openSUSE2021:0520-1: important: Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk

openSUSE Security Update: Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk ______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:0520-1 Rating: important References: #1133120 #1133124 #1175899 #1180996 Cross-References: CVE-2021-21261 CVSS scores: CVE-2021-21261 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-21261 (SUSE): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________
An update that solves one vulnerability and has three fixes is now available.
Description:
This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues:
libostree:
Update to version 2020.8
– Enable LTO. (bsc#1133120)
– This update contains scalability improvements and bugfixes. – Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be re-downloaded if not changed in the meanwhile. – Summaries and delta have been reworked to allow more fine-grained fetching. – Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures. – Static deltas can now be signed to more easily support offline verification. – There’s now support for multiple initramfs images; Is it possible to have a “main” initramfs image and a secondary one which represents local configuration. – The documentation is now moved to ostreedev.github.io/ostree/ – Fix for an assertion failure when upgrading from systems before ostree supported devicetree. – ostree no longer hardlinks zero sized files to avoid hitting filesystem maximum link counts. – ostree now supports `/` and `/boot` being on the same filesystem. – Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for the immutable bit on s390x, dropping a deprecated bit in the systemd unit file. – Fix a regression 2020.4 where the “readonly sysroot” changes incorrectly left the sysroot read-only on systems that started out with a read-only `/` (most of them, e.g. Fedora Silverblue/IoT at least). – The default dracut config now enables reproducibility. – There is a new ostree admin unlock `–transient`. This should to be a foundation for further support for “live” updates. – New `ed25519` signing support, powered by `libsodium`. – stree commit gained a new `–base` argument, which significantly simplifies constructing “derived” commits, particularly for systems using SELinux. – Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. Enabling the `readonly=true` flag in the repo config is recommended. – Several fixes in locking for the temporary “staging” directories OSTree creates, particularly on NFS. – A new `timestamp-check-from-rev` option was added for pulls, which makes downgrade protection more reliable and will be used by Fedora CoreOS. – Several fixes and enhancements made for “collection” pulls including a new `–mirror` option. – The ostree commit command learned a new `–mode-ro-executables` which enforces `W^R` semantics on all executables. – Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE` to help standardize the architecture of the OSTree commit. This could be used on the client side for example to sanity-check that the commit matches the architecture of the machine before deploying. – Stop invalid usage of `%_libexecdir`: + Use `%{_prefix}/lib` where appropriate. + Use `_systemdgeneratordir` for the systemd-generators. + Define `_dracutmodulesdir` based on `dracut.pc`. Add BuildRequires(dracut) for this to work.
xdg-desktop-portal:
Update to version 1.8.0:
– Ensure systemd rpm macros are called at install/uninstall times for systemd user services. – Add BuildRequires on systemd-rpm-macros. – openuri: – Allow skipping the chooser for more URL tyles – Robustness fixes – filechooser: – Return the current filter – Add a “directory” option – Document the “writable” option – camera: – Make the client node visible – Don’t leak pipewire proxy – Fix file descriptor leaks – Testsuite improvements – Updated translations. – document: – Reduce the use of open fds – Add more tests and fix issues they found – Expose directories with their proper name – Support exporting directories – New fuse implementation – background: Avoid a segfault – screencast: Require pipewire 0.3 – Better support for snap and toolbox – Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the binary. (bsc#1175899) Without it, files or dirs can be selected, but whatever is done with or in them, will not have any effect – Fixes for `%_libexecdir` changing to `/usr/libexec`
xdg-desktop-portal-gtk:
Update to version 1.8.0:
– filechooser: – Return the current filter – Handle the “directory” option to select directories – Only show preview when we have an image – screenshot: Fix cancellation – appchooser: Avoid a crash – wallpaper: – Properly preview placement settings – Drop the lockscreen option – printing: Improve the notification – Updated translations. – settings: Fall back to gsettings for enable-animations – screencast: Support Mutter version to 3 (New pipewire api ver 3).
flatpak:
– Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)
– This is a security update which fixes a potential attack where a flatpak application could use custom formated `.desktop` file to gain access to files on the host system. – Fix memory leaks – Documentation and translations updates – Spawn portal better handles non-utf8 filenames – Fix flatpak build on systems with setuid bwrap – Fix crash on updating apps with no deploy data – Remove deprecated texinfo packaging macros. – Support for the new repo format which should make updates faster and download less data. – The systemd generator snippets now call flatpak `–print-updated-env` in place of a bunch of shell for better login performance. – The `.profile` snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh. – Flatpak now finds the pulseaudio sockets better in uncommon configurations. – Sandboxes with network access it now also has access to the `systemd-resolved` socket to do dns lookups. – Flatpak supports unsetting environment variables in the sandbox using `–unset-env`, and `–env=FOO=` now sets FOO to the empty string instead of unsetting it. – The spawn portal now has an option to share the pid namespace with the sub-sandbox. – This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by controlling the environment of the “flatpak run” command when spawning a sub-sandbox (bsc#1180996, CVE-2021-21261) – Fix support for ppc64. – Move flatpak-bisect and flatpak-coredumpctl to devel subpackage, allow to remove python3 dependency on main package. – Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124) – Fixed progress reporting for OCI and extra-data. – The in-memory summary cache is more efficient. – Fixed authentication getting stuck in a loop in some cases. – Fixed authentication error reporting. – Extract OCI info for runtimes as well as apps. – Fixed crash if anonymous authentication fails and `-y` is specified. – flatpak info now only looks at the specified installation if one is specified. – Better error reporting for server HTTP errors during download. – Uninstall now removes applications before the runtime it depends on. – Avoid updating metadata from the remote when uninstalling. – FlatpakTransaction now verifies all passed in refs to avoid. – Added validation of collection id settings for remotes. – Fix seccomp filters on s390. – Robustness fixes to the spawn portal. – Fix support for masking update in the system installation. – Better support for distros with uncommon models of merged `/usr`. – Cache responses from localed/AccountService. – Fix hangs in cases where `xdg-dbus-proxy` fails to start. – Fix double-free in cups socket detection. – OCI authenticator now doesn’t ask for auth in case of http errors. – Fix invalid usage of `%{_libexecdir}` to reference systemd directories. – Fixes for `%_libexecdir` changing to `/usr/libexec` – Avoid calling authenticator in update if ref didn’t change – Don’t fail transaction if ref is already installed (after transaction start) – Fix flatpak run handling of userns in the `–device=all` case – Fix handling of extensions from different remotes – Fix flatpak run `–no-session-bus` – `FlatpakTransaction` has a new signal `install-authenticator` which clients can handle to install authenticators needed for the transaction. This is done in the CLI commands. – Now the host timezone data is always exposed, fixing several apps that had timezone issues. – There’s a new systemd unit (not installed by default) to automatically detect plugged in usb sticks with sideload repos. – By default the `gdm env.d` file is no longer installed because the systemd generators work better. – `create-usb` now exports partial commits by default – Fix handling of docker media types in oci remotes – Fix subjects in `remote-info –log` output – This release is also able to host flatpak images on e.g. docker hub.
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
– openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-520=1

Package List:
– openSUSE Leap 15.2 (i586 x86_64):
libostree-1-1-2020.8-lp152.2.3.1 libostree-1-1-debuginfo-2020.8-lp152.2.3.1 libostree-2020.8-lp152.2.3.1 libostree-debuginfo-2020.8-lp152.2.3.1 libostree-debugsource-2020.8-lp152.2.3.1 libostree-devel-2020.8-lp152.2.3.1 libostree-grub2-2020.8-lp152.2.3.1 typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1
– openSUSE Leap 15.2 (x86_64):
flatpak-1.10.2-lp152.3.6.1 flatpak-debuginfo-1.10.2-lp152.3.6.1 flatpak-debugsource-1.10.2-lp152.3.6.1 flatpak-devel-1.10.2-lp152.3.6.1 flatpak-zsh-completion-1.10.2-lp152.3.6.1 libflatpak0-1.10.2-lp152.3.6.1 libflatpak0-debuginfo-1.10.2-lp152.3.6.1 system-user-flatpak-1.10.2-lp152.3.6.1 typelib-1_0-Flatpak-1_0-1.10.2-lp152.3.6.1 xdg-desktop-portal-1.8.0-lp152.4.3.1 xdg-desktop-portal-debuginfo-1.8.0-lp152.4.3.1 xdg-desktop-portal-debugsource-1.8.0-lp152.4.3.1 xdg-desktop-portal-devel-1.8.0-lp152.4.3.1 xdg-desktop-portal-gtk-1.8.0-lp152.2.3.1 xdg-desktop-portal-gtk-debuginfo-1.8.0-lp152.2.3.1 xdg-desktop-portal-gtk-debugsource-1.8.0-lp152.2.3.1
– openSUSE Leap 15.2 (noarch):
xdg-desktop-portal-gtk-lang-1.8.0-lp152.2.3.1 xdg-desktop-portal-lang-1.8.0-lp152.4.3.1
References:
www.suse.com/security/cve/CVE-2021-21261.html bugzilla.suse.com/1133120 bugzilla.suse.com/1133124 bugzilla.suse.com/1175899 bugzilla.suse.com/1180996