Announcement

Collapse
No announcement yet.

Flatpak 1.2.4 Released To Address Security Issue - Sandbox Bypass Vulnerability

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Flatpak 1.2.4 Released To Address Security Issue - Sandbox Bypass Vulnerability

    Phoronix: Flatpak 1.2.4 Released To Address Security Issue - Sandbox Bypass Vulnerability

    Flatpak 1.2.4 was issued today as an emergency release to address a new CVE vulnerability...

    http://www.phoronix.com/scan.php?pag...1.2.4-Released

  • #2
    For those curious:

    It uses bubblewrap for the sandboxing, as stated in the NEWS file which referenced the original CVE (CVE-2017-5226):
    https://github.com/flatpak/flatpak/b...f0d/NEWS#L1247

    The original bubblewrap bug report for CVE-2017-5226:
    https://github.com/projectatomic/bubblewrap/issues/142

    The more recent issue on the flatpak github:
    https://github.com/flatpak/flatpak/issues/2782

    Note that snapd was also affected.

    If you open "man 7 capabilities" you can find info on the capability which exposes this terminal input feature. It's called: "CAP_SYS_ADMIN". You'll see that this capability enables the process to do many different things including employing "TIOCSTI ioctl(2) to insert characters into the input queue". Hopefully there are no other CAP_SYS_ADMIN features which a confined process could use to escape the Flatpak/bubblewrap/snapd sandboxes.

    Comment


    • #3
      BTW sandbox makes you safe, no need to take proper security measures yourself.

      Ah the ignorance.

      Comment


      • #4
        Last week I tried to Flatpak one of my applications. It's horrible :-/ To me, AppImage seems to be the superior solution.

        Comment


        • #5
          Originally posted by RealNC View Post
          Last week I tried to Flatpak one of my applications. It's horrible :-/ To me, AppImage seems to be the superior solution.
          How's it horrible?

          Comment


          • #6
            Originally posted by Weasel View Post
            BTW sandbox makes you safe, no need to take proper security measures yourself.
            None said that ever.

            Comment


            • #7
              Originally posted by RealNC View Post
              Last week I tried to Flatpak one of my applications. It's horrible :-/ To me, AppImage seems to be the superior solution.
              Did you find a way to make an AppImage that runs in any distro without bundling the whole Ubuntu (or whatever you use as a base) in your AppImage?

              Comment


              • #8
                Originally posted by starshipeleven View Post
                Did you find a way to make an AppImage that runs in any distro without bundling the whole Ubuntu (or whatever you use as a base) in your AppImage?
                I used linuxdeployqt (https://github.com/probonopd/linuxdeployqt) and an Ubuntu 16.04 VM. It copies some libraries, but not all of them. I built Qt by myself (since I want the latest version of that, 5.12), and then also built latest VLC myself (for libVLC, as I use that for video support.) The resulting appimage is 30MB and it runs on everything I tested it on, including all Ubuntu versions from 16.04 and up, but also Gentoo and Arch (which usually don't work well with binary applications due to their rolling release nature.)
                Last edited by RealNC; 03-27-2019, 04:06 PM.

                Comment


                • #9
                  Originally posted by Britoid View Post
                  How's it horrible?
                  Creating the flatpak seems borderline impossible. Maybe I'm too stupid, I don't know :-/ My issue is that there's no build environment. I can't build and install my dependencies into, say, /home/me/deps and then work from that. You need to use flatpak-builder every time, then you need to install the result into a testing repo and run from there. After two days of trying, I ran out of patience. If your application only uses libraries already in one of the flatpak SDKs, or they are trivial to build, then I guess it's easy. But if you need non-trivial deps, good luck. (I need libVLC, for example.)

                  AppImage on the other hand was very easy to deal with. You build your dependencies yourself, and thus things are easy to test and experiment with.
                  Last edited by RealNC; 03-27-2019, 04:02 PM.

                  Comment


                  • #10
                    Originally posted by starshipeleven View Post
                    None said that ever.
                    But they implied it. Para-phrasing hreindl "ROFL at you dumb idiot download some trash from internet and get burned hard while I enjoy sandbox protections, my Fedora systems up and running since 1752."

                    The difference is, I'm careful with what I download and/or do checks and sandbox manually if it's from shady site (custom setup is harder to get out of, because people won't target your system specifically, they target the defaults for dummies). He isn't because he has "teh sandbox protections", and ignorance is what silent malware loves the most: people who think they are protected.

                    Comment

                    Working...
                    X