Fedora 28: flatpak Security Update

    Date: 27 Nov 2018
    Category: Fedora
    Posted By: Anthony Pell
    --------------------------------------------------------------------------------
    Fedora Update Notification
    FEDORA-2018-4d68cf2b1c
    2018-11-27 17:11:25.740594
    --------------------------------------------------------------------------------
    
    Name        : flatpak
    Product     : Fedora 28
    Version     : 1.0.6
    Release     : 1.fc28
    URL         : http://flatpak.org/
    Summary     : Application deployment framework for desktop apps
    Description :
    flatpak is a system for building, distributing and running sandboxed desktop
    applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for
    more information.
    
    --------------------------------------------------------------------------------
    Update Information:
    
    flatpak 1.0.6 release. This release fixes an issue that lets system-wide
    installed applications create setuid root files inside their app dir (somewhere
    in /var/lib/flatpak/app). Setuid support is disabled inside flatpaks, so such
    files are only a risk if the user runs them manually outside flatpak.
    Installing a flatpak system-wide needs root access, so this isn't a privilege
    elevation for non-root users, and allowing root to install setuid files is
    something all traditional packaging systems allow. However, flatpak tries to be
    better than that, in order to make it easier to trust third party repositories.
    
    Changes in this version:
    
    * The permissions of the files created by the apply_extra script are
      canonicalized and the script itself is run without any capabilities.
    * Better matching of existing remotes when the local and remote configuration
      differs wrt collection ids.
    * New flatpakrepo DeployCollectionID replaces CollectionID, doing the same
      thing. It is recommended to use this instead because older versions of
      flatpak have bugs in the support of collection ids, and this key will only
      be respected in versions where it works.
    * The X11 socket is now mounted read-only.
    
    ----
    
    flatpak 1.0.5 release. There was a sandbox bug in the previous version where
    parts of the runtime /etc were not mounted read-only. In case the runtime was
    installed as the user (not the default) this means that the app could modify
    files on the runtime. Nothing in the host uses the runtime files, so this is not
    a direct sandbox escape, but it is possible that an app can confuse a different
    app that has higher permissions and so gain privileges.
    
    Detailed changes:
    
    * Make the /etc -> /usr/etc bind-mounts read-only.
    * Make various app-specific configuration files read-only.
    * flatpak is more picky about remote names to avoid problems with storing weird
      names in the ostree config.
    * A segfault in libflatpak handling of bundles was fixed.
    * Updated translations.
    * Fixed a regression in flatpak run that caused problems running user-installed
      apps when the system installation was broken.
    
    In addition to upstream changes, this update also fixes a packaging issue and
    adds a missing dependency on p11-kit-server to fix accessing host TLS
    certificates.
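    As an added defensive check (not part of the advisory and not flatpak's own
    code): a POSIX shell helper that lists files carrying the setuid or setgid bit
    under a directory tree, meant to be pointed at the system-wide app directory
    the advisory names, /var/lib/flatpak/app, to audit what earlier apply_extra
    runs may have left behind. The demo tree and the app id org.example.App are
    constructed for illustration only.

```shell
#!/bin/sh
# Added audit helper; not from the Fedora advisory or the flatpak project.
# Lists regular files under "$1" that have the setuid (4000) or setgid (2000)
# bit set, one path per line. Intended use on an affected host:
#   find_suid_files /var/lib/flatpak/app
find_suid_files() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -perm -4000 / -perm -2000: "all of these bits set" (POSIX semantics).
    # -xdev keeps the scan on a single filesystem.
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Returns 0 when the tree holds no setuid/setgid files, 1 when it does,
# 2 when the directory does not exist.
check_tree_clean() {
    out=$(find_suid_files "$1") || return 2
    [ -z "$out" ]
}

# Self-contained demo on a constructed tree (hypothetical app id), so the
# helper can be exercised without touching /var/lib/flatpak at all.
demo_dir=$(mktemp -d)
demo_bin="$demo_dir/org.example.App/x86_64/stable/active/files/bin"
mkdir -p "$demo_bin"
printf '#!/bin/sh\n' > "$demo_bin/ok"
printf '#!/bin/sh\n' > "$demo_bin/helper"
chmod 0755 "$demo_bin/ok"
chmod 4755 "$demo_bin/helper"   # setuid bit: the condition the fix prevents
find_suid_files "$demo_dir"     # lists only .../files/bin/helper
check_tree_clean "$demo_dir" || echo "setuid/setgid files present in $demo_dir"
```

    Anything the scan reports outside the demo tree deserves a look: the bits are
    harmless inside the sandbox but matter if the file is run directly on the host.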
    --------------------------------------------------------------------------------
    ChangeLog:
    
    * Fri Nov 16 2018 Kalev Lember  - 1.0.6-1
    - Update to 1.0.6
    * Mon Nov 12 2018 Kalev Lember  - 1.0.5-2
    - Recommend p11-kit-server instead of just p11-kit (#1649049)
    * Mon Nov 12 2018 Kalev Lember  - 1.0.5-1
    - Update to 1.0.5
    * Fri Oct 12 2018 Kalev Lember  - 1.0.4-1
    - Update to 1.0.4
    * Thu Oct  4 2018 Kalev Lember  - 1.0.3-1
    - Update to 1.0.3
    * Thu Sep 13 2018 Kalev Lember  - 1.0.2-1
    - Update to 1.0.2
    * Tue Aug 28 2018 David King  - 1.0.1-1
    - Update to 1.0.1
    * Mon Aug 20 2018 David King  - 1.0.0-2
    - Fix double dash in XML documentation
    * Mon Aug 20 2018 David King  - 1.0.0-1
    - Update to 1.0.0
    * Tue Jul 10 2018 Kalev Lember  - 0.99.3-1
    - Update to 0.99.3
    * Wed Jun 27 2018 Kalev Lember  - 0.99.2-1
    - Update to 0.99.2
    * Thu Jun 21 2018 David King  - 0.99.1-1
    - Update to 0.99.1
    * Wed Jun 13 2018 David King  - 0.11.8.3-1
    - Update to 0.11.8.3 (#1590808)
    * Mon Jun 11 2018 David King  - 0.11.8.2-1
    - Update to 0.11.8.2 (#1589810)
    * Fri Jun  8 2018 David King  - 0.11.8.1-1
    - Update to 0.11.8.1 (#1588868)
    * Fri Jun  8 2018 David King  - 0.11.8-1
    - Update to 0.11.8 (#1588868)
    * Wed May 23 2018 Adam Jackson  - 0.11.7-2
    - Remove Requires: kernel >= 4.0.4-202, which corresponds to rawhide
      somewhere before Fedora 22 which this spec file certainly no longer
      supports.
    * Thu May  3 2018 Kalev Lember  - 0.11.7-1
    - Update to 0.11.7
    * Wed May  2 2018 Kalev Lember  - 0.11.6-1
    - Update to 0.11.6
    * Wed May  2 2018 Kalev Lember  - 0.11.5-2
    - Backport a fix for a gnome-software crash installing .flatpakref files
    * Mon Apr 30 2018 David King  - 0.11.5-1
    - Update to 0.11.5
    * Thu Apr 26 2018 Kalev Lember  - 0.11.4-1
    - Update to 0.11.4
    --------------------------------------------------------------------------------
    References:
    
      [ 1 ] Bug #1649049 - missing dependency on p11-kit-server
            https://bugzilla.redhat.com/show_bug.cgi?id=1649049
    --------------------------------------------------------------------------------
    
    This update can be installed with the "dnf" update program. Use
    su -c 'dnf upgrade --advisory FEDORA-2018-4d68cf2b1c' at the command
    line. For more information, refer to the dnf documentation available at
    http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
    
    All packages are signed with the Fedora Project GPG key. More details on the
    GPG keys used by the Fedora Project can be found at
    https://fedoraproject.org/keys
    --------------------------------------------------------------------------------
    