opensuse-su-2021:0520-1
Vulnerability from csaf_opensuse
Published
2021-04-08 22:41
Modified
2021-04-08 22:41
Summary
Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk

Notes

Title of the patch
Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk
Description of the patch
This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues:

libostree:

Update to version 2020.8

- Enable LTO. (bsc#1133120)
- This update contains scalability improvements and bugfixes.
- Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be re-downloaded if they have not changed in the meantime.
- Summaries and deltas have been reworked to allow more fine-grained fetching.
- Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures.
- Static deltas can now be signed to more easily support offline verification.
- There's now support for multiple initramfs images; it is possible to have a 'main' initramfs image and a secondary one which represents local configuration.
- The documentation has moved to https://ostreedev.github.io/ostree/
- Fix for an assertion failure when upgrading from systems before ostree supported devicetree.
- ostree no longer hardlinks zero-sized files, to avoid hitting filesystem maximum link counts.
- ostree now supports `/` and `/boot` being on the same filesystem.
- Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for the immutable bit on s390x, dropping a deprecated bit in the systemd unit file.
- Fix a regression in 2020.4 where the 'readonly sysroot' changes incorrectly left the sysroot read-only on systems that started out with a read-only `/` (most of them, e.g. Fedora Silverblue/IoT at least).
- The default dracut config now enables reproducibility.
- There is a new `ostree admin unlock --transient`. This should be a foundation for further support for 'live' updates.
- New `ed25519` signing support, powered by `libsodium`.
- `ostree commit` gained a new `--base` argument, which significantly simplifies constructing 'derived' commits, particularly for systems using SELinux.
- Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. Enabling the `readonly=true` flag in the repo config is recommended.
- Several fixes in locking for the temporary 'staging' directories OSTree creates, particularly on NFS.
- A new `timestamp-check-from-rev` option was added for pulls, which makes downgrade protection more reliable and will be used by Fedora CoreOS.
- Several fixes and enhancements made for 'collection' pulls, including a new `--mirror` option.
- The `ostree commit` command learned a new `--mode-ro-executables` option which enforces `W^R` semantics on all executables.
- Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE` to help standardize the architecture of the OSTree commit. This could be used on the client side, for example, to sanity-check that the commit matches the architecture of the machine before deploying.
- Stop invalid usage of `%_libexecdir`:
  + Use `%{_prefix}/lib` where appropriate.
  + Use `_systemdgeneratordir` for the systemd-generators.
  + Define `_dracutmodulesdir` based on `dracut.pc`. Add BuildRequires(dracut) for this to work.

xdg-desktop-portal:

Update to version 1.8.0:

- Ensure systemd rpm macros are called at install/uninstall times for systemd user services.
- Add BuildRequires on systemd-rpm-macros.
- openuri:
  - Allow skipping the chooser for more URL types
  - Robustness fixes
- filechooser:
  - Return the current filter
  - Add a 'directory' option
  - Document the 'writable' option
- camera:
  - Make the client node visible
  - Don't leak pipewire proxy
- Fix file descriptor leaks
- Testsuite improvements
- Updated translations.
- document:
  - Reduce the use of open fds
  - Add more tests and fix issues they found
  - Expose directories with their proper name
  - Support exporting directories
  - New fuse implementation
- background: Avoid a segfault
- screencast: Require pipewire 0.3
- Better support for snap and toolbox
- Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the binary. (bsc#1175899) Without it, files or directories can be selected, but whatever is done with or in them will not have any effect.
- Fixes for `%_libexecdir` changing to `/usr/libexec`

xdg-desktop-portal-gtk:

Update to version 1.8.0:

- filechooser:
  - Return the current filter
  - Handle the 'directory' option to select directories
  - Only show preview when we have an image
- screenshot: Fix cancellation
- appchooser: Avoid a crash
- wallpaper:
  - Properly preview placement settings
  - Drop the lockscreen option
- printing: Improve the notification
- Updated translations.
- settings: Fall back to gsettings for enable-animations
- screencast: Support Mutter version 3 (new pipewire API version 3).

flatpak:

- Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)
- This is a security update which fixes a potential attack where a flatpak application could use a custom-formatted `.desktop` file to gain access to files on the host system.
- Fix memory leaks
- Documentation and translations updates
- Spawn portal better handles non-UTF-8 filenames
- Fix flatpak build on systems with setuid bwrap
- Fix crash on updating apps with no deploy data
- Remove deprecated texinfo packaging macros.
- Support for the new repo format, which should make updates faster and download less data.
- The systemd generator snippets now call `flatpak --print-updated-env` in place of a bunch of shell for better login performance.
- The `.profile` snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh.
- Flatpak now finds the pulseaudio sockets better in uncommon configurations.
- Sandboxes with network access now also have access to the `systemd-resolved` socket to do DNS lookups.
- Flatpak supports unsetting environment variables in the sandbox using `--unset-env`, and `--env=FOO=` now sets FOO to the empty string instead of unsetting it.
- The spawn portal now has an option to share the pid namespace with the sub-sandbox.
- This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by controlling the environment of the 'flatpak run' command when spawning a sub-sandbox (bsc#1180996, CVE-2021-21261)
- Fix support for ppc64.
- Move flatpak-bisect and flatpak-coredumpctl to the devel subpackage, allowing the python3 dependency on the main package to be removed.
- Enable LTO, as gobject-introspection works fine with LTO. (bsc#1133124)
- Fixed progress reporting for OCI and extra-data.
- The in-memory summary cache is more efficient.
- Fixed authentication getting stuck in a loop in some cases.
- Fixed authentication error reporting.
- Extract OCI info for runtimes as well as apps.
- Fixed crash if anonymous authentication fails and `-y` is specified.
- flatpak info now only looks at the specified installation if one is specified.
- Better error reporting for server HTTP errors during download.
- Uninstall now removes applications before the runtime they depend on.
- Avoid updating metadata from the remote when uninstalling.
- FlatpakTransaction now verifies all passed in refs to avoid.
- Added validation of collection id settings for remotes.
- Fix seccomp filters on s390.
- Robustness fixes to the spawn portal.
- Fix support for masking updates in the system installation.
- Better support for distros with uncommon models of merged `/usr`.
- Cache responses from localed/AccountService.
- Fix hangs in cases where `xdg-dbus-proxy` fails to start.
- Fix double-free in cups socket detection.
- OCI authenticator now doesn't ask for auth in case of HTTP errors.
- Fix invalid usage of `%{_libexecdir}` to reference systemd directories.
- Fixes for `%_libexecdir` changing to `/usr/libexec`
- Avoid calling authenticator in update if ref didn't change
- Don't fail transaction if ref is already installed (after transaction start)
- Fix flatpak run handling of userns in the `--device=all` case
- Fix handling of extensions from different remotes
- Fix flatpak run `--no-session-bus`
- `FlatpakTransaction` has a new signal `install-authenticator` which clients can handle to install authenticators needed for the transaction. This is done in the CLI commands.
- Now the host timezone data is always exposed, fixing several apps that had timezone issues.
- There's a new systemd unit (not installed by default) to automatically detect plugged-in USB sticks with sideload repos.
- By default the `gdm env.d` file is no longer installed because the systemd generators work better.
- `create-usb` now exports partial commits by default
- Fix handling of docker media types in OCI remotes
- Fix subjects in `remote-info --log` output
- This release is also able to host flatpak images on e.g. docker hub.

This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patchnames
openSUSE-2021-520
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues:\n\nlibostree:\n\nUpdate to version 2020.8\n\n- Enable LTO. (bsc#1133120)\n\n- This update contains scalability improvements and bugfixes.\n- Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be \n  re-downloaded if not changed in the meanwhile.\n- Summaries and delta have been reworked to allow more fine-grained fetching.\n- Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures.\n- Static deltas can now be signed to more easily support offline verification.\n- There\u0027s now support for multiple initramfs images; Is it possible to have a \u0027main\u0027 initramfs image and a \n  secondary one which represents local configuration.\n- The documentation is now moved to https://ostreedev.github.io/ostree/\n- Fix for an assertion failure when upgrading from systems before ostree supported devicetree.\n- ostree no longer hardlinks zero sized files to avoid hitting filesystem maximum link counts.\n- ostree now supports `/` and `/boot` being on the same filesystem.\n- Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for \n  the immutable bit on s390x, dropping a deprecated bit in the systemd unit file.\n- Fix a regression 2020.4 where the \u0027readonly sysroot\u0027 changes incorrectly left the sysroot read-only \n  on systems that started out with a read-only `/` (most of them, e.g. Fedora Silverblue/IoT at least).\n- The default dracut config now enables reproducibility.\n- There is a new ostree admin unlock `--transient`. 
This should to be a foundation for further support \n  for \u0027live\u0027 updates.\n- New `ed25519` signing support, powered by `libsodium`.\n- stree commit gained a new `--base` argument, which significantly simplifies constructing \u0027derived\u0027 \n  commits, particularly for systems using SELinux.\n- Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. \n  Enabling the `readonly=true` flag in the repo config is recommended.\n- Several fixes in locking for the temporary \u0027staging\u0027 directories OSTree creates, particularly on NFS.\n- A new `timestamp-check-from-rev` option was added for pulls, which makes downgrade protection more \n  reliable and will be used by Fedora CoreOS.\n- Several fixes and enhancements made for \u0027collection\u0027 pulls including a new `--mirror` option.\n- The ostree commit command learned a new `--mode-ro-executables` which enforces `W^R` semantics \n  on all executables.\n- Added a new  commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE` to help standardize \n  the architecture of the OSTree commit. This could be used on the client side for example to \n  sanity-check that the commit matches the architecture of the machine before deploying.\n- Stop invalid usage of `%_libexecdir`:\n  + Use `%{_prefix}/lib` where appropriate.\n  + Use `_systemdgeneratordir` for the systemd-generators.\n  + Define `_dracutmodulesdir` based on `dracut.pc`. 
Add BuildRequires(dracut) for this to work.\n\nxdg-desktop-portal:\n\nUpdate to version 1.8.0:\n\n- Ensure systemd rpm macros are called at install/uninstall times for systemd user services.\n- Add BuildRequires on systemd-rpm-macros.\n- openuri:\n  - Allow skipping the chooser for more URL tyles\n  - Robustness fixes\n- filechooser: \n  - Return the current filter\n  - Add a \u0027directory\u0027 option\n  - Document the \u0027writable\u0027 option\n- camera:\n  - Make the client node visible\n  - Don\u0027t leak pipewire proxy\n- Fix file descriptor leaks\n- Testsuite improvements\n- Updated translations.\n- document:\n  - Reduce the use of open fds\n  - Add more tests and fix issues they found\n  - Expose directories with their proper name\n  - Support exporting directories\n  - New fuse implementation\n- background: Avoid a segfault\n- screencast: Require pipewire 0.3\n- Better support for snap and toolbox\n- Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the binary. 
(bsc#1175899)\n  Without it, files or dirs can be selected, but whatever is done with or in them, will not have any effect\n- Fixes for `%_libexecdir` changing to `/usr/libexec`\n\nxdg-desktop-portal-gtk:\n\nUpdate to version 1.8.0:\n\n- filechooser: \n  - Return the current filter\n    - Handle the \u0027directory\u0027 option to select directories\n    - Only show preview when we have an image\n- screenshot: Fix cancellation\n- appchooser: Avoid a crash\n- wallpaper:\n  - Properly preview placement settings\n  - Drop the lockscreen option\n- printing: Improve the notification\n- Updated translations.\n- settings: Fall back to gsettings for enable-animations\n- screencast: Support Mutter version to 3 (New pipewire api ver 3).\n\nflatpak:\n\n-  Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)\n\n-  This is a security update which fixes a potential attack where a flatpak application could use custom formated \n   `.desktop` file to gain access to files on the host system.\n- Fix memory leaks\n- Documentation and translations updates\n- Spawn portal better handles non-utf8 filenames\n- Fix flatpak build on systems with setuid bwrap \n- Fix crash on updating apps with no deploy data\n- Remove deprecated texinfo packaging macros.\n- Support for the new repo format which should make updates faster and download less data.\n- The systemd generator snippets now call flatpak `--print-updated-env` in place of a bunch of shell for better\n  login performance.\n- The `.profile` snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh.\n- Flatpak now finds the pulseaudio sockets better in uncommon configurations.\n- Sandboxes with network access it now also has access to the `systemd-resolved` socket to do dns lookups.\n- Flatpak supports unsetting environment variables in the sandbox using `--unset-env`, \n  and `--env=FOO=` now sets FOO to the empty string instead of unsetting it.\n- The spawn portal now has an option to share 
the pid namespace with the sub-sandbox.\n- This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by \n  controlling the environment of the \u0027flatpak run\u0027 command when spawning a sub-sandbox (bsc#1180996, CVE-2021-21261)\n- Fix support for ppc64.\n- Move flatpak-bisect and flatpak-coredumpctl to devel subpackage, allow to remove python3 dependency on main package.\n- Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124)\n- Fixed progress reporting for OCI and extra-data.\n- The in-memory summary cache is more efficient.\n- Fixed authentication getting stuck in a loop in some cases.\n- Fixed authentication error reporting.\n- Extract OCI info for runtimes as well as apps. \n- Fixed crash if anonymous authentication fails and `-y` is specified.\n- flatpak info now only looks at the specified installation if one is specified.\n- Better error reporting for server HTTP errors during download. \n- Uninstall now removes applications before the runtime it depends on.\n- Avoid updating metadata from the remote when uninstalling.\n- FlatpakTransaction now verifies all passed in refs to avoid.\n- Added validation of collection id settings for remotes.\n- Fix seccomp filters on s390.\n- Robustness fixes to the spawn portal.\n- Fix support for masking update in the system installation.\n- Better support for distros with uncommon models of merged `/usr`.\n- Cache responses from localed/AccountService.\n- Fix hangs in cases where `xdg-dbus-proxy` fails to start.\n- Fix double-free in cups socket detection.\n- OCI authenticator now doesn\u0027t ask for auth in case of http errors.\n- Fix invalid usage of `%{_libexecdir}` to reference systemd directories.\n- Fixes for `%_libexecdir` changing to `/usr/libexec`\n- Avoid calling authenticator in update if ref didn\u0027t change\n- Don\u0027t fail transaction if ref is already installed (after transaction start)\n- Fix flatpak run handling of userns in 
the `--device=all` case\n- Fix handling of extensions from different remotes\n- Fix flatpak run `--no-session-bus`\n- `FlatpakTransaction` has a new signal `install-authenticator` which clients can handle to install authenticators \n   needed for the transaction. This is done in the CLI commands.\n- Now the host timezone data is always exposed, fixing several apps that had timezone issues.\n- There\u0027s a new  systemd unit (not installed by default) to automatically detect plugged in usb sticks with \n  sideload repos.\n- By default the `gdm env.d` file is no longer installed because the  systemd generators work better.\n- `create-usb` now exports partial commits by default \n- Fix handling of docker media types in oci remotes\n- Fix subjects in `remote-info --log` output\n- This release is also able to host flatpak images on e.g. docker hub.\n \nThis update was imported from the SUSE:SLE-15-SP2:Update update project.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2021-520",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0520-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2021:0520-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4JRX7C3J3TJQXJODJCARSGDYY4AM57Q7/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2021:0520-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4JRX7C3J3TJQXJODJCARSGDYY4AM57Q7/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1133120",
        "url": "https://bugzilla.suse.com/1133120"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1133124",
        "url": "https://bugzilla.suse.com/1133124"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1175899",
        "url": "https://bugzilla.suse.com/1175899"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1180996",
        "url": "https://bugzilla.suse.com/1180996"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-21261 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-21261/"
      }
    ],
    "title": "Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk",
    "tracking": {
      "current_release_date": "2021-04-08T22:41:52Z",
      "generator": {
        "date": "2021-04-08T22:41:52Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2021:0520-1",
      "initial_release_date": "2021-04-08T22:41:52Z",
      "revision_history": [
        {
          "date": "2021-04-08T22:41:52Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libostree-2020.8-lp152.2.3.1.i586",
                "product": {
                  "name": "libostree-2020.8-lp152.2.3.1.i586",
                  "product_id": "libostree-2020.8-lp152.2.3.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "libostree-1-1-2020.8-lp152.2.3.1.i586",
                "product": {
                  "name": "libostree-1-1-2020.8-lp152.2.3.1.i586",
                  "product_id": "libostree-1-1-2020.8-lp152.2.3.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "libostree-devel-2020.8-lp152.2.3.1.i586",
                "product": {
                  "name": "libostree-devel-2020.8-lp152.2.3.1.i586",
                  "product_id": "libostree-devel-2020.8-lp152.2.3.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "libostree-grub2-2020.8-lp152.2.3.1.i586",
                "product": {
                  "name": "libostree-grub2-2020.8-lp152.2.3.1.i586",
                  "product_id": "libostree-grub2-2020.8-lp152.2.3.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.i586",
                "product": {
                  "name": "typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.i586",
                  "product_id": "typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-gtk-lang-1.8.0-lp152.2.3.1.noarch",
                "product": {
                  "name": "xdg-desktop-portal-gtk-lang-1.8.0-lp152.2.3.1.noarch",
                  "product_id": "xdg-desktop-portal-gtk-lang-1.8.0-lp152.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-lang-1.8.0-lp152.4.3.1.noarch",
                "product": {
                  "name": "xdg-desktop-portal-lang-1.8.0-lp152.4.3.1.noarch",
                  "product_id": "xdg-desktop-portal-lang-1.8.0-lp152.4.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "flatpak-1.10.2-lp152.3.6.1.x86_64",
                "product": {
                  "name": "flatpak-1.10.2-lp152.3.6.1.x86_64",
                  "product_id": "flatpak-1.10.2-lp152.3.6.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-devel-1.10.2-lp152.3.6.1.x86_64",
                "product": {
                  "name": "flatpak-devel-1.10.2-lp152.3.6.1.x86_64",
                  "product_id": "flatpak-devel-1.10.2-lp152.3.6.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-zsh-completion-1.10.2-lp152.3.6.1.x86_64",
                "product": {
                  "name": "flatpak-zsh-completion-1.10.2-lp152.3.6.1.x86_64",
                  "product_id": "flatpak-zsh-completion-1.10.2-lp152.3.6.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libflatpak0-1.10.2-lp152.3.6.1.x86_64",
                "product": {
                  "name": "libflatpak0-1.10.2-lp152.3.6.1.x86_64",
                  "product_id": "libflatpak0-1.10.2-lp152.3.6.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libostree-2020.8-lp152.2.3.1.x86_64",
                "product": {
                  "name": "libostree-2020.8-lp152.2.3.1.x86_64",
                  "product_id": "libostree-2020.8-lp152.2.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libostree-1-1-2020.8-lp152.2.3.1.x86_64",
                "product": {
                  "name": "libostree-1-1-2020.8-lp152.2.3.1.x86_64",
                  "product_id": "libostree-1-1-2020.8-lp152.2.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libostree-devel-2020.8-lp152.2.3.1.x86_64",
                "product": {
                  "name": "libostree-devel-2020.8-lp152.2.3.1.x86_64",
                  "product_id": "libostree-devel-2020.8-lp152.2.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libostree-grub2-2020.8-lp152.2.3.1.x86_64",
                "product": {
                  "name": "libostree-grub2-2020.8-lp152.2.3.1.x86_64",
                  "product_id": "libostree-grub2-2020.8-lp152.2.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "system-user-flatpak-1.10.2-lp152.3.6.1.x86_64",
                "product": {
                  "name": "system-user-flatpak-1.10.2-lp152.3.6.1.x86_64",
                  "product_id": "system-user-flatpak-1.10.2-lp152.3.6.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "typelib-1_0-Flatpak-1_0-1.10.2-lp152.3.6.1.x86_64",
                "product": {
                  "name": "typelib-1_0-Flatpak-1_0-1.10.2-lp152.3.6.1.x86_64",
                  "product_id": "typelib-1_0-Flatpak-1_0-1.10.2-lp152.3.6.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.x86_64",
                "product": {
                  "name": "typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.x86_64",
                  "product_id": "typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-1.8.0-lp152.4.3.1.x86_64",
                "product": {
                  "name": "xdg-desktop-portal-1.8.0-lp152.4.3.1.x86_64",
                  "product_id": "xdg-desktop-portal-1.8.0-lp152.4.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-devel-1.8.0-lp152.4.3.1.x86_64",
                "product": {
                  "name": "xdg-desktop-portal-devel-1.8.0-lp152.4.3.1.x86_64",
                  "product_id": "xdg-desktop-portal-devel-1.8.0-lp152.4.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-gtk-1.8.0-lp152.2.3.1.x86_64",
                "product": {
                  "name": "xdg-desktop-portal-gtk-1.8.0-lp152.2.3.1.x86_64",
                  "product_id": "xdg-desktop-portal-gtk-1.8.0-lp152.2.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.2",
                "product": {
                  "name": "openSUSE Leap 15.2",
                  "product_id": "openSUSE Leap 15.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-1.10.2-lp152.3.6.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:flatpak-1.10.2-lp152.3.6.1.x86_64"
        },
        "product_reference": "flatpak-1.10.2-lp152.3.6.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-devel-1.10.2-lp152.3.6.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:flatpak-devel-1.10.2-lp152.3.6.1.x86_64"
        },
        "product_reference": "flatpak-devel-1.10.2-lp152.3.6.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-zsh-completion-1.10.2-lp152.3.6.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:flatpak-zsh-completion-1.10.2-lp152.3.6.1.x86_64"
        },
        "product_reference": "flatpak-zsh-completion-1.10.2-lp152.3.6.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libflatpak0-1.10.2-lp152.3.6.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:libflatpak0-1.10.2-lp152.3.6.1.x86_64"
        },
        "product_reference": "libflatpak0-1.10.2-lp152.3.6.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libostree-2020.8-lp152.2.3.1.i586 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:libostree-2020.8-lp152.2.3.1.i586"
        },
        "product_reference": "libostree-2020.8-lp152.2.3.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libostree-2020.8-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:libostree-2020.8-lp152.2.3.1.x86_64"
        },
        "product_reference": "libostree-2020.8-lp152.2.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libostree-1-1-2020.8-lp152.2.3.1.i586 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:libostree-1-1-2020.8-lp152.2.3.1.i586"
        },
        "product_reference": "libostree-1-1-2020.8-lp152.2.3.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libostree-1-1-2020.8-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:libostree-1-1-2020.8-lp152.2.3.1.x86_64"
        },
        "product_reference": "libostree-1-1-2020.8-lp152.2.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libostree-devel-2020.8-lp152.2.3.1.i586 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:libostree-devel-2020.8-lp152.2.3.1.i586"
        },
        "product_reference": "libostree-devel-2020.8-lp152.2.3.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libostree-devel-2020.8-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:libostree-devel-2020.8-lp152.2.3.1.x86_64"
        },
        "product_reference": "libostree-devel-2020.8-lp152.2.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libostree-grub2-2020.8-lp152.2.3.1.i586 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:libostree-grub2-2020.8-lp152.2.3.1.i586"
        },
        "product_reference": "libostree-grub2-2020.8-lp152.2.3.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libostree-grub2-2020.8-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:libostree-grub2-2020.8-lp152.2.3.1.x86_64"
        },
        "product_reference": "libostree-grub2-2020.8-lp152.2.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "system-user-flatpak-1.10.2-lp152.3.6.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:system-user-flatpak-1.10.2-lp152.3.6.1.x86_64"
        },
        "product_reference": "system-user-flatpak-1.10.2-lp152.3.6.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "typelib-1_0-Flatpak-1_0-1.10.2-lp152.3.6.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:typelib-1_0-Flatpak-1_0-1.10.2-lp152.3.6.1.x86_64"
        },
        "product_reference": "typelib-1_0-Flatpak-1_0-1.10.2-lp152.3.6.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.i586 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.i586"
        },
        "product_reference": "typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.x86_64"
        },
        "product_reference": "typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-1.8.0-lp152.4.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:xdg-desktop-portal-1.8.0-lp152.4.3.1.x86_64"
        },
        "product_reference": "xdg-desktop-portal-1.8.0-lp152.4.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-devel-1.8.0-lp152.4.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:xdg-desktop-portal-devel-1.8.0-lp152.4.3.1.x86_64"
        },
        "product_reference": "xdg-desktop-portal-devel-1.8.0-lp152.4.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-gtk-1.8.0-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:xdg-desktop-portal-gtk-1.8.0-lp152.2.3.1.x86_64"
        },
        "product_reference": "xdg-desktop-portal-gtk-1.8.0-lp152.2.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-gtk-lang-1.8.0-lp152.2.3.1.noarch as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:xdg-desktop-portal-gtk-lang-1.8.0-lp152.2.3.1.noarch"
        },
        "product_reference": "xdg-desktop-portal-gtk-lang-1.8.0-lp152.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-lang-1.8.0-lp152.4.3.1.noarch as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:xdg-desktop-portal-lang-1.8.0-lp152.4.3.1.noarch"
        },
        "product_reference": "xdg-desktop-portal-lang-1.8.0-lp152.4.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-21261",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-21261"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.2:flatpak-1.10.2-lp152.3.6.1.x86_64",
          "openSUSE Leap 15.2:flatpak-devel-1.10.2-lp152.3.6.1.x86_64",
          "openSUSE Leap 15.2:flatpak-zsh-completion-1.10.2-lp152.3.6.1.x86_64",
          "openSUSE Leap 15.2:libflatpak0-1.10.2-lp152.3.6.1.x86_64",
          "openSUSE Leap 15.2:libostree-1-1-2020.8-lp152.2.3.1.i586",
          "openSUSE Leap 15.2:libostree-1-1-2020.8-lp152.2.3.1.x86_64",
          "openSUSE Leap 15.2:libostree-2020.8-lp152.2.3.1.i586",
          "openSUSE Leap 15.2:libostree-2020.8-lp152.2.3.1.x86_64",
          "openSUSE Leap 15.2:libostree-devel-2020.8-lp152.2.3.1.i586",
          "openSUSE Leap 15.2:libostree-devel-2020.8-lp152.2.3.1.x86_64",
          "openSUSE Leap 15.2:libostree-grub2-2020.8-lp152.2.3.1.i586",
          "openSUSE Leap 15.2:libostree-grub2-2020.8-lp152.2.3.1.x86_64",
          "openSUSE Leap 15.2:system-user-flatpak-1.10.2-lp152.3.6.1.x86_64",
          "openSUSE Leap 15.2:typelib-1_0-Flatpak-1_0-1.10.2-lp152.3.6.1.x86_64",
          "openSUSE Leap 15.2:typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.i586",
          "openSUSE Leap 15.2:typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.x86_64",
          "openSUSE Leap 15.2:xdg-desktop-portal-1.8.0-lp152.4.3.1.x86_64",
          "openSUSE Leap 15.2:xdg-desktop-portal-devel-1.8.0-lp152.4.3.1.x86_64",
          "openSUSE Leap 15.2:xdg-desktop-portal-gtk-1.8.0-lp152.2.3.1.x86_64",
          "openSUSE Leap 15.2:xdg-desktop-portal-gtk-lang-1.8.0-lp152.2.3.1.noarch",
          "openSUSE Leap 15.2:xdg-desktop-portal-lang-1.8.0-lp152.4.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-21261",
          "url": "https://www.suse.com/security/cve/CVE-2021-21261"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1180996 for CVE-2021-21261",
          "url": "https://bugzilla.suse.com/1180996"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.2:flatpak-1.10.2-lp152.3.6.1.x86_64",
            "openSUSE Leap 15.2:flatpak-devel-1.10.2-lp152.3.6.1.x86_64",
            "openSUSE Leap 15.2:flatpak-zsh-completion-1.10.2-lp152.3.6.1.x86_64",
            "openSUSE Leap 15.2:libflatpak0-1.10.2-lp152.3.6.1.x86_64",
            "openSUSE Leap 15.2:libostree-1-1-2020.8-lp152.2.3.1.i586",
            "openSUSE Leap 15.2:libostree-1-1-2020.8-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:libostree-2020.8-lp152.2.3.1.i586",
            "openSUSE Leap 15.2:libostree-2020.8-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:libostree-devel-2020.8-lp152.2.3.1.i586",
            "openSUSE Leap 15.2:libostree-devel-2020.8-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:libostree-grub2-2020.8-lp152.2.3.1.i586",
            "openSUSE Leap 15.2:libostree-grub2-2020.8-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:system-user-flatpak-1.10.2-lp152.3.6.1.x86_64",
            "openSUSE Leap 15.2:typelib-1_0-Flatpak-1_0-1.10.2-lp152.3.6.1.x86_64",
            "openSUSE Leap 15.2:typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.i586",
            "openSUSE Leap 15.2:typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:xdg-desktop-portal-1.8.0-lp152.4.3.1.x86_64",
            "openSUSE Leap 15.2:xdg-desktop-portal-devel-1.8.0-lp152.4.3.1.x86_64",
            "openSUSE Leap 15.2:xdg-desktop-portal-gtk-1.8.0-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:xdg-desktop-portal-gtk-lang-1.8.0-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xdg-desktop-portal-lang-1.8.0-lp152.4.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.2:flatpak-1.10.2-lp152.3.6.1.x86_64",
            "openSUSE Leap 15.2:flatpak-devel-1.10.2-lp152.3.6.1.x86_64",
            "openSUSE Leap 15.2:flatpak-zsh-completion-1.10.2-lp152.3.6.1.x86_64",
            "openSUSE Leap 15.2:libflatpak0-1.10.2-lp152.3.6.1.x86_64",
            "openSUSE Leap 15.2:libostree-1-1-2020.8-lp152.2.3.1.i586",
            "openSUSE Leap 15.2:libostree-1-1-2020.8-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:libostree-2020.8-lp152.2.3.1.i586",
            "openSUSE Leap 15.2:libostree-2020.8-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:libostree-devel-2020.8-lp152.2.3.1.i586",
            "openSUSE Leap 15.2:libostree-devel-2020.8-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:libostree-grub2-2020.8-lp152.2.3.1.i586",
            "openSUSE Leap 15.2:libostree-grub2-2020.8-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:system-user-flatpak-1.10.2-lp152.3.6.1.x86_64",
            "openSUSE Leap 15.2:typelib-1_0-Flatpak-1_0-1.10.2-lp152.3.6.1.x86_64",
            "openSUSE Leap 15.2:typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.i586",
            "openSUSE Leap 15.2:typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:xdg-desktop-portal-1.8.0-lp152.4.3.1.x86_64",
            "openSUSE Leap 15.2:xdg-desktop-portal-devel-1.8.0-lp152.4.3.1.x86_64",
            "openSUSE Leap 15.2:xdg-desktop-portal-gtk-1.8.0-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:xdg-desktop-portal-gtk-lang-1.8.0-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xdg-desktop-portal-lang-1.8.0-lp152.4.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2021-04-08T22:41:52Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-21261"
    }
  ]
}