Bug 27126 - flatpak new security issue fixed upstream in 1.8.5 (CVE-2021-21261)
Summary: flatpak new security issue fixed upstream in 1.8.5 (CVE-2021-21261)
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: Neal Gompa
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-17 19:53 CEST by Jose Manuel López
Modified: 2021-02-25 17:35 CET

See Also:
Source RPM: flatpak-1.4.1-1.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 1.8.5



Description Jose Manuel López 2020-08-17 19:53:30 CEST
Description of problem: The Mageia Flatpak version is outdated; the current version in Mageia is 1.4.1 and the latest version is 1.8.1. There are some applications that don't work fine, and I reported these bugs on their respective sites. They have asked me which flatpak version and operating system I have. When I saw the flatpak version in Mageia, I asked myself: could these bugs be caused by this outdated version?

Version-Release number of selected component (if applicable): Mageia 7.1 and Flatpak 1.4.1


How reproducible: Install Flatpak and check the version


Steps to Reproduce:
1. Install flatpak and check the version.
2. The current version in Mageia is 1.4.1
3. The version on the official GitHub site is 1.8.1
Comment 1 Lewis Smith 2020-08-17 20:50:13 CEST
Thank you for the comment. You suspect that problems you are having with Flatpak might be due to our version being out of date.

It looks as if it applies also to Cauldron, so changing the Version accordingly.
 flatpak-1.4.1-1.mga7.src.rpm
 flatpak-1.6.2-1.mga8.src.rpm

Assigning to Neal, the package maintainer.

Version: 7 => Cauldron
Whiteboard: (none) => MGA7TOO
Source RPM: Flatpak => flatpak-1.4.1-1.mga7.src.rpm, flatpak-1.6.2-1.mga8.src.rpm
Assignee: bugsquad => ngompa13

Comment 2 Olav Vitters 2020-08-18 10:04:12 CEST
Neal: I forgot to check who owns it. I'm updating it to 1.8.1 in Cauldron. There are a few new BuildRequires.

CC: (none) => olav

Comment 3 Neal Gompa 2020-08-18 10:09:59 CEST
That's fine, Olav, but make sure you rebuild GNOME Software and Plasma Discover with the new libflatpak afterward, because despite the "stable" ABI for libflatpak, they tend to randomly crash and fail in odd ways if they aren't rebuilt against new libflatpak. This rule basically only matters when doing minor version upgrades, as patch versions are usually safe.
Comment 4 Neal Gompa 2020-08-18 10:10:35 CEST
Oh, and all the portals need to be updated too, since they closely track the interfaces and behaviors of flatpak itself.
Comment 5 Olav Vitters 2020-08-18 11:16:41 CEST
The KDE portal and Discover packages have warnings not to rebuild them. Seems a bit silly, but I'm going to send a message to dev about that.
Comment 6 Nicolas Lécureuil 2020-08-18 11:22:22 CEST
please go ahead with this change :-)

CC: (none) => mageia

Comment 7 Olav Vitters 2020-08-18 11:31:37 CEST
Thanks! Also, sorry for being a bit harsh here about the instructions. When I linked to the bug I forgot how I wrote that.
Comment 8 Jose Manuel López 2020-08-21 12:06:47 CEST
Hi!

Since Mageia 8 Beta 1, I have installed Discover and flatpak 1.8.1. I can confirm from here that the problems I had with the applications Spotify, Deltachat and Element have been solved and now they work perfectly.

So the bugs I reported are due to flatpak and its dependencies being outdated, I guess.
Comment 9 Jose Manuel López 2020-08-21 12:07:22 CEST
But if you want to use these applications or others without errors in Mageia 7 you will have to update it.
Comment 10 Morgan Leijström 2020-08-21 12:57:09 CEST
Related: do not forget
Bug 25978 - Package flatpak-tests require flatpak-libs which does not exist

CC: (none) => fri

Comment 11 Jose Manuel López 2020-08-24 11:41:04 CEST
But in Mageia 7 I haven't had problems with the flatpak installation.

The problem is that some applications don't work fine because the flatpak version is outdated. I can confirm this, because in Mga8 I don't have this bug installing the same applications.
Comment 12 Aurelien Oudelet 2020-08-24 11:49:30 CEST
@Jose,
Have you done

$ flatpak update

in order to update all Frameworks?


I haven't seen any error with Mageia 8b1.
I haven't mga7 installed on any PC.
Comment 13 Jose Manuel López 2020-08-27 16:46:14 CEST
I have tried this; this appears in Konsole:

[jose@localhost ~]$ flatpak update
Looking for updates…
GLib-GIO-Message: 16:36:37.895: Using the 'memory' GSettings backend.  Your settings will not be saved or shared with other applications.
Nothing to do.
[jose@localhost ~]$

The apps Spotify and Element have been installed with Discover and in Mageia 7 don't work.

The same apps in Mageia 8 work fine installed from Discover.
Comment 14 Aurelien Oudelet 2020-08-27 17:02:21 CEST
And doing flatpak update as root too?

Source RPM: flatpak-1.4.1-1.mga7.src.rpm, flatpak-1.6.2-1.mga8.src.rpm => flatpak-1.4.1-1.mga7.src.rpm

Comment 15 Olav Vitters 2020-08-27 18:07:45 CEST
(In reply to Jose Manuel López from comment #13)
> I have tried this, appears in konsole:
> 
> [jose@localhost ~]$ flatpak update
> Looking for updates…
> GLib-GIO-Message: 16:36:37.895: Using the 'memory' GSettings backend.  Your
> settings will not be saved or shared with other applications.

This message is odd. I'd expect dconf to be installed and working. Not sure if it's logical due to Flatpak. Normally it would cause all kinds of issues.
Comment 16 Morgan Leijström 2020-08-27 22:19:15 CEST
It updates here on a mga7, updated including updates testing repos.

[morgan@svarten ~]$ flatpak update
Looking for updates…


        ID                                              Arch         Gren        Remote         Hämta
 1. [✓] org.freedesktop.Platform                        x86_64       19.08       flathub          9,6 MB / 238,5 MB
 2. [✓] org.freedesktop.Platform.Locale                 x86_64       19.08       flathub         16,6 kB / 318,3 MB
 3. [✓] org.signal.Signal                               x86_64       stable      flathub        105,7 MB / 134,9 MB
 4. [✓] org.kde.Platform                                x86_64       5.14        flathub         53,4 MB / 362,5 MB
 5. [✓] org.freedesktop.Platform.GL.default             x86_64       19.08       flathub         23,2 MB / 89,1 MB
 6. [✓] org.freedesktop.Platform.GL.nvidia-430-64       x86_64       1.4         flathub         71,3 MB / 71,8 MB
 7. [✓] org.kde.Platform.Locale                         x86_64       5.14        flathub        255,7 kB / 337,6 MB
 8. [✓] org.qelectrotech.QElectroTech                   x86_64       master      qet-devel        5,2 MB / 16,5 MB

Updates complete.
Info: org.gnome.Platform is end-of-life, with reason: The GNOME 3.32 runtime is no longer supported as of 11th March 2020. Please ask your application developer to migrate to a supported platform.
Info: org.gnome.Platform.Locale is end-of-life, with reason: The GNOME 3.32 runtime is no longer supported as of 11th March 2020. Please ask your application developer to migrate to a supported platform.


        ID                                          Arch           Gren          Remote         Hämta
 1. [✓] org.gnome.Platform                          x86_64         3.36          flathub        40,5 MB / 324,5 MB
 2. [✓] org.gnome.Platform.Locale                   x86_64         3.36          flathub        88,0 kB / 323,0 MB
 3. [✓] org.freedesktop.Platform.GL.default         x86_64         19.08         flathub        23,2 MB / 89,1 MB

Updates complete.


Gotta go now. Will try Spotify later.
Comment 17 Morgan Leijström 2020-08-27 23:50:24 CEST
Installed spotify: seems to launch OK but silently (in double meaning ;) ) fails to play music.
In the terminal from where I launched it:
/app/extra/share/spotify/spotify: /app/lib/libcurl-gnutls.so.4: no version information available (required by /app/extra/share/spotify/spotify)
/proc/self/exe: /app/lib/libcurl-gnutls.so.4: no version information available (required by /proc/self/exe)
Comment 18 Jose Manuel López 2020-09-01 11:27:59 CEST
I have already tried to do everything that is mentioned and the applications do not work in Mageia 7 and the current version of flatpak.
Comment 19 Aurelien Oudelet 2020-09-07 16:02:57 CEST
Same conclusion.

Flatpak is broken in Mageia 7. Mageia 8 Cauldron is OK, therefore.

This is the same output trying to launch Spotify in Mageia 7 (install is OK).

/app/extra/bin/spotify: /app/lib/libcurl-gnutls.so.4: no version information available (required by /app/extra/bin/spotify)
Gtk-Message: 15:55:39.885: Failed to load module "canberra-gtk-module"
/app/extra/share/spotify/spotify: /app/lib/libcurl-gnutls.so.4: no version information available (required by /app/extra/share/spotify/spotify)
/proc/self/exe: /app/lib/libcurl-gnutls.so.4: no version information available (required by /proc/self/exe)
/proc/self/exe: /app/lib/libcurl-gnutls.so.4: no version information available (required by /proc/self/exe)

Seems there are outdated files. Flatpak 1.8 in M8 is OK. So please update or backport it for our users in M7.

Priority: Normal => High
Whiteboard: MGA7TOO => Cauldron updated OK
Target Milestone: --- => Mageia 7
Version: Cauldron => 7
Severity: normal => critical

Comment 20 Aurelien Oudelet 2020-09-07 16:07:03 CEST
Flatpak version of Spotify seems to not have access to Internet.
It complains about Firewall blocking network or bad proxy settings.

But even after deactivating shorewall, it has no Internet access.
Therefore, it seems there is a bad permission issue that should be resolved by updating flatpak.
Comment 21 Dave Hodgins 2020-09-07 17:01:14 CEST
Note that to open the firewall, the command to use is "shorewall clear", not stopping shorewall.

CC: (none) => davidwhodgins

Comment 22 Aurelien Oudelet 2020-09-07 17:11:07 CEST
Yeah Dave,
I already did that way before stopping shorewall.

It seems flatpak apps can't have internet access, as if they don't have the permission / right to do so.
Morgan Leijström 2020-09-18 18:48:16 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=25544

Comment 23 Aurelien Oudelet 2020-09-19 18:09:12 CEST
Hi,
This is a High priority bug for a good reason.

Making Mageia even better than ever is the best direction.
In order to do the right thing, this bug should be examined and fixed as soon as possible.

Packagers, please set the status to Assigned when you are working on this.
Feel free to reassign the bug if badly triaged. Also, if the bug is old, please close it.

On October 1st 2020, we will drop priority to normal.
Comment 24 Jose Manuel López 2020-09-19 22:52:30 CEST
In Mageia 8 it works properly; it will be necessary to evaluate whether it is corrected for Mageia 7 or whether to just wait for it to leave the Mageia 8 cauldron.
Comment 25 Dan Fandrich 2020-12-11 18:22:17 CET
FWIW, trying to install org.chromium.Chromium on mga7 results in:

Error: org.chromium.Chromium needs a later flatpak version
error: Failed to install org.chromium.Chromium: app/org.chromium.Chromium/x86_64/stable needs a later flatpak version (1.8.2)

CC: (none) => dan

Comment 26 Lewis Smith 2020-12-11 19:39:46 CET
Re comments 2-7, 15: @Olav, Neal
That was all back in August. Any advance on this? It is clearly causing angst for Mageia 7 users, who will be around for some time yet.
Comment 27 Aurelien Oudelet 2020-12-22 17:10:55 CET
On this day, M7 Plasma x86_64, fully updated.
$ uname -a
Linux localhost 5.9.16-desktop-1.mga7 #1 SMP Mon Dec 21 16:51:55 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ flatpak --version
Flatpak 1.4.1

$ flatpak install com.spotify.client
Looking for matches…
Found similar ref(s) for ‘com.spotify.client’ in remote ‘flathub’ (system).
Use this remote? [Y/n]: 
Found ref ‘app/com.spotify.Client/x86_64/stable’ in remote ‘flathub’ (system).
Use this ref? [Y/n]: 
Skipping: com.spotify.Client/x86_64/stable is already installed
[aurelien@localhost ~]$ 
[aurelien@localhost ~]$ flatpak run com.spotify.Client
[aurelien@localhost ~]$ /app/extra/bin/spotify: /app/lib/libcurl-gnutls.so.4: no version information available (required by /app/extra/bin/spotify)
[spotifywm] attached to spotify
Gtk-Message: 16:51:08.593: Failed to load module "canberra-gtk-module"
[spotifywm] spotify window found
/app/extra/share/spotify/spotify: /app/lib/libcurl-gnutls.so.4: no version information available (required by /app/extra/share/spotify/spotify)
/app/extra/share/spotify/spotify: /app/lib/libcurl-gnutls.so.4: no version information available (required by /app/extra/share/spotify/spotify)
[spotifywm] attached to spotify
[spotifywm] attached to spotify
[spotifywm] spotify window found
/proc/self/exe: /app/lib/libcurl-gnutls.so.4: no version information available (required by /proc/self/exe)
[spotifywm] spotify window found
[spotifywm] attached to spotify
[spotifywm] spotify window found
[spotifywm] spotify window found

Connecting to my Spotify account is OK!
and I'm able to listen to music.

So, I imagine a fix somewhere in spotify app or under-the-hood frameworks.

Also:
$ flatpak install flathub im.riot.Riot
Looking for matches…

im.riot.Riot permissions:
    ipc       network       pulseaudio       x11       devices      file access [1]      dbus access [2]      bus ownership [3]

    [1] xdg-download, xdg-run/keyring
    [2] org.freedesktop.Notifications, org.freedesktop.portal.Fcitx, org.kde.StatusNotifierWatcher
    [3] org.kde.StatusNotifierItem-2-1


        ID                   Arch           Branch         Remote          Download
 1. [✓] im.riot.Riot         x86_64         stable         flathub         95,1 MB / 95,2 MB

Installation complete.
[aurelien@localhost ~]$ flatpak run im.riot.Riot
/home/aurelien/.var/app/im.riot.Riot/config/Element exists: no
/home/aurelien/.var/app/im.riot.Riot/config/Riot exists: no
Gtk-Message: 17:05:29.911: Failed to load module "canberra-gtk-module"
Starting auto update with base URL: https://packages.riot.im/desktop/update/
Auto update not supported on this platform
Error getting the event index passphrase out of the secret store [Error: org.freedesktop.DBus.Error.ServiceUnknown]

This correctly launches the Element Matrix IRC client.

BUT true about chromium.
$ flatpak install flathub org.chromium.Chromium
Looking for matches…

org.chromium.Chromium permissions:
    ipc             network                 cups                   pulseaudio               wayland                       x11
    devices         file access [1]         dbus access [2]        bus ownership [3]        system dbus access [4]

    [1] home, xdg-run/pipewire-0
    [2] org.freedesktop.FileManager1, org.freedesktop.Notifications, org.freedesktop.secrets, org.gnome.SessionManager
    [3] org.mpris.MediaPlayer2.chromium.*
    [4] org.freedesktop.Avahi, org.freedesktop.UPower


        ID                                     Arch             Branch           Remote            Download
 1. [✗] org.chromium.Chromium                  x86_64           stable           flathub           < 102,8 MB
 2. [ ] org.chromium.Chromium.Codecs           x86_64           stable           flathub             < 1,1 MB
 3. [ ] org.chromium.Chromium.Locale           x86_64           stable           flathub           < 113,6 kB (partial)

Error: org.chromium.Chromium needs a later flatpak version
error: Failed to install org.chromium.Chromium: app/org.chromium.Chromium/x86_64/stable needs a later flatpak version (1.8.2)

So, for M7 we need an updated version.

CC: (none) => ouaurelien

Comment 28 Aurelien Oudelet 2020-12-22 17:50:53 CET
Note that Cauldron/M8 has 1.8.1 version.
https://github.com/flatpak/flatpak/releases:

- 1.8.4 is available

- 1.9.3 (pre 1.10.0) release also available, with many fixes.

Source RPM: flatpak-1.4.1-1.mga7.src.rpm => flatpak-1.8.1-1.mga8.src.rpm
Status comment: (none) => flatpak-1.4.1-1.mga7.src.rpm
Whiteboard: Cauldron updated OK => MGA7TOO
Version: 7 => Cauldron
Target Milestone: Mageia 7 => Mageia 8

Comment 29 Thomas Backlund 2021-01-14 15:42:50 CET
I pushed flatpak 1.8.5 (up from 1.8.1) in Cauldron as it fixes at least one security issue.

https://github.com/flatpak/flatpak/releases/tag/1.8.5
Comment 30 Morgan Leijström 2021-01-14 16:33:25 CET
Any 1.8.5 for mga7 testing?

Is it too late to evaluate latest stable 1.10.0 in cauldron?
(which also includes the security fixes)
- I suggest to put it in, i.e., cauldron backport until tested OK
Comment 31 Thomas Backlund 2021-01-14 17:04:15 CET
I'm not flatpak maintainer, and the update is done from the last stable branch...
and switching to a new ".0" at this point is not really wise as it can/will affect several packages with no idea of how much will break...

--
Thomas
David Walser 2021-01-14 18:46:57 CET

Summary: Flatpak package is outdated => flatpak new security issue fixed upstream in 1.8.5
Severity: critical => major
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Priority: High => Normal
Target Milestone: Mageia 8 => ---
QA Contact: (none) => security
Source RPM: flatpak-1.8.1-1.mga8.src.rpm => flatpak-1.4.1-1.mga7.src.rpm
Component: RPM Packages => Security
Status comment: flatpak-1.4.1-1.mga7.src.rpm => Fixed upstream in 1.8.5

Comment 32 Neal Gompa 2021-01-15 15:57:11 CET
I will be updating to 1.10.0 because we need support for the new metadata format. I don't know how long older clients will stay working, so changing to the new stable series is important.
Comment 33 Morgan Leijström 2021-01-15 17:24:38 CET
(In reply to Thomas Backlund from comment #31)
> switching to a new ".0" at this point

".0" versions normally itch me too, but the 1.9 series was the "beta" series, so this is potentially much better off than several other software's ".0" releases.

1.10 is the new stable and, as Neal says, we need to support new software needing this.


And for mga7 we need 1.8.5 (at least for the security fix).
Comment 34 David Walser 2021-01-15 21:14:27 CET
Debian has issued an advisory for this on January 14:
https://www.debian.org/security/2021/dsa-4830
Comment 35 David Walser 2021-01-16 16:09:57 CET
Upstream advisory with CVE:
https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2

Summary: flatpak new security issue fixed upstream in 1.8.5 => flatpak new security issue fixed upstream in 1.8.5 (CVE-2021-21261)
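An added check, not part of this bug report or of flatpak itself: a POSIX sh snippet that parses the version strings quoted in this thread and flags an installed Flatpak older than 1.8.5, the upstream release that fixes CVE-2021-21261, or older than what an app demands (Chromium asked for 1.8.2 in comment 25). The sample strings are constructed from the outputs quoted above; the `flatpak` binary is not invoked, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the bug report or the flatpak project.
# Flags a Flatpak older than 1.8.5 (fix for CVE-2021-21261, per this bug)
# and checks an app's minimum against the installed version, using only
# POSIX sh and sed. Sample strings below are constructed from the thread.

FIXED_VERSION=1.8.5    # upstream release that fixes CVE-2021-21261

# vercmp_lt A B: succeed when dotted version A is numerically lower than B
# (so 1.10.0 sorts after 1.8.5, which plain string comparison gets wrong).
vercmp_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*} bi=${b%%.*}
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # versions are equal
}

# installed_version: reduce 'flatpak --version' output ("Flatpak 1.4.1"),
# read from stdin, to the bare number.
installed_version() {
    sed -n 's/^Flatpak \([0-9][0-9.]*\).*/\1/p'
}

# required_version: pull the "(1.8.2)" out of the install error quoted in comment 25.
required_version() {
    sed -n 's/.*needs a later flatpak version (\([0-9][0-9.]*\)).*/\1/p'
}

# status_for VERSION: prints "vulnerable" when VERSION < 1.8.5, otherwise "fixed"
status_for() {
    if vercmp_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo fixed; fi
}

# can_install INSTALLED REQUIRED: succeed when the app's minimum is met
can_install() {
    ! vercmp_lt "$1" "$2"
}

demo() {
    # Constructed input: the outputs quoted in comments 25 and 27.
    v=$(printf 'Flatpak 1.4.1\n' | installed_version)
    r=$(printf 'error: Failed to install org.chromium.Chromium: app/org.chromium.Chromium/x86_64/stable needs a later flatpak version (1.8.2)\n' | required_version)
    echo "installed $v: $(status_for "$v")"
    if can_install "$v" "$r"; then
        echo "apps requiring $r can be installed"
    else
        echo "apps requiring $r cannot be installed"
    fi
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh check.sh demo` to see the two lines for the 1.4.1 host; feed real `flatpak --version` output into installed_version to check a host.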

Comment 36 Thomas Backlund 2021-01-16 17:36:42 CET
(In reply to Neal Gompa from comment #32)
> I will be updating to 1.10.0 because we need support for the new metadata
> format. I don't know how long older clients will stay working, so changing
> to the new stable series is important.

Can you prepare it ASAP for Cauldron then, so we hopefully can handle the fallout before Mageia 8 is released.
Comment 37 David Walser 2021-01-20 15:59:54 CET
Fedora has issued an advisory for this on January 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2K2Q5P4IIUN2SFJKQKB4UJQ37CE2E55K/
Comment 38 Jose Manuel López 2021-02-16 09:22:33 CET
Hi, 

This remains unresolved. We are about to see the release of Mageia 8, so should we consider this bug obsolete, since it seems that this application will not be updated in Mageia 7?

In Mageia 8 flatpak works fine and is updated.

Greetings!!
Comment 39 Dave Hodgins 2021-02-16 19:38:39 CET
Releasing Mageia 8 does not immediately end support for Mageia 7. Bugs still need to be fixed.
Comment 40 Morgan Leijström 2021-02-25 17:35:50 CET
FWIW,
Yesterday on my wife's mga7 laptop using flatpak 1.4.1
$ flatpak update
updated itself without error, and also updated spotify:
Spotify now works (failed a half year ago)
Then I also successfully installed and used Zoom.
