{"affected":[{"ecosystem_specific":{"binaries":[{"flatpak":"1.10.2-lp152.3.6.1","flatpak-devel":"1.10.2-lp152.3.6.1","flatpak-zsh-completion":"1.10.2-lp152.3.6.1","libflatpak0":"1.10.2-lp152.3.6.1","libostree":"2020.8-lp152.2.3.1","libostree-1-1":"2020.8-lp152.2.3.1","libostree-devel":"2020.8-lp152.2.3.1","libostree-grub2":"2020.8-lp152.2.3.1","system-user-flatpak":"1.10.2-lp152.3.6.1","typelib-1_0-Flatpak-1_0":"1.10.2-lp152.3.6.1","typelib-1_0-OSTree-1_0":"2020.8-lp152.2.3.1","xdg-desktop-portal":"1.8.0-lp152.4.3.1","xdg-desktop-portal-devel":"1.8.0-lp152.4.3.1","xdg-desktop-portal-gtk":"1.8.0-lp152.2.3.1","xdg-desktop-portal-gtk-lang":"1.8.0-lp152.2.3.1","xdg-desktop-portal-lang":"1.8.0-lp152.4.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.2","name":"flatpak","purl":"pkg:rpm/opensuse/flatpak&distro=openSUSE%20Leap%2015.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.10.2-lp152.3.6.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"flatpak":"1.10.2-lp152.3.6.1","flatpak-devel":"1.10.2-lp152.3.6.1","flatpak-zsh-completion":"1.10.2-lp152.3.6.1","libflatpak0":"1.10.2-lp152.3.6.1","libostree":"2020.8-lp152.2.3.1","libostree-1-1":"2020.8-lp152.2.3.1","libostree-devel":"2020.8-lp152.2.3.1","libostree-grub2":"2020.8-lp152.2.3.1","system-user-flatpak":"1.10.2-lp152.3.6.1","typelib-1_0-Flatpak-1_0":"1.10.2-lp152.3.6.1","typelib-1_0-OSTree-1_0":"2020.8-lp152.2.3.1","xdg-desktop-portal":"1.8.0-lp152.4.3.1","xdg-desktop-portal-devel":"1.8.0-lp152.4.3.1","xdg-desktop-portal-gtk":"1.8.0-lp152.2.3.1","xdg-desktop-portal-gtk-lang":"1.8.0-lp152.2.3.1","xdg-desktop-portal-lang":"1.8.0-lp152.4.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 
15.2","name":"libostree","purl":"pkg:rpm/opensuse/libostree&distro=openSUSE%20Leap%2015.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2020.8-lp152.2.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"flatpak":"1.10.2-lp152.3.6.1","flatpak-devel":"1.10.2-lp152.3.6.1","flatpak-zsh-completion":"1.10.2-lp152.3.6.1","libflatpak0":"1.10.2-lp152.3.6.1","libostree":"2020.8-lp152.2.3.1","libostree-1-1":"2020.8-lp152.2.3.1","libostree-devel":"2020.8-lp152.2.3.1","libostree-grub2":"2020.8-lp152.2.3.1","system-user-flatpak":"1.10.2-lp152.3.6.1","typelib-1_0-Flatpak-1_0":"1.10.2-lp152.3.6.1","typelib-1_0-OSTree-1_0":"2020.8-lp152.2.3.1","xdg-desktop-portal":"1.8.0-lp152.4.3.1","xdg-desktop-portal-devel":"1.8.0-lp152.4.3.1","xdg-desktop-portal-gtk":"1.8.0-lp152.2.3.1","xdg-desktop-portal-gtk-lang":"1.8.0-lp152.2.3.1","xdg-desktop-portal-lang":"1.8.0-lp152.4.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.2","name":"xdg-desktop-portal","purl":"pkg:rpm/opensuse/xdg-desktop-portal&distro=openSUSE%20Leap%2015.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.8.0-lp152.4.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"flatpak":"1.10.2-lp152.3.6.1","flatpak-devel":"1.10.2-lp152.3.6.1","flatpak-zsh-completion":"1.10.2-lp152.3.6.1","libflatpak0":"1.10.2-lp152.3.6.1","libostree":"2020.8-lp152.2.3.1","libostree-1-1":"2020.8-lp152.2.3.1","libostree-devel":"2020.8-lp152.2.3.1","libostree-grub2":"2020.8-lp152.2.3.1","system-user-flatpak":"1.10.2-lp152.3.6.1","typelib-1_0-Flatpak-1_0":"1.10.2-lp152.3.6.1","typelib-1_0-OSTree-1_0":"2020.8-lp152.2.3.1","xdg-desktop-portal":"1.8.0-lp152.4.3.1","xdg-desktop-portal-devel":"1.8.0-lp152.4.3.1","xdg-desktop-portal-gtk":"1.8.0-lp152.2.3.1","xdg-desktop-portal-gtk-lang":"1.8.0-lp152.2.3.1","xdg-desktop-portal-lang":"1.8.0-lp152.4.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 
15.2","name":"xdg-desktop-portal-gtk","purl":"pkg:rpm/opensuse/xdg-desktop-portal-gtk&distro=openSUSE%20Leap%2015.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.8.0-lp152.2.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues:\n\nlibostree:\n\nUpdate to version 2020.8\n\n- Enable LTO. (bsc#1133120)\n\n- This update contains scalability improvements and bugfixes.\n- Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be \n  re-downloaded if not changed in the meanwhile.\n- Summaries and delta have been reworked to allow more fine-grained fetching.\n- Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures.\n- Static deltas can now be signed to more easily support offline verification.\n- There's now support for multiple initramfs images; Is it possible to have a 'main' initramfs image and a \n  secondary one which represents local configuration.\n- The documentation is now moved to https://ostreedev.github.io/ostree/\n- Fix for an assertion failure when upgrading from systems before ostree supported devicetree.\n- ostree no longer hardlinks zero sized files to avoid hitting filesystem maximum link counts.\n- ostree now supports `/` and `/boot` being on the same filesystem.\n- Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for \n  the immutable bit on s390x, dropping a deprecated bit in the systemd unit file.\n- Fix a regression 2020.4 where the 'readonly sysroot' changes incorrectly left the sysroot read-only \n  on systems that started out with a read-only `/` (most of them, e.g. Fedora Silverblue/IoT at least).\n- The default dracut config now enables reproducibility.\n- There is a new ostree admin unlock `--transient`. 
This should be a foundation for further support \n  for 'live' updates.\n- New `ed25519` signing support, powered by `libsodium`.\n- ostree commit gained a new `--base` argument, which significantly simplifies constructing 'derived' \n  commits, particularly for systems using SELinux.\n- Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. \n  Enabling the `readonly=true` flag in the repo config is recommended.\n- Several fixes in locking for the temporary 'staging' directories OSTree creates, particularly on NFS.\n- A new `timestamp-check-from-rev` option was added for pulls, which makes downgrade protection more \n  reliable and will be used by Fedora CoreOS.\n- Several fixes and enhancements made for 'collection' pulls including a new `--mirror` option.\n- The ostree commit command learned a new `--mode-ro-executables` which enforces `W^R` semantics \n  on all executables.\n- Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE` to help standardize \n  the architecture of the OSTree commit. This could be used on the client side for example to \n  sanity-check that the commit matches the architecture of the machine before deploying.\n- Stop invalid usage of `%_libexecdir`:\n  + Use `%{_prefix}/lib` where appropriate.\n  + Use `_systemdgeneratordir` for the systemd-generators.\n  + Define `_dracutmodulesdir` based on `dracut.pc`. 
Add BuildRequires(dracut) for this to work.\n\nxdg-desktop-portal:\n\nUpdate to version 1.8.0:\n\n- Ensure systemd rpm macros are called at install/uninstall times for systemd user services.\n- Add BuildRequires on systemd-rpm-macros.\n- openuri:\n  - Allow skipping the chooser for more URL types\n  - Robustness fixes\n- filechooser: \n  - Return the current filter\n  - Add a 'directory' option\n  - Document the 'writable' option\n- camera:\n  - Make the client node visible\n  - Don't leak pipewire proxy\n- Fix file descriptor leaks\n- Testsuite improvements\n- Updated translations.\n- document:\n  - Reduce the use of open fds\n  - Add more tests and fix issues they found\n  - Expose directories with their proper name\n  - Support exporting directories\n  - New fuse implementation\n- background: Avoid a segfault\n- screencast: Require pipewire 0.3\n- Better support for snap and toolbox\n- Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the binary. (bsc#1175899)\n  Without it, files or dirs can be selected, but whatever is done with or in them will not have any effect\n- Fixes for `%_libexecdir` changing to `/usr/libexec`\n\nxdg-desktop-portal-gtk:\n\nUpdate to version 1.8.0:\n\n- filechooser: \n  - Return the current filter\n  - Handle the 'directory' option to select directories\n  - Only show preview when we have an image\n- screenshot: Fix cancellation\n- appchooser: Avoid a crash\n- wallpaper:\n  - Properly preview placement settings\n  - Drop the lockscreen option\n- printing: Improve the notification\n- Updated translations.\n- settings: Fall back to gsettings for enable-animations\n- screencast: Support Mutter version to 3 (New pipewire api ver 3).\n\nflatpak:\n\n- Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)\n\n- This is a security update which fixes a potential attack where a flatpak application could use a custom formatted \n  `.desktop` file to gain access to files on the host system.\n- Fix memory leaks\n- Documentation and 
translations updates\n- Spawn portal better handles non-utf8 filenames\n- Fix flatpak build on systems with setuid bwrap \n- Fix crash on updating apps with no deploy data\n- Remove deprecated texinfo packaging macros.\n- Support for the new repo format which should make updates faster and download less data.\n- The systemd generator snippets now call flatpak `--print-updated-env` in place of a bunch of shell for better\n  login performance.\n- The `.profile` snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh.\n- Flatpak now finds the pulseaudio sockets better in uncommon configurations.\n- Sandboxes with network access now also have access to the `systemd-resolved` socket to do DNS lookups.\n- Flatpak supports unsetting environment variables in the sandbox using `--unset-env`, \n  and `--env=FOO=` now sets FOO to the empty string instead of unsetting it.\n- The spawn portal now has an option to share the pid namespace with the sub-sandbox.\n- This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by \n  controlling the environment of the 'flatpak run' command when spawning a sub-sandbox (bsc#1180996, CVE-2021-21261)\n- Fix support for ppc64.\n- Move flatpak-bisect and flatpak-coredumpctl to the devel subpackage, allowing the python3 dependency to be removed from the main package.\n- Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124)\n- Fixed progress reporting for OCI and extra-data.\n- The in-memory summary cache is more efficient.\n- Fixed authentication getting stuck in a loop in some cases.\n- Fixed authentication error reporting.\n- Extract OCI info for runtimes as well as apps. \n- Fixed crash if anonymous authentication fails and `-y` is specified.\n- flatpak info now only looks at the specified installation if one is specified.\n- Better error reporting for server HTTP errors during download. 
\n- Uninstall now removes applications before the runtime they depend on.\n- Avoid updating metadata from the remote when uninstalling.\n- FlatpakTransaction now verifies all passed in refs to avoid.\n- Added validation of collection id settings for remotes.\n- Fix seccomp filters on s390.\n- Robustness fixes to the spawn portal.\n- Fix support for masking update in the system installation.\n- Better support for distros with uncommon models of merged `/usr`.\n- Cache responses from localed/AccountService.\n- Fix hangs in cases where `xdg-dbus-proxy` fails to start.\n- Fix double-free in cups socket detection.\n- OCI authenticator now doesn't ask for auth in case of HTTP errors.\n- Fix invalid usage of `%{_libexecdir}` to reference systemd directories.\n- Fixes for `%_libexecdir` changing to `/usr/libexec`\n- Avoid calling authenticator in update if ref didn't change\n- Don't fail transaction if ref is already installed (after transaction start)\n- Fix flatpak run handling of userns in the `--device=all` case\n- Fix handling of extensions from different remotes\n- Fix flatpak run `--no-session-bus`\n- `FlatpakTransaction` has a new signal `install-authenticator` which clients can handle to install authenticators \n  needed for the transaction. This is done in the CLI commands.\n- Now the host timezone data is always exposed, fixing several apps that had timezone issues.\n- There's a new systemd unit (not installed by default) to automatically detect plugged-in USB sticks with \n  sideload repos.\n- By default the `gdm env.d` file is no longer installed because the systemd generators work better.\n- `create-usb` now exports partial commits by default \n- Fix handling of docker media types in OCI remotes\n- Fix subjects in `remote-info --log` output\n- This release is also able to host flatpak images on e.g. 
docker hub.\n \nThis update was imported from the SUSE:SLE-15-SP2:Update update project.","id":"openSUSE-SU-2021:0520-1","modified":"2021-04-08T22:41:52Z","published":"2021-04-08T22:41:52Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4JRX7C3J3TJQXJODJCARSGDYY4AM57Q7/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1133120"},{"type":"REPORT","url":"https://bugzilla.suse.com/1133124"},{"type":"REPORT","url":"https://bugzilla.suse.com/1175899"},{"type":"REPORT","url":"https://bugzilla.suse.com/1180996"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-21261"}],"related":["CVE-2021-21261"],"summary":"Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk","upstream":["CVE-2021-21261"]}