openSUSE Security Update : flatpak / libostree / xdg-desktop-portal / etc (openSUSE-2021-520)

high Nessus Plugin ID 148417

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues:

libostree:

Update to version 2020.8

- Enable LTO. (bsc#1133120)

- This update contains scalability improvements and bugfixes.

- Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be re-downloaded if not changed in the meanwhile.

- Summaries and delta have been reworked to allow more fine-grained fetching.

- Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures.

- Static deltas can now be signed to more easily support offline verification.

- There's now support for multiple initramfs images; it is possible to have a 'main' initramfs image and a secondary one which represents local configuration.

- The documentation is now moved to https://ostreedev.github.io/ostree/

- Fix for an assertion failure when upgrading from systems before ostree supported devicetree.

- ostree no longer hardlinks zero sized files to avoid hitting filesystem maximum link counts.

- ostree now supports `/` and `/boot` being on the same filesystem.

- Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for the immutable bit on s390x, dropping a deprecated bit in the systemd unit file.

- Fix a regression in 2020.4 where the 'readonly sysroot' changes incorrectly left the sysroot read-only on systems that started out with a read-only `/` (most of them, e.g. Fedora Silverblue/IoT at least).

- The default dracut config now enables reproducibility.

- There is a new `ostree admin unlock --transient`. This should be a foundation for further support for 'live' updates.

- New `ed25519` signing support, powered by `libsodium`.

- `ostree commit` gained a new `--base` argument, which significantly simplifies constructing 'derived' commits, particularly for systems using SELinux.

- Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. Enabling the `readonly=true` flag in the repo config is recommended.

- Several fixes in locking for the temporary 'staging' directories OSTree creates, particularly on NFS.

- A new `timestamp-check-from-rev` option was added for pulls, which makes downgrade protection more reliable and will be used by Fedora CoreOS.

- Several fixes and enhancements made for 'collection' pulls including a new `--mirror` option.

- The ostree commit command learned a new `--mode-ro-executables` which enforces `W^R` semantics on all executables.

- Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE` to help standardize the architecture of the OSTree commit. This could be used on the client side for example to sanity-check that the commit matches the architecture of the machine before deploying.

- Stop invalid usage of `%_libexecdir`:

+ Use `%(_prefix)/lib` where appropriate.

+ Use `_systemdgeneratordir` for the systemd-generators.

+ Define `_dracutmodulesdir` based on `dracut.pc`. Add BuildRequires(dracut) for this to work.

xdg-desktop-portal:

Update to version 1.8.0:

- Ensure systemd rpm macros are called at install/uninstall times for systemd user services.

- Add BuildRequires on systemd-rpm-macros.

- openuri:

- Allow skipping the chooser for more URL types

- Robustness fixes

- filechooser:

- Return the current filter

- Add a 'directory' option

- Document the 'writable' option

- camera:

- Make the client node visible

- Don't leak pipewire proxy

- Fix file descriptor leaks

- Testsuite improvements

- Updated translations.

- document:

- Reduce the use of open fds

- Add more tests and fix issues they found

- Expose directories with their proper name

- Support exporting directories

- New fuse implementation

- background: Avoid a segfault

- screencast: Require pipewire 0.3

- Better support for snap and toolbox

- Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the binary. (bsc#1175899) Without it, files or directories can still be selected, but whatever is done with or in them has no effect.

- Fixes for `%_libexecdir` changing to `/usr/libexec`

xdg-desktop-portal-gtk:

Update to version 1.8.0:

- filechooser:

- Return the current filter

- Handle the 'directory' option to select directories

- Only show preview when we have an image

- screenshot: Fix cancellation

- appchooser: Avoid a crash

- wallpaper:

- Properly preview placement settings

- Drop the lockscreen option

- printing: Improve the notification

- Updated translations.

- settings: Fall back to gsettings for enable-animations

- screencast: Support Mutter version 3 (new pipewire API version 3).

flatpak:

- Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)

- This is a security update which fixes a potential attack where a flatpak application could use a custom-formatted `.desktop` file to gain access to files on the host system.

- Fix memory leaks

- Documentation and translations updates

- Spawn portal better handles non-utf8 filenames

- Fix flatpak build on systems with setuid bwrap

- Fix crash on updating apps with no deploy data

- Remove deprecated texinfo packaging macros.

- Support for the new repo format which should make updates faster and download less data.

- The systemd generator snippets now call flatpak `--print-updated-env` in place of a bunch of shell for better login performance.

- The `.profile` snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh.

- Flatpak now finds the pulseaudio sockets better in uncommon configurations.

- Sandboxes with network access now also have access to the `systemd-resolved` socket to do DNS lookups.

- Flatpak supports unsetting environment variables in the sandbox using `--unset-env`, and `--env=FOO=` now sets FOO to the empty string instead of unsetting it.

- The spawn portal now has an option to share the pid namespace with the sub-sandbox.

- This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by controlling the environment of the 'flatpak run' command when spawning a sub-sandbox (bsc#1180996, CVE-2021-21261).

- Fix support for ppc64.

- Move flatpak-bisect and flatpak-coredumpctl to devel subpackage, allow to remove python3 dependency on main package.

- Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124)

- Fixed progress reporting for OCI and extra-data.

- The in-memory summary cache is more efficient.

- Fixed authentication getting stuck in a loop in some cases.

- Fixed authentication error reporting.

- Extract OCI info for runtimes as well as apps.

- Fixed crash if anonymous authentication fails and `-y` is specified.

- flatpak info now only looks at the specified installation if one is specified.

- Better error reporting for server HTTP errors during download.

- Uninstall now removes applications before the runtime it depends on.

- Avoid updating metadata from the remote when uninstalling.

- FlatpakTransaction now verifies all passed in refs to avoid.

- Added validation of collection id settings for remotes.

- Fix seccomp filters on s390.

- Robustness fixes to the spawn portal.

- Fix support for masking update in the system installation.

- Better support for distros with uncommon models of merged `/usr`.

- Cache responses from localed/AccountService.

- Fix hangs in cases where `xdg-dbus-proxy` fails to start.

- Fix double-free in cups socket detection.

- OCI authenticator now doesn't ask for auth in case of http errors.

- Fix invalid usage of `%(_libexecdir)` to reference systemd directories.

- Fixes for `%_libexecdir` changing to `/usr/libexec`

- Avoid calling authenticator in update if ref didn't change

- Don't fail transaction if ref is already installed (after transaction start)

- Fix flatpak run handling of userns in the `--device=all` case

- Fix handling of extensions from different remotes

- Fix flatpak run `--no-session-bus`

- `FlatpakTransaction` has a new signal `install-authenticator` which clients can handle to install authenticators needed for the transaction. This is done in the CLI commands.

- Now the host timezone data is always exposed, fixing several apps that had timezone issues.

- There's a new systemd unit (not installed by default) to automatically detect plugged in usb sticks with sideload repos.

- By default the `gdm env.d` file is no longer installed because the systemd generators work better.

- `create-usb` now exports partial commits by default

- Fix handling of docker media types in oci remotes

- Fix subjects in `remote-info --log` output

- This release is also able to host flatpak images on e.g. docker hub. This update was imported from the SUSE:SLE-15-SP2:Update update project.

Solution

Update the affected flatpak / libostree / xdg-desktop-portal / etc packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1133120

https://bugzilla.opensuse.org/show_bug.cgi?id=1133124

https://bugzilla.opensuse.org/show_bug.cgi?id=1175899

https://bugzilla.opensuse.org/show_bug.cgi?id=1180996

https://ostreedev.github.io/ostree/

Plugin Details

Severity: High

ID: 148417

File Name: openSUSE-2021-520.nasl

Version: 1.2

Type: local

Agent: unix

Published: 4/9/2021

Updated: 4/14/2021

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:flatpak, p-cpe:/a:novell:opensuse:flatpak-debuginfo, p-cpe:/a:novell:opensuse:flatpak-debugsource, p-cpe:/a:novell:opensuse:flatpak-devel, p-cpe:/a:novell:opensuse:flatpak-zsh-completion, p-cpe:/a:novell:opensuse:libflatpak0, p-cpe:/a:novell:opensuse:libflatpak0-debuginfo, p-cpe:/a:novell:opensuse:libostree, p-cpe:/a:novell:opensuse:libostree-1-1, p-cpe:/a:novell:opensuse:libostree-1-1-debuginfo, p-cpe:/a:novell:opensuse:libostree-debuginfo, p-cpe:/a:novell:opensuse:libostree-debugsource, p-cpe:/a:novell:opensuse:libostree-devel, p-cpe:/a:novell:opensuse:libostree-grub2, p-cpe:/a:novell:opensuse:system-user-flatpak, p-cpe:/a:novell:opensuse:typelib-1_0-Flatpak-1_0, p-cpe:/a:novell:opensuse:typelib-1_0-OSTree-1_0, p-cpe:/a:novell:opensuse:xdg-desktop-portal, p-cpe:/a:novell:opensuse:xdg-desktop-portal-debuginfo, p-cpe:/a:novell:opensuse:xdg-desktop-portal-debugsource, p-cpe:/a:novell:opensuse:xdg-desktop-portal-devel, p-cpe:/a:novell:opensuse:xdg-desktop-portal-gtk, p-cpe:/a:novell:opensuse:xdg-desktop-portal-gtk-debuginfo, p-cpe:/a:novell:opensuse:xdg-desktop-portal-gtk-debugsource, p-cpe:/a:novell:opensuse:xdg-desktop-portal-gtk-lang, p-cpe:/a:novell:opensuse:xdg-desktop-portal-lang, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 4/8/2021

Vulnerability Publication Date: 1/14/2021

Reference Information

CVE: CVE-2021-21261