ5H7RY4AI4DNSISDE6BZTZHYJFQQQZK/

Morgan Leijström 2019-03-13 00:39:54 CET

CC: (none) => fri

Comment 9 David Walser 2019-03-31 22:04:38 CEST

1.0.8 fixes CVE-2019-10063.

Fedora has issued an advisory for this today (March 31):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3GJNKDZO66IFQGFDHAHFT3LVJYMDDAOX/

Version: 6 => Cauldron
Summary: flatpak new security issue fixed upstream in 1.0.6 => flatpak new security issue fixed upstream in 1.0.8
Whiteboard: (none) => MGA6TOO

Comment 10 David Walser 2019-04-01 00:40:03 CEST

flatpak-1.0.8-1.mga7 uploaded for Cauldron by Shlomi.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 11 Mike Rambo 2019-11-06 13:46:04 CET

Mageia 6 is EOL.

CC: (none) => mrambo
Resolution: (none) => OLD
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.