Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk

Announcement ID:	SUSE-SU-2021:1094-1
Rating:	important
References:	bsc#1133120 bsc#1133124 bsc#1175899 bsc#1180996 jsc#SLE-7171
Cross-References:	CVE-2021-21261
CVSS scores:	CVE-2021-21261 ( SUSE ): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N CVE-2021-21261 ( NVD ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Products:	Basesystem Module 15-SP2 Desktop Applications Module 15-SP2 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Manager Proxy 4.1 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.1

An update that solves one vulnerability, contains one feature and has three security fixes can now be installed.

Description:

This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues:

libostree:

Update to version 2020.8

• Enable LTO. (bsc#1133120)

• This update contains scalability improvements and bugfixes.

• Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be re-downloaded if not changed in the meanwhile.
• Summaries and delta have been reworked to allow more fine-grained fetching.
• Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures.
• Static deltas can now be signed to more easily support offline verification.
• There's now support for multiple initramfs images; Is it possible to have a "main" initramfs image and a secondary one which represents local configuration.
• The documentation is now moved to https://ostreedev.github.io/ostree/
• Fix for an assertion failure when upgrading from systems before ostree supported devicetree.
• ostree no longer hardlinks zero sized files to avoid hitting filesystem maximum link counts.
• ostree now supports / and /boot being on the same filesystem.
• Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for the immutable bit on s390x, dropping a deprecated bit in the systemd unit file.
• Fix a regression 2020.4 where the "readonly sysroot" changes incorrectly left the sysroot read-only on systems that started out with a read-only / (most of them, e.g. Fedora Silverblue/IoT at least).
• The default dracut config now enables reproducibility.
• There is a new ostree admin unlock --transient. This should to be a foundation for further support for "live" updates.
• New ed25519 signing support, powered by libsodium.
• stree commit gained a new --base argument, which significantly simplifies constructing "derived" commits, particularly for systems using SELinux.
• Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. Enabling the readonly=true flag in the repo config is recommended.
• Several fixes in locking for the temporary "staging" directories OSTree creates, particularly on NFS.
• A new timestamp-check-from-rev option was added for pulls, which makes downgrade protection more reliable and will be used by Fedora CoreOS.
• Several fixes and enhancements made for "collection" pulls including a new --mirror option.
• The ostree commit command learned a new --mode-ro-executables which enforces W^R semantics on all executables.
• Added a new commit metadata key OSTREE_COMMIT_META_KEY_ARCHITECTURE to help standardize the architecture of the OSTree commit. This could be used on the client side for example to sanity-check that the commit matches the architecture of the machine before deploying.
• Stop invalid usage of %_libexecdir:
• Use %{_prefix}/lib where appropriate.
• Use _systemdgeneratordir for the systemd-generators.
• Define _dracutmodulesdir based on dracut.pc. Add BuildRequires(dracut) for this to work.

xdg-desktop-portal:

Update to version 1.8.0:

• Ensure systemd rpm macros are called at install/uninstall times for systemd user services.
• Add BuildRequires on systemd-rpm-macros.
• openuri:
• Allow skipping the chooser for more URL tyles
• Robustness fixes
• filechooser:
• Return the current filter
• Add a "directory" option
• Document the "writable" option
• camera:
• Make the client node visible
• Don't leak pipewire proxy
• Fix file descriptor leaks
• Testsuite improvements
• Updated translations.
• document:
• Reduce the use of open fds
• Add more tests and fix issues they found
• Expose directories with their proper name
• Support exporting directories
• New fuse implementation
• background: Avoid a segfault
• screencast: Require pipewire 0.3
• Better support for snap and toolbox
• Require /usr/bin/fusermount: xdg-document-portal calls out to the binary. (bsc#1175899) Without it, files or dirs can be selected, but whatever is done with or in them, will not have any effect
• Fixes for %_libexecdir changing to /usr/libexec

xdg-desktop-portal-gtk:

Update to version 1.8.0:

• filechooser:
• Return the current filter
  • Handle the "directory" option to select directories
  • Only show preview when we have an image
• screenshot: Fix cancellation
• appchooser: Avoid a crash
• wallpaper:
• Properly preview placement settings
• Drop the lockscreen option
• printing: Improve the notification
• Updated translations.
• settings: Fall back to gsettings for enable-animations
• screencast: Support Mutter version to 3 (New pipewire api ver 3).

flatpak:

• Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)

• This is a security update which fixes a potential attack where a flatpak application could use custom formated .desktop file to gain access to files on the host system.

• Fix memory leaks
• Documentation and translations updates
• Spawn portal better handles non-utf8 filenames
• Fix flatpak build on systems with setuid bwrap
• Fix crash on updating apps with no deploy data
• Remove deprecated texinfo packaging macros.
• Support for the new repo format which should make updates faster and download less data.
• The systemd generator snippets now call flatpak --print-updated-env in place of a bunch of shell for better login performance.
• The .profile snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh.
• Flatpak now finds the pulseaudio sockets better in uncommon configurations.
• Sandboxes with network access it now also has access to the systemd-resolved socket to do dns lookups.
• Flatpak supports unsetting environment variables in the sandbox using --unset-env, and --env=FOO= now sets FOO to the empty string instead of unsetting it.
• The spawn portal now has an option to share the pid namespace with the sub-sandbox.
• This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by controlling the environment of the "flatpak run" command when spawning a sub-sandbox (bsc#1180996, CVE-2021-21261)
• Fix support for ppc64.
• Move flatpak-bisect and flatpak-coredumpctl to devel subpackage, allow to remove python3 dependency on main package.
• Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124)
• Fixed progress reporting for OCI and extra-data.
• The in-memory summary cache is more efficient.
• Fixed authentication getting stuck in a loop in some cases.
• Fixed authentication error reporting.
• Extract OCI info for runtimes as well as apps.
• Fixed crash if anonymous authentication fails and -y is specified.
• flatpak info now only looks at the specified installation if one is specified.
• Better error reporting for server HTTP errors during download.
• Uninstall now removes applications before the runtime it depends on.
• Avoid updating metadata from the remote when uninstalling.
• FlatpakTransaction now verifies all passed in refs to avoid.
• Added validation of collection id settings for remotes.
• Fix seccomp filters on s390.
• Robustness fixes to the spawn portal.
• Fix support for masking update in the system installation.
• Better support for distros with uncommon models of merged /usr.
• Cache responses from localed/AccountService.
• Fix hangs in cases where xdg-dbus-proxy fails to start.
• Fix double-free in cups socket detection.
• OCI authenticator now doesn't ask for auth in case of http errors.
• Fix invalid usage of %{_libexecdir} to reference systemd directories.
• Fixes for %_libexecdir changing to /usr/libexec
• Avoid calling authenticator in update if ref didn't change
• Don't fail transaction if ref is already installed (after transaction start)
• Fix flatpak run handling of userns in the --device=all case
• Fix handling of extensions from different remotes
• Fix flatpak run --no-session-bus
• FlatpakTransaction has a new signal install-authenticator which clients can handle to install authenticators needed for the transaction. This is done in the CLI commands.
• Now the host timezone data is always exposed, fixing several apps that had timezone issues.
• There's a new systemd unit (not installed by default) to automatically detect plugged in usb sticks with sideload repos.
• By default the gdm env.d file is no longer installed because the systemd generators work better.
• create-usb now exports partial commits by default
• Fix handling of docker media types in oci remotes
• Fix subjects in remote-info --log output
• This release is also able to host flatpak images on e.g. docker hub.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1094=1
• Desktop Applications Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1094=1

Package List:

• Basesystem Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • libostree-debuginfo-2020.8-3.3.2
  • libostree-debugsource-2020.8-3.3.2
  • libostree-1-1-debuginfo-2020.8-3.3.2
  • libostree-1-1-2020.8-3.3.2
• Desktop Applications Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • xdg-desktop-portal-gtk-1.8.0-3.3.1
  • flatpak-zsh-completion-1.10.2-4.6.1
  • flatpak-debuginfo-1.10.2-4.6.1
  • xdg-desktop-portal-1.8.0-5.3.2
  • xdg-desktop-portal-devel-1.8.0-5.3.2
  • xdg-desktop-portal-debuginfo-1.8.0-5.3.2
  • typelib-1_0-OSTree-1_0-2020.8-3.3.2
  • flatpak-devel-1.10.2-4.6.1
  • xdg-desktop-portal-gtk-debugsource-1.8.0-3.3.1
  • xdg-desktop-portal-gtk-debuginfo-1.8.0-3.3.1
  • libflatpak0-debuginfo-1.10.2-4.6.1
  • system-user-flatpak-1.10.2-4.6.1
  • flatpak-debugsource-1.10.2-4.6.1
  • libostree-devel-2020.8-3.3.2
  • libflatpak0-1.10.2-4.6.1
  • xdg-desktop-portal-debugsource-1.8.0-5.3.2
  • flatpak-1.10.2-4.6.1
  • libostree-debugsource-2020.8-3.3.2
  • libostree-2020.8-3.3.2
  • libostree-debuginfo-2020.8-3.3.2
  • typelib-1_0-Flatpak-1_0-1.10.2-4.6.1
• Desktop Applications Module 15-SP2 (noarch)
  • xdg-desktop-portal-gtk-lang-1.8.0-3.3.1
  • xdg-desktop-portal-lang-1.8.0-5.3.2

References:

• https://www.suse.com/security/cve/CVE-2021-21261.html
• https://bugzilla.suse.com/show_bug.cgi?id=1133120
• https://bugzilla.suse.com/show_bug.cgi?id=1133124
• https://bugzilla.suse.com/show_bug.cgi?id=1175899
• https://bugzilla.suse.com/show_bug.cgi?id=1180996
• https://jira.suse.com/browse/SLE-7171