Bug 1465025 (CVE-2017-9780)

Summary: CVE-2017-9780 flatpak: Privilege escalation via setuid/world-writable file permissions
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amigadave, dking
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: flatpak 0.8.7, flatpak 0.9.6 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-06-27 01:00:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1465027    
Bug Blocks: 1465028    

Description Andrej Nemec 2017-06-26 12:49:47 UTC 
A vulnerability was found in Flatpak. A third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system helper" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root.

Upstream issue:

https://github.com/flatpak/flatpak/issues/845
Comment 1 Andrej Nemec 2017-06-26 12:50:01 UTC 
Acknowledgments:

Name: Colin Walters (Red Hat)
Comment 2 Andrej Nemec 2017-06-26 12:50:17 UTC 
Created flatpak tracking bugs for this issue:

Affects: fedora-24 [bug 1465027]
Comment 3 Andrej Nemec 2017-06-26 12:52:15 UTC 
References:

http://seclists.org/oss-sec/2017/q2/569
Comment 4 Doran Moppert 2017-06-27 01:00:00 UTC 
Upstream commit for 0.8.7 branch:

https://github.com/flatpak/flatpak/commit/2c8e2417de

This is already included in flatpak-0.8.7-1.el7