SUSE SLED15 / SLES15 Security Update : flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk (SUSE-SU-2021:1094-1)

high Nessus Plugin ID 148387

Synopsis

The remote SUSE host is missing one or more security updates.

Description

This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues :

libostree :

Update to version 2020.8

Enable LTO. (bsc#1133120)

This update contains scalability improvements and bugfixes.

Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be re-downloaded if not changed in the meanwhile.

Summaries and delta have been reworked to allow more fine-grained fetching.

Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures.

Static deltas can now be signed to more easily support offline verification.

There's now support for multiple initramfs images; it is possible to have a 'main' initramfs image and a secondary one which represents local configuration.

The documentation is now moved to https://ostreedev.github.io/ostree/

Fix for an assertion failure when upgrading from systems before ostree supported devicetree.

ostree no longer hardlinks zero sized files to avoid hitting filesystem maximum link counts.

ostree now supports `/` and `/boot` being on the same filesystem.

Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for the immutable bit on s390x, dropping a deprecated bit in the systemd unit file.

Fix a regression in 2020.4 where the 'readonly sysroot' changes incorrectly left the sysroot read-only on systems that started out with a read-only `/` (most of them, e.g. Fedora Silverblue/IoT at least).

The default dracut config now enables reproducibility.

There is a new ostree admin unlock `--transient`. This should be a foundation for further support for 'live' updates.

New `ed25519` signing support, powered by `libsodium`.

ostree commit gained a new `--base` argument, which significantly simplifies constructing 'derived' commits, particularly for systems using SELinux.

Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. Enabling the `readonly=true` flag in the repo config is recommended.

Several fixes in locking for the temporary 'staging' directories OSTree creates, particularly on NFS.

A new `timestamp-check-from-rev` option was added for pulls, which makes downgrade protection more reliable and will be used by Fedora CoreOS.

Several fixes and enhancements made for 'collection' pulls including a new `--mirror` option.

The ostree commit command learned a new `--mode-ro-executables` which enforces `W^R` semantics on all executables.

Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE` to help standardize the architecture of the OSTree commit. This could be used on the client side for example to sanity-check that the commit matches the architecture of the machine before deploying.

Stop invalid usage of `%_libexecdir` :

+ Use `%{_prefix}/lib` where appropriate.

+ Use `_systemdgeneratordir` for the systemd-generators.

+ Define `_dracutmodulesdir` based on `dracut.pc`. Add BuildRequires(dracut) for this to work.

xdg-desktop-portal :

Update to version 1.8.0 :

Ensure systemd rpm macros are called at install/uninstall times for systemd user services.

Add BuildRequires on systemd-rpm-macros.

openuri :

- Allow skipping the chooser for more URL types

- Robustness fixes

filechooser :

- Return the current filter

- Add a 'directory' option

- Document the 'writable' option

camera :

- Make the client node visible

- Don't leak pipewire proxy

Fix file descriptor leaks

Testsuite improvements

Updated translations.

document :

- Reduce the use of open fds

- Add more tests and fix issues they found

- Expose directories with their proper name

- Support exporting directories

- New fuse implementation

background: Avoid a segfault

screencast: Require pipewire 0.3

Better support for snap and toolbox

Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the binary. (bsc#1175899) Without it, files or dirs can be selected, but whatever is done with or in them will not have any effect.

Fixes for `%_libexecdir` changing to `/usr/libexec`

xdg-desktop-portal-gtk :

Update to version 1.8.0 :

filechooser :

- Return the current filter

- Handle the 'directory' option to select directories

- Only show preview when we have an image

screenshot: Fix cancellation

appchooser: Avoid a crash

wallpaper :

- Properly preview placement settings

- Drop the lockscreen option

printing: Improve the notification

Updated translations.

settings: Fall back to gsettings for enable-animations

screencast: Support Mutter version to 3 (New pipewire api ver 3).

flatpak :

Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)

This is a security update which fixes a potential attack where a flatpak application could use a custom formatted `.desktop` file to gain access to files on the host system.

Fix memory leaks

Documentation and translations updates

Spawn portal better handles non-utf8 filenames

Fix flatpak build on systems with setuid bwrap

Fix crash on updating apps with no deploy data

Remove deprecated texinfo packaging macros.

Support for the new repo format which should make updates faster and download less data.

The systemd generator snippets now call flatpak `--print-updated-env` in place of a bunch of shell for better login performance.

The `.profile` snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh.

Flatpak now finds the pulseaudio sockets better in uncommon configurations.

Sandboxes with network access now also have access to the `systemd-resolved` socket to do DNS lookups.

Flatpak supports unsetting environment variables in the sandbox using `--unset-env`, and `--env=FOO=` now sets FOO to the empty string instead of unsetting it.

The spawn portal now has an option to share the pid namespace with the sub-sandbox.

This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by controlling the environment of the 'flatpak run' command when spawning a sub-sandbox. (bsc#1180996, CVE-2021-21261)

Fix support for ppc64.

Move flatpak-bisect and flatpak-coredumpctl to the devel subpackage, allowing the python3 dependency to be removed from the main package.

Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124)

Fixed progress reporting for OCI and extra-data.

The in-memory summary cache is more efficient.

Fixed authentication getting stuck in a loop in some cases.

Fixed authentication error reporting.

Extract OCI info for runtimes as well as apps.

Fixed crash if anonymous authentication fails and `-y` is specified.

flatpak info now only looks at the specified installation if one is specified.

Better error reporting for server HTTP errors during download.

Uninstall now removes applications before the runtime it depends on.

Avoid updating metadata from the remote when uninstalling.

FlatpakTransaction now verifies all passed in refs to avoid.

Added validation of collection id settings for remotes.

Fix seccomp filters on s390.

Robustness fixes to the spawn portal.

Fix support for masking update in the system installation.

Better support for distros with uncommon models of merged `/usr`.

Cache responses from localed/AccountService.

Fix hangs in cases where `xdg-dbus-proxy` fails to start.

Fix double-free in cups socket detection.

OCI authenticator now doesn't ask for auth in case of http errors.

Fix invalid usage of `%{_libexecdir}` to reference systemd directories.

Fixes for `%_libexecdir` changing to `/usr/libexec`

Avoid calling authenticator in update if ref didn't change

Don't fail transaction if ref is already installed (after transaction start)

Fix flatpak run handling of userns in the `--device=all` case

Fix handling of extensions from different remotes

Fix flatpak run `--no-session-bus`

`FlatpakTransaction` has a new signal `install-authenticator` which clients can handle to install authenticators needed for the transaction. This is done in the CLI commands.

Now the host timezone data is always exposed, fixing several apps that had timezone issues.

There's a new systemd unit (not installed by default) to automatically detect plugged in usb sticks with sideload repos.

By default the `gdm env.d` file is no longer installed because the systemd generators work better.

`create-usb` now exports partial commits by default

Fix handling of docker media types in oci remotes

Fix subjects in `remote-info --log` output

This release is also able to host flatpak images on e.g. docker hub.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Module for Desktop Applications 15-SP2 :

zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1094=1

SUSE Linux Enterprise Module for Basesystem 15-SP2 :

zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1094=1

See Also

https://bugzilla.suse.com/show_bug.cgi?id=1133120

https://bugzilla.suse.com/show_bug.cgi?id=1133124

https://bugzilla.suse.com/show_bug.cgi?id=1175899

https://bugzilla.suse.com/show_bug.cgi?id=1180996

https://ostreedev.github.io/ostree/

https://www.suse.com/security/cve/CVE-2021-21261/

http://www.nessus.org/u?5a97906e

Plugin Details

Severity: High

ID: 148387

File Name: suse_SU-2021-1094-1.nasl

Version: 1.2

Type: local

Agent: unix

Published: 4/8/2021

Updated: 4/12/2021

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:flatpak, p-cpe:/a:novell:suse_linux:flatpak-debuginfo, p-cpe:/a:novell:suse_linux:flatpak-debugsource, p-cpe:/a:novell:suse_linux:flatpak-devel, p-cpe:/a:novell:suse_linux:flatpak-zsh-completion, p-cpe:/a:novell:suse_linux:libflatpak0, p-cpe:/a:novell:suse_linux:libflatpak0-debuginfo, p-cpe:/a:novell:suse_linux:libostree, p-cpe:/a:novell:suse_linux:libostree-1, p-cpe:/a:novell:suse_linux:libostree-1-1-debuginfo, p-cpe:/a:novell:suse_linux:libostree-debuginfo, p-cpe:/a:novell:suse_linux:libostree-debugsource, p-cpe:/a:novell:suse_linux:libostree-devel, p-cpe:/a:novell:suse_linux:system-user-flatpak, p-cpe:/a:novell:suse_linux:typelib-1_0-Flatpak, p-cpe:/a:novell:suse_linux:typelib-1_0-OSTree, p-cpe:/a:novell:suse_linux:xdg-desktop-portal, p-cpe:/a:novell:suse_linux:xdg-desktop-portal-debuginfo, p-cpe:/a:novell:suse_linux:xdg-desktop-portal-debugsource, p-cpe:/a:novell:suse_linux:xdg-desktop-portal-devel, p-cpe:/a:novell:suse_linux:xdg-desktop-portal-gtk, p-cpe:/a:novell:suse_linux:xdg-desktop-portal-gtk-debuginfo, p-cpe:/a:novell:suse_linux:xdg-desktop-portal-gtk-debugsource, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/7/2021

Vulnerability Publication Date: 1/14/2021

Reference Information

CVE: CVE-2021-21261