SUSE-SU-2021:1094-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2021:1094-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2021:1094-1
Related
Published
2021-04-07T12:11:43Z
Modified
2021-04-07T12:11:43Z
Summary
Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk
Details

This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues:

libostree:

Update to version 2020.8

  • Enable LTO. (bsc#1133120)

  • This update contains scalability improvements and bugfixes.

  • Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be re-downloaded if not changed in the meanwhile.
  • Summaries and delta have been reworked to allow more fine-grained fetching.
  • Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures.
  • Static deltas can now be signed to more easily support offline verification.
  • There's now support for multiple initramfs images; it is possible to have a 'main' initramfs image and a secondary one which represents local configuration.
  • The documentation is now moved to https://ostreedev.github.io/ostree/
  • Fix for an assertion failure when upgrading from systems before ostree supported devicetree.
  • ostree no longer hardlinks zero sized files to avoid hitting filesystem maximum link counts.
  • ostree now supports / and /boot being on the same filesystem.
  • Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for the immutable bit on s390x, dropping a deprecated bit in the systemd unit file.
  • Fix a regression 2020.4 where the 'readonly sysroot' changes incorrectly left the sysroot read-only on systems that started out with a read-only / (most of them, e.g. Fedora Silverblue/IoT at least).
  • The default dracut config now enables reproducibility.
  • There is a new ostree admin unlock --transient. This should be a foundation for further support for 'live' updates.
  • New ed25519 signing support, powered by libsodium.
  • ostree commit gained a new --base argument, which significantly simplifies constructing 'derived' commits, particularly for systems using SELinux.
  • Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. Enabling the readonly=true flag in the repo config is recommended.
  • Several fixes in locking for the temporary 'staging' directories OSTree creates, particularly on NFS.
  • A new timestamp-check-from-rev option was added for pulls, which makes downgrade protection more reliable and will be used by Fedora CoreOS.
  • Several fixes and enhancements made for 'collection' pulls including a new --mirror option.
  • The ostree commit command learned a new --mode-ro-executables which enforces W^X semantics on all executables.
  • Added a new commit metadata key OSTREE_COMMIT_META_KEY_ARCHITECTURE to help standardize the architecture of the OSTree commit. This could be used on the client side for example to sanity-check that the commit matches the architecture of the machine before deploying.
  • Stop invalid usage of %_libexecdir:
    • Use %{_prefix}/lib where appropriate.
    • Use _systemdgeneratordir for the systemd-generators.
    • Define _dracutmodulesdir based on dracut.pc. Add BuildRequires(dracut) for this to work.

xdg-desktop-portal:

Update to version 1.8.0:

  • Ensure systemd rpm macros are called at install/uninstall times for systemd user services.
  • Add BuildRequires on systemd-rpm-macros.
  • openuri:
    • Allow skipping the chooser for more URL types
    • Robustness fixes
  • filechooser:
    • Return the current filter
    • Add a 'directory' option
    • Document the 'writable' option
  • camera:
    • Make the client node visible
    • Don't leak pipewire proxy
  • Fix file descriptor leaks
  • Testsuite improvements
  • Updated translations.
  • document:
    • Reduce the use of open fds
    • Add more tests and fix issues they found
    • Expose directories with their proper name
    • Support exporting directories
    • New fuse implementation
  • background: Avoid a segfault
  • screencast: Require pipewire 0.3
  • Better support for snap and toolbox
  • Require /usr/bin/fusermount: xdg-document-portal calls out to the binary. (bsc#1175899) Without it, files or dirs can be selected, but whatever is done with or in them will not have any effect.
  • Fixes for %_libexecdir changing to /usr/libexec

xdg-desktop-portal-gtk:

Update to version 1.8.0:

  • filechooser:
    • Return the current filter
    • Handle the 'directory' option to select directories
    • Only show preview when we have an image
  • screenshot: Fix cancellation
  • appchooser: Avoid a crash
  • wallpaper:
    • Properly preview placement settings
    • Drop the lockscreen option
  • printing: Improve the notification
  • Updated translations.
  • settings: Fall back to gsettings for enable-animations
  • screencast: Support Mutter API version 3 (new pipewire API version 3).

flatpak:

  • Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)

  • This is a security update which fixes a potential attack where a flatpak application could use a custom formatted .desktop file to gain access to files on the host system.

  • Fix memory leaks
  • Documentation and translations updates
  • Spawn portal better handles non-utf8 filenames
  • Fix flatpak build on systems with setuid bwrap
  • Fix crash on updating apps with no deploy data
  • Remove deprecated texinfo packaging macros.
  • Support for the new repo format which should make updates faster and download less data.
  • The systemd generator snippets now call flatpak --print-updated-env in place of a bunch of shell for better login performance.
  • The .profile snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh.
  • Flatpak now finds the pulseaudio sockets better in uncommon configurations.
  • Sandboxes with network access now also have access to the systemd-resolved socket to do DNS lookups.
  • Flatpak supports unsetting environment variables in the sandbox using --unset-env, and --env=FOO= now sets FOO to the empty string instead of unsetting it.
  • The spawn portal now has an option to share the pid namespace with the sub-sandbox.
  • This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by controlling the environment of the 'flatpak run' command when spawning a sub-sandbox (bsc#1180996, CVE-2021-21261)
  • Fix support for ppc64.
  • Move flatpak-bisect and flatpak-coredumpctl to devel subpackage, allow to remove python3 dependency on main package.
  • Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124)
  • Fixed progress reporting for OCI and extra-data.
  • The in-memory summary cache is more efficient.
  • Fixed authentication getting stuck in a loop in some cases.
  • Fixed authentication error reporting.
  • Extract OCI info for runtimes as well as apps.
  • Fixed crash if anonymous authentication fails and -y is specified.
  • flatpak info now only looks at the specified installation if one is specified.
  • Better error reporting for server HTTP errors during download.
  • Uninstall now removes applications before the runtime it depends on.
  • Avoid updating metadata from the remote when uninstalling.
  • FlatpakTransaction now verifies all passed in refs to avoid.
  • Added validation of collection id settings for remotes.
  • Fix seccomp filters on s390.
  • Robustness fixes to the spawn portal.
  • Fix support for masking update in the system installation.
  • Better support for distros with uncommon models of merged /usr.
  • Cache responses from localed/AccountService.
  • Fix hangs in cases where xdg-dbus-proxy fails to start.
  • Fix double-free in cups socket detection.
  • OCI authenticator now doesn't ask for auth in case of http errors.
  • Fix invalid usage of %{_libexecdir} to reference systemd directories.
  • Fixes for %_libexecdir changing to /usr/libexec
  • Avoid calling authenticator in update if ref didn't change
  • Don't fail transaction if ref is already installed (after transaction start)
  • Fix flatpak run handling of userns in the --device=all case
  • Fix handling of extensions from different remotes
  • Fix flatpak run --no-session-bus
  • FlatpakTransaction has a new signal install-authenticator which clients can handle to install authenticators needed for the transaction. This is done in the CLI commands.
  • Now the host timezone data is always exposed, fixing several apps that had timezone issues.
  • There's a new systemd unit (not installed by default) to automatically detect plugged in usb sticks with sideload repos.
  • By default the gdm env.d file is no longer installed because the systemd generators work better.
  • create-usb now exports partial commits by default
  • Fix handling of docker media types in oci remotes
  • Fix subjects in remote-info --log output
  • This release is also able to host flatpak images on e.g. docker hub.
References

Affected packages

SUSE:Linux Enterprise Module for Basesystem 15 SP2 / libostree

Package

Name
libostree
Purl
purl:rpm/suse/libostree&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2020.8-3.3.2

Ecosystem specific

{
    "binaries": [
        {
            "libostree-1-1": "2020.8-3.3.2"
        }
    ]
}

SUSE:Linux Enterprise Module for Desktop Applications 15 SP2 / flatpak

Package

Name
flatpak
Purl
purl:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.10.2-4.6.1

Ecosystem specific

{
    "binaries": [
        {
            "libflatpak0": "1.10.2-4.6.1",
            "typelib-1_0-OSTree-1_0": "2020.8-3.3.2",
            "flatpak": "1.10.2-4.6.1",
            "xdg-desktop-portal": "1.8.0-5.3.2",
            "libostree-devel": "2020.8-3.3.2",
            "flatpak-devel": "1.10.2-4.6.1",
            "typelib-1_0-Flatpak-1_0": "1.10.2-4.6.1",
            "flatpak-zsh-completion": "1.10.2-4.6.1",
            "xdg-desktop-portal-gtk-lang": "1.8.0-3.3.1",
            "system-user-flatpak": "1.10.2-4.6.1",
            "xdg-desktop-portal-gtk": "1.8.0-3.3.1",
            "xdg-desktop-portal-lang": "1.8.0-5.3.2",
            "xdg-desktop-portal-devel": "1.8.0-5.3.2",
            "libostree": "2020.8-3.3.2"
        }
    ]
}

SUSE:Linux Enterprise Module for Desktop Applications 15 SP2 / libostree

Package

Name
libostree
Purl
purl:rpm/suse/libostree&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2020.8-3.3.2

Ecosystem specific

{
    "binaries": [
        {
            "libflatpak0": "1.10.2-4.6.1",
            "typelib-1_0-OSTree-1_0": "2020.8-3.3.2",
            "flatpak": "1.10.2-4.6.1",
            "xdg-desktop-portal": "1.8.0-5.3.2",
            "libostree-devel": "2020.8-3.3.2",
            "flatpak-devel": "1.10.2-4.6.1",
            "typelib-1_0-Flatpak-1_0": "1.10.2-4.6.1",
            "flatpak-zsh-completion": "1.10.2-4.6.1",
            "xdg-desktop-portal-gtk-lang": "1.8.0-3.3.1",
            "system-user-flatpak": "1.10.2-4.6.1",
            "xdg-desktop-portal-gtk": "1.8.0-3.3.1",
            "xdg-desktop-portal-lang": "1.8.0-5.3.2",
            "xdg-desktop-portal-devel": "1.8.0-5.3.2",
            "libostree": "2020.8-3.3.2"
        }
    ]
}

SUSE:Linux Enterprise Module for Desktop Applications 15 SP2 / xdg-desktop-portal

Package

Name
xdg-desktop-portal
Purl
purl:rpm/suse/xdg-desktop-portal&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.8.0-5.3.2

Ecosystem specific

{
    "binaries": [
        {
            "libflatpak0": "1.10.2-4.6.1",
            "typelib-1_0-OSTree-1_0": "2020.8-3.3.2",
            "flatpak": "1.10.2-4.6.1",
            "xdg-desktop-portal": "1.8.0-5.3.2",
            "libostree-devel": "2020.8-3.3.2",
            "flatpak-devel": "1.10.2-4.6.1",
            "typelib-1_0-Flatpak-1_0": "1.10.2-4.6.1",
            "flatpak-zsh-completion": "1.10.2-4.6.1",
            "xdg-desktop-portal-gtk-lang": "1.8.0-3.3.1",
            "system-user-flatpak": "1.10.2-4.6.1",
            "xdg-desktop-portal-gtk": "1.8.0-3.3.1",
            "xdg-desktop-portal-lang": "1.8.0-5.3.2",
            "xdg-desktop-portal-devel": "1.8.0-5.3.2",
            "libostree": "2020.8-3.3.2"
        }
    ]
}

SUSE:Linux Enterprise Module for Desktop Applications 15 SP2 / xdg-desktop-portal-gtk

Package

Name
xdg-desktop-portal-gtk
Purl
purl:rpm/suse/xdg-desktop-portal-gtk&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.8.0-3.3.1

Ecosystem specific

{
    "binaries": [
        {
            "libflatpak0": "1.10.2-4.6.1",
            "typelib-1_0-OSTree-1_0": "2020.8-3.3.2",
            "flatpak": "1.10.2-4.6.1",
            "xdg-desktop-portal": "1.8.0-5.3.2",
            "libostree-devel": "2020.8-3.3.2",
            "flatpak-devel": "1.10.2-4.6.1",
            "typelib-1_0-Flatpak-1_0": "1.10.2-4.6.1",
            "flatpak-zsh-completion": "1.10.2-4.6.1",
            "xdg-desktop-portal-gtk-lang": "1.8.0-3.3.1",
            "system-user-flatpak": "1.10.2-4.6.1",
            "xdg-desktop-portal-gtk": "1.8.0-3.3.1",
            "xdg-desktop-portal-lang": "1.8.0-5.3.2",
            "xdg-desktop-portal-devel": "1.8.0-5.3.2",
            "libostree": "2020.8-3.3.2"
        }
    ]
}