Upstream has issued advisories on January 12: https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx The issues are fixed upstream in 1.10.6 and 1.12.3: https://github.com/flatpak/flatpak/releases/tag/1.10.6 https://github.com/flatpak/flatpak/releases/tag/1.12.3 Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.10.6 and 1.12.3
Whiteboard: (none) => MGA8TOO
I will test update on mga8-64
CC: (none) => fri
NicolasL looks best assignee.
Assignee: bugsquad => mageia
Fedora has issued an advisory for this today (January 17): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/
Summary: flatpak new security issues CVE-2021-43860 and GHSA-8ch7-5j3h-g4fx => flatpak new security issues CVE-2021-43860 and CVE-2022-21682
A regression was fixed in 1.10.7 and 1.12.4: https://github.com/flatpak/flatpak/releases/tag/1.10.7 https://github.com/flatpak/flatpak/releases/tag/1.12.4
(In reply to David Walser from comment #4)
> A regression was fixed in 1.10.7 and 1.12.4:
> https://github.com/flatpak/flatpak/releases/tag/1.10.7
> https://github.com/flatpak/flatpak/releases/tag/1.12.4

Fedora advisory for 1.12.4 from today (January 26):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G4SGDDYLN2BFKCHIDCXL2QTDVHPMZZM4/

Apparently flatpak-builder is also affected by CVE-2022-21682:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/

Fixed upstream in flatpak-builder 1.2.2.
Status comment: Fixed upstream in 1.10.6 and 1.12.3 => Fixed upstream in flatpak 1.10.6 and 1.12.3 and flatpak-builder 1.2.2
Source RPM: flatpak-1.12.2-1.mga9.src.rpm => flatpak-1.12.2-1.mga9.src.rpm, flatpak-builder-1.0.11-1.mga8.src.rpm
Fedora advisory for 1.10.7 and flatpak-builder: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UELF5NVMHRQ45DEBIRQGIVCV4PADFC37/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F46WFOXXRE63UMMTLQB2FOJT4KLI5AR7/
1.12.5 is a new bugfix version for Cauldron: https://github.com/flatpak/flatpak/releases/tag/1.12.5
*** Bug 30071 has been marked as a duplicate of this bug. ***
CC: (none) => lovaren
An src rpm suggestion for 1.12.5 in mga8 is in bug 30071.
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=30071
1.12.6 is a new bugfix version for Cauldron: https://github.com/flatpak/flatpak/releases/tag/1.12.6
openSUSE has issued an advisory for this today (March 4): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T4OG73MX3JPZBHYMUXUULPTVL7ZOOTZ5/
New bugfix and enhancement version 1.12.7 is out: https://github.com/flatpak/flatpak/releases/tag/1.12.7
*** Bug 30242 has been marked as a duplicate of this bug. ***
CC: (none) => mageia
Advisory:

In mageia 8 we provided flatpak 1.10. This version (1.12) fixes CVE-2021-43860 and CVE-2022-21682 and provides various fixes and enhancements.

src:
- flatpak-1.12.7-1.mga8
- discover-5.20.4-3.3.mga8
- gnome-software-3.38.0-2.1.mga8
- xdg-desktop-portal-kde-5.20.4-2.1.mga8

rpms:
- discover-5.20.4-3.3.mga8
- lib64flatpak-gir1.0-1.12.7-1.mga8
- lib64flatpak0-1.12.7-1.mga8
- lib64flatpak-devel-1.12.7-1.mga8
- flatpak-1.12.7-1.mga8
- gnome-software-devel-3.38.0-2.1.mga8
- gnome-software-3.38.0-2.1.mga8
- xdg-desktop-portal-kde-5.20.4-2.1.mga8
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CVE: (none) => CVE-2021-43860, CVE-2022-21682
Status comment: Fixed upstream in flatpak 1.10.6 and 1.12.3 and flatpak-builder 1.2.2 => (none)
Assignee: mageia => qa-bugs
mga8-64 bit OK here on KDE Plasma, intel i7, nvidia-current

Thank you Nicolas

Updated to:
- discover-5.20.4-3.3.mga8.x86_64
- flatpak-1.12.7-1.mga8.x86_64
- lib64flatpak-gir1.0-1.12.7-1.mga8.x86_64
- lib64flatpak0-1.12.7-1.mga8.x86_64

Tested OK:
flatpak --version - reports 1.12.7
flatpak update - updates packages
Quick tests launching and minimal use of flatpak apps: kicad, spotify, firefox, Fritzing 0.9.6 unofficial, Tor Browser.
Only launch test: Zoom, OnionShare

Plasma-discover has never worked nicely for me and I am too lazy to track down why.

What is the use of xdg-desktop-portal-kde? I did not have it nor installed it, and it seems required by nothing. Maybe it should be required by task-plasma, task-plasma-minimal, or plasma-discover, if it is needed?

This system did not have nor now got installed gnome-software, I don't use gnome.

I am not setting the 64 bit OK flag, as Plasma-discover and Gnome Software need to be tested, preferably by someone who usually uses them.
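The test above checks that `flatpak --version` reports 1.12.7. As an added example (not code from this bug report, from Mageia or from the flatpak project), the POSIX shell script below turns that manual check into a branch-aware comparison against the fixed versions named in this bug: flatpak 1.10.6 and 1.12.3 (1.10.7 and 1.12.4 additionally fix a regression) and flatpak-builder 1.2.2. It assumes `flatpak --version` prints `Flatpak <version>`, that versions are plain dotted numbers (no `-1.mga8` release suffix), and that anything newer than the 1.12 series is fixed; the 1.11 development series is treated as unfixed since the fix landed in 1.12.3.

```shell
#!/bin/sh
# Added example, not from the bug report: decide whether an installed flatpak or
# flatpak-builder version already carries the upstream fixes for CVE-2021-43860
# and CVE-2022-21682. Thresholds are the fixed versions quoted in this bug:
#   flatpak 1.10.x  -> 1.10.6   (1.10.7 also fixes a regression)
#   flatpak 1.12.x  -> 1.12.3   (1.12.4 also fixes a regression)
#   flatpak-builder -> 1.2.2

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B on dotted numeric versions.
# Missing trailing fields count as 0, so "1.10" < "1.10.6".
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    printf '%s\n' 0
}

# flatpak_fixed VERSION: true (0) if this flatpak release carries the fix.
# 1.10.x is a maintained stable branch with its own backport; every other
# series is compared against 1.12.3, so 1.9.x and 1.11.x come out unfixed
# and 1.13+ fixed (assumption stated in the lead-in).
flatpak_fixed() {
    case $1 in
        1.10.*) [ "$(vercmp "$1" 1.10.6)" -ge 0 ] ;;
        *)      [ "$(vercmp "$1" 1.12.3)" -ge 0 ] ;;
    esac
}

# flatpak_builder_fixed VERSION: true (0) if flatpak-builder >= 1.2.2.
flatpak_builder_fixed() {
    [ "$(vercmp "$1" 1.2.2)" -ge 0 ]
}

# Read the version of the installed binary; `flatpak --version` prints
# "Flatpak 1.12.7", so the second field is the version (assumption).
installed_flatpak_version() {
    flatpak --version 2>/dev/null | awk '{print $2}'
}

# check_system: report on the live system; exit status 0 fixed, 1 vulnerable,
# 2 flatpak not installed.
check_system() {
    v=$(installed_flatpak_version)
    if [ -z "$v" ]; then
        echo "flatpak: not installed"
        return 2
    fi
    if flatpak_fixed "$v"; then
        echo "flatpak $v: carries the fix for CVE-2021-43860 / CVE-2022-21682"
    else
        echo "flatpak $v: VULNERABLE, update to >= 1.10.6 (1.10 branch) or >= 1.12.3"
        return 1
    fi
}

# Run the live check only when asked, so the functions can also be sourced.
if [ -n "${FLATPAK_CHECK_RUN:-}" ]; then
    check_system
fi
```

Run it with `FLATPAK_CHECK_RUN=1 sh check-flatpak.sh` on the updated machine; a reported 1.12.7 comes out as fixed, while the 1.10.x originally shipped in Mageia 8 is only accepted from 1.10.6 upward.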
MGA8-64 Plasma, AMD Phenom II X4, AMD HD 8490 graphics.

The following 4 packages are going to be installed:
- discover-5.20.4-3.3.mga8.x86_64
- flatpak-1.12.7-1.mga8.x86_64
- lib64flatpak-gir1.0-1.12.7-1.mga8.x86_64
- lib64flatpak0-1.12.7-1.mga8.x86_64

No installation issues.

I too have had problems with Discover, in that it seems to be unable to connect to the "KDE Store." This seems to be a recognized upstream problem, which, if I'm reading things correctly, may have been addressed in version 5.24.x. Moving to that probably requires updating all of Plasma to 5.24.x, so as long as there are no new regressions in this update I will send it along.

My last experience with Discover only allowed the Mageia repos to be activated, ignoring flatpak. This time, I added flathub as a source. Discover examined flathub, and added the available application flatpaks to the list. I browsed through the list, selected a flatpak version of a game (lbreakout), installed it, played a game, then had Discover uninstall it. Everything, except the KDE store, seemed to work as it should.

Like Morgan, I don't normally use Gnome. But, I do have a Gnome Vbox guest available. I will look into trying this with that before giving this an OK.
CC: (none) => andrewsfarm
No installation issues with Gnome, either. Found some guidance on the web, and managed to install lbreakout in the Gnome guest with no issues. Tried to play a game, but it didn't respond to the mouse the way it did on real hardware, in Plasma. I removed it again.

Lbreakout probably didn't work properly because it was being run in a VM, not because of this update. It's also possible that the flathub lbreakout had been built to be used with a newer version of gnome than ours. One of the pitfalls of using flatpak. However, because of inexperience I'm not really sure about this, so I'm holding back an OK for a day or two to allow a more experienced hand a chance to try it out.
For Flatpak, I wrote https://wiki.mageia.org/en/Flatpak

Flatpak is supposed to handle needed dependencies internally to the flatpak system, i.e. my system seems to have support for two gnome versions for different flatpaks:

§ flatpak list | grep gnome
GNOME Application Platform version 3.38   org.gnome.Platform   3.38   flathub   user
GNOME Application Platform version 41     org.gnome.Platform   41     flathub   user

The gnome-software package in this bug is a software centre like plasma discover. On your gnome system, does it work to find and install flatpak programs?
I only know the edges of using Gnome, and all/most of the web guidance is Ubuntu-based, as if that were the only distro out there. So, here I'm flying blind in one eye with the other peeking through a small hole.

I ran gnome-software from the menu, and like Discover it came up pre-configured to use the Mageia repos as a source. Unlike Discover, I didn't find an easy way in the gui to add the flathub repo. The guidance I found advised me to use my browser (Firefox) to go to flathub, click on "install" for an app, and direct the browser to hand it off to the software installer to install it. So that's what I did. An installer gui (not drakrpm) did come up after getting root permissions, looking suspiciously like the flathub page for that app. I clicked on install again, and it went through the process. No reports about any missing dependencies. I had to uninstall it the same way, going through the browser rather than directly with gnome-software.

This is why we need someone with Gnome experience to check this out. I don't have a clue about what I'm doing.
MGA 64 XFCE no installation issues.

Updated with QA repo and RPMs:
flatpak 1.12.7 1.mga8 x86_64
gnome-software 3.38.0 2.1.mga8 x86_64
lib64flatpak-gir1.0 1.12.7 1.mga8 x86_64
lib64flatpak0 1.12.7 1.mga8 x86_64

Updated flatpak Firefox with Gnome Software ok
Browsing with Flatpak Firefox ok
CC: (none) => guillaume.royer
I didn't think about testing it with Xfce - I'm more familiar with that. Will file that away for the next time. Thanks. Giving it an OK, and validating. Advisory in Comment 14.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0131.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED