Detections
Analytics

openSUSE Security Update : flatpak / libostree / xdg-desktop-portal / etc (openSUSE-2021-520)

high Nessus Plugin ID 148417

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues :

libostree :

Update to version 2020.8

 - Enable LTO. (bsc#1133120)

 - This update contains scalability improvements and bugfixes.

 - Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be re-downloaded if not changed in the meanwhile.

 - Summaries and delta have been reworked to allow more fine-grained fetching.

 - Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures.

 - Static deltas can now be signed to more easily support offline verification.

 - There's now support for multiple initramfs images; Is it possible to have a 'main' initramfs image and a secondary one which represents local configuration.

 - The documentation is now moved to https://ostreedev.github.io/ostree/

 - Fix for an assertion failure when upgrading from systems before ostree supported devicetree.

 - ostree no longer hardlinks zero sized files to avoid hitting filesystem maximum link counts.

 - ostree now supports `/` and `/boot` being on the same filesystem.

 - Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for the immutable bit on s390x, dropping a deprecated bit in the systemd unit file.

 - Fix a regression 2020.4 where the 'readonly sysroot' changes incorrectly left the sysroot read-only on systems that started out with a read-only `/` (most of them, e.g. Fedora Silverblue/IoT at least).

 - The default dracut config now enables reproducibility.

 - There is a new ostree admin unlock `--transient`. This should to be a foundation for further support for 'live' updates.

 - New `ed25519` signing support, powered by `libsodium`.

 - stree commit gained a new `--base` argument, which significantly simplifies constructing 'derived' commits, particularly for systems using SELinux.

 - Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. Enabling the `readonly=true` flag in the repo config is recommended.

 - Several fixes in locking for the temporary 'staging' directories OSTree creates, particularly on NFS.

 - A new `timestamp-check-from-rev` option was added for pulls, which makes downgrade protection more reliable and will be used by Fedora CoreOS.

 - Several fixes and enhancements made for 'collection' pulls including a new `--mirror` option.

 - The ostree commit command learned a new `--mode-ro-executables` which enforces `W^R` semantics on all executables.

 - Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE` to help standardize the architecture of the OSTree commit. This could be used on the client side for example to sanity-check that the commit matches the architecture of the machine before deploying.

 - Stop invalid usage of `%_libexecdir` :

 + Use `%(_prefix)/lib` where appropriate.

 + Use `_systemdgeneratordir` for the systemd-generators.

 + Define `_dracutmodulesdir` based on `dracut.pc`. Add BuildRequires(dracut) for this to work.

xdg-desktop-portal :

Update to version 1.8.0 :

 - Ensure systemd rpm macros are called at install/uninstall times for systemd user services.

 - Add BuildRequires on systemd-rpm-macros.

 - openuri :

 - Allow skipping the chooser for more URL tyles

 - Robustness fixes

 - filechooser :

 - Return the current filter

 - Add a 'directory' option

 - Document the 'writable' option

 - camera :

 - Make the client node visible

 - Don't leak pipewire proxy

 - Fix file descriptor leaks

 - Testsuite improvements

 - Updated translations.

 - document :

 - Reduce the use of open fds

 - Add more tests and fix issues they found

 - Expose directories with their proper name

 - Support exporting directories

 - New fuse implementation

 - background: Avoid a segfault

 - screencast: Require pipewire 0.3

 - Better support for snap and toolbox

 - Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the binary. (bsc#1175899) Without it, files or dirs can be selected, but whatever is done with or in them, will not have any effect

 - Fixes for `%_libexecdir` changing to `/usr/libexec`

xdg-desktop-portal-gtk :

Update to version 1.8.0 :

 - filechooser :

 - Return the current filter

 - Handle the 'directory' option to select directories

 - Only show preview when we have an image

 - screenshot: Fix cancellation

 - appchooser: Avoid a crash

 - wallpaper :

 - Properly preview placement settings

 - Drop the lockscreen option

 - printing: Improve the notification

 - Updated translations.

 - settings: Fall back to gsettings for enable-animations

 - screencast: Support Mutter version to 3 (New pipewire api ver 3).

flatpak :

 - Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)

 - This is a security update which fixes a potential attack where a flatpak application could use custom formated `.desktop` file to gain access to files on the host system.

 - Fix memory leaks

 - Documentation and translations updates

 - Spawn portal better handles non-utf8 filenames

 - Fix flatpak build on systems with setuid bwrap

- Fix crash on updating apps with no deploy data

 - Remove deprecated texinfo packaging macros.

 - Support for the new repo format which should make updates faster and download less data.

 - The systemd generator snippets now call flatpak `--print-updated-env` in place of a bunch of shell for better login performance.

 - The `.profile` snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh.

 - Flatpak now finds the pulseaudio sockets better in uncommon configurations.

 - Sandboxes with network access it now also has access to the `systemd-resolved` socket to do dns lookups.

 - Flatpak supports unsetting environment variables in the sandbox using `--unset-env`, and `--env=FOO=` now sets FOO to the empty string instead of unsetting it.

 - The spawn portal now has an option to share the pid namespace with the sub-sandbox.

 - This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by controlling the environment of the 'flatpak run' command when spawning a sub-sandbox (bsc#1180996, CVE-2021-21261)

 - Fix support for ppc64.

 - Move flatpak-bisect and flatpak-coredumpctl to devel subpackage, allow to remove python3 dependency on main package.

 - Enable LTO as gobject-introspection works fine with LTO.
 (bsc#1133124)

 - Fixed progress reporting for OCI and extra-data.

 - The in-memory summary cache is more efficient.

 - Fixed authentication getting stuck in a loop in some cases.

 - Fixed authentication error reporting.

 - Extract OCI info for runtimes as well as apps.

- Fixed crash if anonymous authentication fails and `-y` is specified.

 - flatpak info now only looks at the specified installation if one is specified.

 - Better error reporting for server HTTP errors during download.

- Uninstall now removes applications before the runtime it depends on.

 - Avoid updating metadata from the remote when uninstalling.

 - FlatpakTransaction now verifies all passed in refs to avoid.

 - Added validation of collection id settings for remotes.

 - Fix seccomp filters on s390.

 - Robustness fixes to the spawn portal.

 - Fix support for masking update in the system installation.

 - Better support for distros with uncommon models of merged `/usr`.

 - Cache responses from localed/AccountService.

 - Fix hangs in cases where `xdg-dbus-proxy` fails to start.

 - Fix double-free in cups socket detection.

 - OCI authenticator now doesn't ask for auth in case of http errors.

 - Fix invalid usage of `%(_libexecdir)` to reference systemd directories.

 - Fixes for `%_libexecdir` changing to `/usr/libexec`

 - Avoid calling authenticator in update if ref didn't change

 - Don't fail transaction if ref is already installed (after transaction start)

 - Fix flatpak run handling of userns in the `--device=all` case

 - Fix handling of extensions from different remotes

 - Fix flatpak run `--no-session-bus`

 - `FlatpakTransaction` has a new signal `install-authenticator` which clients can handle to install authenticators needed for the transaction. This is done in the CLI commands.

 - Now the host timezone data is always exposed, fixing several apps that had timezone issues.

 - There's a new systemd unit (not installed by default) to automatically detect plugged in usb sticks with sideload repos.

 - By default the `gdm env.d` file is no longer installed because the systemd generators work better.

 - `create-usb` now exports partial commits by default

- Fix handling of docker media types in oci remotes

 - Fix subjects in `remote-info --log` output

 - This release is also able to host flatpak images on e.g.
 docker hub. This update was imported from the SUSE:SLE-15-SP2:Update update project.

Solution

Update the affected flatpak / libostree / xdg-desktop-portal / etc packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1133120

https://bugzilla.opensuse.org/show_bug.cgi?id=1133124

https://bugzilla.opensuse.org/show_bug.cgi?id=1175899

https://bugzilla.opensuse.org/show_bug.cgi?id=1180996

https://ostreedev.github.io/ostree/

Plugin Details

Severity: High

ID: 148417

File Name: openSUSE-2021-520.nasl

Version: 1.3

Type: local

Agent: unix

Published: 4/9/2021

Updated: 1/5/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2021-21261

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:flatpak-zsh-completion, p-cpe:/a:novell:opensuse:libflatpak0-debuginfo, p-cpe:/a:novell:opensuse:system-user-flatpak, p-cpe:/a:novell:opensuse:xdg-desktop-portal-gtk-lang, p-cpe:/a:novell:opensuse:libostree-devel, p-cpe:/a:novell:opensuse:xdg-desktop-portal, p-cpe:/a:novell:opensuse:xdg-desktop-portal-debugsource, p-cpe:/a:novell:opensuse:xdg-desktop-portal-gtk-debugsource, p-cpe:/a:novell:opensuse:libostree-grub2, p-cpe:/a:novell:opensuse:xdg-desktop-portal-debuginfo, p-cpe:/a:novell:opensuse:flatpak-debuginfo, p-cpe:/a:novell:opensuse:libostree-debugsource, p-cpe:/a:novell:opensuse:libostree-debuginfo, p-cpe:/a:novell:opensuse:flatpak, p-cpe:/a:novell:opensuse:libostree-1-1, p-cpe:/a:novell:opensuse:xdg-desktop-portal-gtk, p-cpe:/a:novell:opensuse:libostree-1-1-debuginfo, p-cpe:/a:novell:opensuse:xdg-desktop-portal-lang, p-cpe:/a:novell:opensuse:typelib-1_0-flatpak-1_0, p-cpe:/a:novell:opensuse:flatpak-debugsource, p-cpe:/a:novell:opensuse:flatpak-devel, p-cpe:/a:novell:opensuse:libostree, p-cpe:/a:novell:opensuse:typelib-1_0-ostree-1_0, cpe:/o:novell:opensuse:15.2, p-cpe:/a:novell:opensuse:xdg-desktop-portal-devel, p-cpe:/a:novell:opensuse:libflatpak0, p-cpe:/a:novell:opensuse:xdg-desktop-portal-gtk-debuginfo

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 4/8/2021

Vulnerability Publication Date: 1/14/2021

Reference Information

CVE: CVE-2021-21261