SUSE-SU-2021:1094-1: important: Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk

sle-security-updates at lists.suse.com
Wed Apr 7 16:15:32 UTC 2021


   SUSE Security Update: Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1094-1
Rating:             important
References:         #1133120 #1133124 #1175899 #1180996 SLE-7171 
                    
Cross-References:   CVE-2021-21261
CVSS scores:
                    CVE-2021-21261 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-21261 (SUSE): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that solves one vulnerability, contains one
   feature and has three fixes is now available.

Description:

   This update for flatpak, libostree, xdg-desktop-portal,
   xdg-desktop-portal-gtk fixes the following issues:

   libostree:

   Update to version 2020.8

   - Enable LTO. (bsc#1133120)

   - This update contains scalability improvements and bugfixes.
   - Caching-related HTTP headers are now supported on summaries and
     signatures, so that they do not have to be re-downloaded if not changed
     in the meanwhile.
   - Summaries and delta have been reworked to allow more fine-grained
     fetching.
   - Fixes several bugs related to atomic variables, HTTP timeouts, and
     32-bit architectures.
   - Static deltas can now be signed to more easily support offline
     verification.
   - There's now support for multiple initramfs images; it is possible to
     have a "main" initramfs image and a secondary one which represents local
     configuration.
   - The documentation is now moved to https://ostreedev.github.io/ostree/
   - Fix for an assertion failure when upgrading from systems before ostree
     supported devicetree.
   - ostree no longer hardlinks zero sized files to avoid hitting filesystem
     maximum link counts.
   - ostree now supports `/` and `/boot` being on the same filesystem.
   - Improvements to the GObject Introspection metadata, some (cosmetic)
     static analyzer fixes, a fix for the immutable bit on s390x, dropping a
     deprecated bit in the systemd unit file.
   - Fix a regression in 2020.4 where the "readonly sysroot" changes
     incorrectly left the sysroot read-only on systems that started out with
     a read-only `/` (most of them, e.g. Fedora Silverblue/IoT at least).
   - The default dracut config now enables reproducibility.
   - There is a new ostree admin unlock `--transient`. This should be a
     foundation for further support for "live" updates.
   - New `ed25519` signing support, powered by `libsodium`.
   - ostree commit gained a new `--base` argument, which significantly
     simplifies constructing "derived" commits, particularly for systems
     using SELinux.
   - Handling of the read-only sysroot was reimplemented to run in the
     initramfs and be more reliable. Enabling the `readonly=true` flag in the
     repo config is recommended.
   - Several fixes in locking for the temporary "staging" directories OSTree
     creates, particularly on NFS.
   - A new `timestamp-check-from-rev` option was added for pulls, which makes
     downgrade protection more reliable and will be used by Fedora CoreOS.
   - Several fixes and enhancements made for "collection" pulls including a
     new `--mirror` option.
   - The ostree commit command learned a new `--mode-ro-executables` which
     enforces `W^R` semantics on all executables.
   - Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE`
     to help standardize the architecture of the OSTree commit. This could be
     used on the client side for example to sanity-check that the commit
     matches the architecture of the machine before deploying.
   - Stop invalid usage of `%_libexecdir`:
     + Use `%{_prefix}/lib` where appropriate.
     + Use `_systemdgeneratordir` for the systemd-generators.
     + Define `_dracutmodulesdir` based on `dracut.pc`. Add
       BuildRequires(dracut) for this to work.

   xdg-desktop-portal:

   Update to version 1.8.0:

   - Ensure systemd rpm macros are called at install/uninstall times for
     systemd user services.
   - Add BuildRequires on systemd-rpm-macros.
   - openuri:
     - Allow skipping the chooser for more URL types
     - Robustness fixes
   - filechooser:
     - Return the current filter
     - Add a "directory" option
     - Document the "writable" option
   - camera:
     - Make the client node visible
     - Don't leak pipewire proxy
   - Fix file descriptor leaks
   - Testsuite improvements
   - Updated translations.
   - document:
     - Reduce the use of open fds
     - Add more tests and fix issues they found
     - Expose directories with their proper name
     - Support exporting directories
     - New fuse implementation
   - background: Avoid a segfault
   - screencast: Require pipewire 0.3
   - Better support for snap and toolbox
   - Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the
     binary. (bsc#1175899) Without it, files or dirs can be selected, but
     whatever is done with or in them will not have any effect.
   - Fixes for `%_libexecdir` changing to `/usr/libexec`

   xdg-desktop-portal-gtk:

   Update to version 1.8.0:

   - filechooser:
     - Return the current filter
       - Handle the "directory" option to select directories
       - Only show preview when we have an image
   - screenshot: Fix cancellation
   - appchooser: Avoid a crash
   - wallpaper:
     - Properly preview placement settings
     - Drop the lockscreen option
   - printing: Improve the notification
   - Updated translations.
   - settings: Fall back to gsettings for enable-animations
   - screencast: Support Mutter version to 3 (New pipewire api ver 3).

   flatpak:

   - Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)

   - This is a security update which fixes a potential attack where a
     flatpak application could use a custom formatted `.desktop` file to gain
     access to files on the host system.
   - Fix memory leaks
   - Documentation and translations updates
   - Spawn portal better handles non-utf8 filenames
   - Fix flatpak build on systems with setuid bwrap
   - Fix crash on updating apps with no deploy data
   - Remove deprecated texinfo packaging macros.
   - Support for the new repo format which should make updates faster and
     download less data.
   - The systemd generator snippets now call flatpak `--print-updated-env` in
     place of a bunch of shell for better login performance.
   - The `.profile` snippets now disable GVfs when calling flatpak to avoid
     spawning a gvfs daemon when logging in via ssh.
   - Flatpak now finds the pulseaudio sockets better in uncommon
     configurations.
   - Sandboxes with network access now also have access to the
     `systemd-resolved` socket to do DNS lookups.
   - Flatpak supports unsetting environment variables in the sandbox using
     `--unset-env`, and `--env=FOO=` now sets FOO to the empty string instead
     of unsetting it.
   - The spawn portal now has an option to share the pid namespace with the
     sub-sandbox.
   - This security update fixes a sandbox escape where a malicious
     application can execute code outside the sandbox by controlling the
     environment of the "flatpak run" command when spawning a sub-sandbox
     (bsc#1180996, CVE-2021-21261)
   - Fix support for ppc64.
   - Move flatpak-bisect and flatpak-coredumpctl to the devel subpackage, which
     allows removing the python3 dependency from the main package.
   - Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124)
   - Fixed progress reporting for OCI and extra-data.
   - The in-memory summary cache is more efficient.
   - Fixed authentication getting stuck in a loop in some cases.
   - Fixed authentication error reporting.
   - Extract OCI info for runtimes as well as apps.
   - Fixed crash if anonymous authentication fails and `-y` is specified.
   - flatpak info now only looks at the specified installation if one is
     specified.
   - Better error reporting for server HTTP errors during download.
   - Uninstall now removes applications before the runtime it depends on.
   - Avoid updating metadata from the remote when uninstalling.
   - FlatpakTransaction now verifies all passed in refs to avoid.
   - Added validation of collection id settings for remotes.
   - Fix seccomp filters on s390.
   - Robustness fixes to the spawn portal.
   - Fix support for masking update in the system installation.
   - Better support for distros with uncommon models of merged `/usr`.
   - Cache responses from localed/AccountService.
   - Fix hangs in cases where `xdg-dbus-proxy` fails to start.
   - Fix double-free in cups socket detection.
   - OCI authenticator now doesn't ask for auth in case of http errors.
   - Fix invalid usage of `%{_libexecdir}` to reference systemd directories.
   - Fixes for `%_libexecdir` changing to `/usr/libexec`
   - Avoid calling authenticator in update if ref didn't change
   - Don't fail transaction if ref is already installed (after transaction
     start)
   - Fix flatpak run handling of userns in the `--device=all` case
   - Fix handling of extensions from different remotes
   - Fix flatpak run `--no-session-bus`
   - `FlatpakTransaction` has a new signal `install-authenticator` which
     clients can handle to install authenticators needed for the transaction.
     This is done in the CLI commands.
   - Now the host timezone data is always exposed, fixing several apps that
     had timezone issues.
   - There's a new systemd unit (not installed by default) to automatically
     detect plugged in usb sticks with sideload repos.
   - By default the `gdm env.d` file is no longer installed because the
     systemd generators work better.
   - `create-usb` now exports partial commits by default
   - Fix handling of docker media types in oci remotes
   - Fix subjects in `remote-info --log` output
   - This release is also able to host flatpak images on e.g. docker hub.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1094=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1094=1



Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      flatpak-1.10.2-4.6.1
      flatpak-debuginfo-1.10.2-4.6.1
      flatpak-debugsource-1.10.2-4.6.1
      flatpak-devel-1.10.2-4.6.1
      flatpak-zsh-completion-1.10.2-4.6.1
      libflatpak0-1.10.2-4.6.1
      libflatpak0-debuginfo-1.10.2-4.6.1
      libostree-2020.8-3.3.2
      libostree-debuginfo-2020.8-3.3.2
      libostree-debugsource-2020.8-3.3.2
      libostree-devel-2020.8-3.3.2
      system-user-flatpak-1.10.2-4.6.1
      typelib-1_0-Flatpak-1_0-1.10.2-4.6.1
      typelib-1_0-OSTree-1_0-2020.8-3.3.2
      xdg-desktop-portal-1.8.0-5.3.2
      xdg-desktop-portal-debuginfo-1.8.0-5.3.2
      xdg-desktop-portal-debugsource-1.8.0-5.3.2
      xdg-desktop-portal-devel-1.8.0-5.3.2
      xdg-desktop-portal-gtk-1.8.0-3.3.1
      xdg-desktop-portal-gtk-debuginfo-1.8.0-3.3.1
      xdg-desktop-portal-gtk-debugsource-1.8.0-3.3.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (noarch):

      xdg-desktop-portal-gtk-lang-1.8.0-3.3.1
      xdg-desktop-portal-lang-1.8.0-5.3.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      libostree-1-1-2020.8-3.3.2
      libostree-1-1-debuginfo-2020.8-3.3.2
      libostree-debuginfo-2020.8-3.3.2
      libostree-debugsource-2020.8-3.3.2
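
An added example, not part of the SUSE announcement: a shell check that compares an installed-package inventory against the fixed builds in the Package List above. The function names, the use of `sort -V` in place of rpm's own version ordering, and the sample inventory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag packages older than the builds this advisory ships.
# FIXED holds a subset of the "Package List" above (runtime packages only).
FIXED='flatpak 1.10.2-4.6.1
libflatpak0 1.10.2-4.6.1
system-user-flatpak 1.10.2-4.6.1
libostree 2020.8-3.3.2
libostree-1-1 2020.8-3.3.2
xdg-desktop-portal 1.8.0-5.3.2
xdg-desktop-portal-gtk 1.8.0-3.3.1'

# version_lt A B: succeeds when A sorts strictly before B.
# Assumption: GNU `sort -V` ordering stands in for rpm's own version
# comparison; the two agree for plain dotted numeric strings like these.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_inventory: reads "name version-release" lines on stdin and prints
# "name installed fixed" for every listed package below its fixed build.
# Packages the advisory does not list are ignored.
check_inventory() {
    while read -r name installed; do
        fixed=$(printf '%s\n' "$FIXED" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$fixed" ] || continue
        if version_lt "$installed" "$fixed"; then
            printf '%s %s %s\n' "$name" "$installed" "$fixed"
        fi
    done
}

# On a real host, feed it the installed set:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | check_inventory
# Constructed sample inventory (not from the advisory) for an offline run:
SAMPLE='flatpak 1.6.3-4.3.1
libostree-1-1 2020.8-3.3.2
xdg-desktop-portal 1.8.0-5.3.2
xdg-desktop-portal-gtk 1.6.0-3.3.1
bash 4.4-9.10.1'
printf '%s\n' "$SAMPLE" | check_inventory
```

Empty output means every listed package is at or above the build shipped with this update.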


References:

   https://www.suse.com/security/cve/CVE-2021-21261.html
   https://bugzilla.suse.com/1133120
   https://bugzilla.suse.com/1133124
   https://bugzilla.suse.com/1175899
   https://bugzilla.suse.com/1180996


