openSUSE-SU-2021:0520-1

Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk (important)

Published: 2021-04-09
Source: lists.opensuse.org

CVSS v3.1: 8.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  Attack Vector: Local; Attack Complexity: Low; Privileges Required: Low;
  User Interaction: None; Scope: Changed;
  Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High

CVSS v2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)
  Access Vector: Local; Access Complexity: Low; Authentication: None;
  Confidentiality Impact: Complete; Integrity Impact: Complete; Availability Impact: Complete

An update that solves one vulnerability and has three fixes
is now available.

Description:

This update for flatpak, libostree, xdg-desktop-portal,
xdg-desktop-portal-gtk fixes the following issues:

libostree:

Update to version 2020.8

  • Enable LTO. (bsc#1133120)

  • This update contains scalability improvements and bugfixes.

  • Caching-related HTTP headers are now supported on summaries and
    signatures, so that they do not have to be re-downloaded if not changed
    in the meanwhile.

  • Summaries and delta have been reworked to allow more fine-grained
    fetching.

  • Fixes several bugs related to atomic variables, HTTP timeouts, and
    32-bit architectures.

  • Static deltas can now be signed to more easily support offline
    verification.

  • There’s now support for multiple initramfs images; it is possible to
    have a “main” initramfs image and a secondary one which represents local
    configuration.

  • The documentation is now moved to https://ostreedev.github.io/ostree/

  • Fix for an assertion failure when upgrading from systems before ostree
    supported devicetree.

  • ostree no longer hardlinks zero sized files to avoid hitting filesystem
    maximum link counts.

  • ostree now supports / and /boot being on the same filesystem.

  • Improvements to the GObject Introspection metadata, some (cosmetic)
    static analyzer fixes, a fix for the immutable bit on s390x, dropping a
    deprecated bit in the systemd unit file.

  • Fix a regression from 2020.4 where the “readonly sysroot” changes
    incorrectly left the sysroot read-only on systems that started out with
    a read-only / (most of them, e.g. Fedora Silverblue/IoT at least).

  • The default dracut config now enables reproducibility.

  • There is a new ostree admin unlock --transient. This should be a
    foundation for further support for “live” updates.

  • New ed25519 signing support, powered by libsodium.

  • ostree commit gained a new --base argument, which significantly
    simplifies constructing “derived” commits, particularly for systems
    using SELinux.

  • Handling of the read-only sysroot was reimplemented to run in the
    initramfs and be more reliable. Enabling the readonly=true flag in the
    repo config is recommended.

  • Several fixes in locking for the temporary “staging” directories OSTree
    creates, particularly on NFS.

  • A new timestamp-check-from-rev option was added for pulls, which makes
    downgrade protection more reliable and will be used by Fedora CoreOS.

  • Several fixes and enhancements made for “collection” pulls including a
    new --mirror option.

  • The ostree commit command learned a new --mode-ro-executables option,
    which enforces read-only (W^R) semantics on all executables.

  • Added a new commit metadata key OSTREE_COMMIT_META_KEY_ARCHITECTURE
    to help standardize the architecture of the OSTree commit. This could be
    used on the client side for example to sanity-check that the commit
    matches the architecture of the machine before deploying.

  • Stop invalid usage of %_libexecdir:

    • Use %{_prefix}/lib where appropriate.
    • Use _systemdgeneratordir for the systemd-generators.
    • Define _dracutmodulesdir based on dracut.pc. Add
      BuildRequires(dracut) for this to work.

xdg-desktop-portal:

Update to version 1.8.0:

  • Ensure systemd rpm macros are called at install/uninstall times for
    systemd user services.
  • Add BuildRequires on systemd-rpm-macros.
  • openuri:
    • Allow skipping the chooser for more URL types
    • Robustness fixes
  • filechooser:
    • Return the current filter
    • Add a “directory” option
    • Document the “writable” option
  • camera:
    • Make the client node visible
    • Don’t leak pipewire proxy
  • Fix file descriptor leaks
  • Testsuite improvements
  • Updated translations.
  • document:
    • Reduce the use of open fds
    • Add more tests and fix issues they found
    • Expose directories with their proper name
    • Support exporting directories
    • New fuse implementation
  • background: Avoid a segfault
  • screencast: Require pipewire 0.3
  • Better support for snap and toolbox
  • Require /usr/bin/fusermount: xdg-document-portal calls out to that
    binary (bsc#1175899). Without it, files or directories can be selected,
    but nothing done with or in them has any effect.
  • Fixes for %_libexecdir changing to /usr/libexec

xdg-desktop-portal-gtk:

Update to version 1.8.0:

  • filechooser:
    • Return the current filter
    • Handle the “directory” option to select directories
    • Only show preview when we have an image
  • screenshot: Fix cancellation
  • appchooser: Avoid a crash
  • wallpaper:
    • Properly preview placement settings
    • Drop the lockscreen option
  • printing: Improve the notification
  • Updated translations.
  • settings: Fall back to gsettings for enable-animations
  • screencast: Support version 3 of the Mutter screencast API (new
    PipeWire API version 3).

flatpak:

  • Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)

  • This is a security update which fixes a potential attack where a
    flatpak application could use a custom-formatted .desktop file (abusing
    the file-forwarding tokens in its Exec line) to gain access to files on
    the host system.

  • Fix memory leaks

  • Documentation and translations updates

  • Spawn portal better handles non-utf8 filenames

  • Fix flatpak build on systems with setuid bwrap

  • Fix crash on updating apps with no deploy data

  • Remove deprecated texinfo packaging macros.

  • Support for the new repo format which should make updates faster and
    download less data.

  • The systemd generator snippets now call flatpak --print-updated-env in
    place of a bunch of shell for better login performance.

  • The .profile snippets now disable GVfs when calling flatpak to avoid
    spawning a gvfs daemon when logging in via ssh.

  • Flatpak now finds the pulseaudio sockets better in uncommon
    configurations.

  • Sandboxes with network access now also have access to the
    systemd-resolved socket for DNS lookups.

  • Flatpak supports unsetting environment variables in the sandbox using
    --unset-env, and --env=FOO= now sets FOO to the empty string instead
    of unsetting it.

  • The spawn portal now has an option to share the pid namespace with the
    sub-sandbox.

  • This security update fixes a sandbox escape where a malicious
    application could execute code outside the sandbox: environment
    variables the application passed to the spawn portal were applied to
    the host-side “flatpak run” helper itself when spawning a sub-sandbox,
    rather than only to the new sandbox (bsc#1180996, CVE-2021-21261)

  • Fix support for ppc64.

  • Move flatpak-bisect and flatpak-coredumpctl to devel subpackage, allow
    to remove python3 dependency on main package.

  • Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124)

  • Fixed progress reporting for OCI and extra-data.

  • The in-memory summary cache is more efficient.

  • Fixed authentication getting stuck in a loop in some cases.

  • Fixed authentication error reporting.

  • Extract OCI info for runtimes as well as apps.

  • Fixed crash if anonymous authentication fails and -y is specified.

  • flatpak info now only looks at the specified installation if one is
    specified.

  • Better error reporting for server HTTP errors during download.

  • Uninstall now removes applications before the runtime it depends on.

  • Avoid updating metadata from the remote when uninstalling.

  • FlatpakTransaction now verifies all refs passed in to it.

  • Added validation of collection id settings for remotes.

  • Fix seccomp filters on s390.

  • Robustness fixes to the spawn portal.

  • Fix support for masking update in the system installation.

  • Better support for distros with uncommon models of merged /usr.

  • Cache responses from localed/AccountService.

  • Fix hangs in cases where xdg-dbus-proxy fails to start.

  • Fix double-free in cups socket detection.

  • OCI authenticator now doesn’t ask for auth in case of http errors.

  • Fix invalid usage of %{_libexecdir} to reference systemd directories.

  • Fixes for %_libexecdir changing to /usr/libexec

  • Avoid calling authenticator in update if ref didn’t change

  • Don’t fail transaction if ref is already installed (after transaction
    start)

  • Fix flatpak run handling of userns in the --device=all case

  • Fix handling of extensions from different remotes

  • Fix flatpak run --no-session-bus

  • FlatpakTransaction has a new signal install-authenticator which
    clients can handle to install authenticators needed for the transaction.
    This is done in the CLI commands.

  • Now the host timezone data is always exposed, fixing several apps that
    had timezone issues.

  • There’s a new systemd unit (not installed by default) to automatically
    detect plugged in usb sticks with sideload repos.

  • By default the gdm env.d file is no longer installed because the
    systemd generators work better.

  • create-usb now exports partial commits by default

  • Fix handling of docker media types in oci remotes

  • Fix subjects in remote-info --log output

  • This release is also able to host flatpak images on e.g. docker hub.
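The CVE-2021-21261 item above describes a scope confusion: variables meant for a sub-sandbox reached the environment of the host-side helper that creates it. The following is an added model of that bug and of the corrected handling; it is example code written for this page, not flatpak's own implementation. The function names, the name-validation rule and the use of `--env=NAME=VALUE` arguments (which flatpak applies inside the sandbox, with `--env=FOO=` setting an empty string as described above) are this example's assumptions.

```python
"""Model of the spawn-portal environment bug (CVE-2021-21261) and its fix.

Added example, not flatpak's own code. A sandboxed app may ask the spawn
portal to set environment variables in a sub-sandbox. If the portal merges
those variables into the environment of the host-side `flatpak run` helper
itself, the app controls that helper (for example through LD_PRELOAD) before
any sandbox exists. The hardened variant keeps the helper's environment
clean and forwards app-supplied variables only as explicit arguments.
"""
import os
import re

# Assumed validation rule: POSIX-style variable names only.
ENV_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
APP_ID = "org.example.App"  # hypothetical application id


def vulnerable_helper_launch(requested_env, host_env=None):
    """Pre-fix behaviour: app-controlled variables are merged into the
    helper's own environment before `flatpak run` is executed."""
    env = dict(os.environ if host_env is None else host_env)
    env.update(requested_env)  # attacker-controlled keys land in the helper
    argv = ["flatpak", "run", "--sandbox", APP_ID]
    return argv, env


def validate_env(requested_env):
    """Reject names and values that cannot be represented safely."""
    for name, value in requested_env.items():
        if not ENV_NAME_RE.match(name):
            raise ValueError(f"invalid environment variable name: {name!r}")
        if "\0" in value:
            raise ValueError(f"NUL byte in value of {name}")
    return requested_env


def hardened_helper_launch(requested_env, host_env=None):
    """Post-fix behaviour: the helper keeps the portal's own environment;
    app-supplied variables travel as arguments that apply inside the
    sandbox only."""
    env = dict(os.environ if host_env is None else host_env)
    argv = ["flatpak", "run", "--sandbox"]
    for name, value in sorted(validate_env(requested_env).items()):
        argv.append(f"--env={name}={value}")
    argv.append(APP_ID)
    return argv, env


def leaks_into_helper(launch, requested_env):
    """True if any requested variable ends up in the helper's environment."""
    _, env = launch(requested_env, host_env={"PATH": "/usr/bin"})
    return any(name in env for name in requested_env)


if __name__ == "__main__":
    hostile = {"LD_PRELOAD": "/tmp/evil.so"}  # constructed hostile request
    print("vulnerable leaks:", leaks_into_helper(vulnerable_helper_launch, hostile))
    print("hardened leaks:  ", leaks_into_helper(hardened_helper_launch, hostile))
    print("hardened argv:   ", hardened_helper_launch(hostile, host_env={})[0])
```

The design point is that data crossing a trust boundary must be carried in a channel whose consumer is the intended one (here, arguments interpreted by the sandbox setup), never in ambient process state such as the environment of the privileged helper that will interpret it first.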

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.2:

    zypper in -t patch openSUSE-2021-520=1
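After applying the patch, a practitioner will want to confirm that the installed packages are at or above the upstream versions this update ships. The following is an added check written for this page, not part of the advisory: the minimum versions are taken from the description above, and the installed-version lines are constructed sample input standing in for the output of `rpm -q --qf '%{NAME} %{VERSION}\n' flatpak libostree xdg-desktop-portal xdg-desktop-portal-gtk`.

```python
"""Compare installed package versions against the versions this update ships.

Added example, not part of the openSUSE advisory. Minimum versions come from
the advisory description; SAMPLE_RPM_OUTPUT is constructed input in the shape
of `rpm -q --qf '%{NAME} %{VERSION}\\n' ...` output.
"""
import re

# Upstream versions named in the advisory description
MIN_VERSIONS = {
    "flatpak": "1.10.2",
    "libostree": "2020.8",
    "xdg-desktop-portal": "1.8.0",
    "xdg-desktop-portal-gtk": "1.8.0",
}

# Constructed sample: two packages still below the fixed version,
# one unrelated package that the check must ignore.
SAMPLE_RPM_OUTPUT = """\
flatpak 1.10.2
libostree 2020.7
xdg-desktop-portal 1.8.0
xdg-desktop-portal-gtk 1.6.0
bash 4.4
"""


def version_key(version):
    """Turn '1.10.2' into (1, 10, 2) so that 1.10.2 sorts after 1.9.9."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def check_versions(rpm_output, minimums=MIN_VERSIONS):
    """Return {name: (installed, minimum, ok)} for the packages the update covers."""
    result = {}
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in minimums:
            continue  # malformed line or package outside this advisory
        name, installed = parts
        minimum = minimums[name]
        ok = version_key(installed) >= version_key(minimum)
        result[name] = (installed, minimum, ok)
    return result


def outdated(rpm_output, minimums=MIN_VERSIONS):
    """Names of covered packages that are missing or below the fixed version."""
    seen = check_versions(rpm_output, minimums)
    return sorted(name for name in minimums if name not in seen or not seen[name][2])


if __name__ == "__main__":
    for name, (installed, minimum, ok) in check_versions(SAMPLE_RPM_OUTPUT).items():
        print(f"{name:24} {installed:>8} (fixed: {minimum:>8}) {'ok' if ok else 'OUTDATED'}")
    print("needs update:", outdated(SAMPLE_RPM_OUTPUT))
```

This compares upstream version numbers only, which suits this update because each package is a version bump. Where a distribution backports a fix without changing the upstream version, the authoritative check is the patch itself (`zypper info -t patch openSUSE-2021-520`) rather than the package version.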

Affected product: openSUSE Leap 15.2 (i586, x86_64 and noarch packages)
