Fixes CVE-2024-32462

This commit is contained in:
Jonathan Wright 2024-05-07 09:20:57 -05:00
parent ca33e6c3b9
commit 705aace031
2 changed files with 75 additions and 1 deletions

View File

@ -0,0 +1,68 @@
From 81abe2a37d363f5099c3d0bdcd0caad6efc5bf97 Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Mon, 15 Apr 2024 16:10:36 +0200
Subject: [PATCH] When starting non-static command using bwrap use "--"
This ensures that the command is not taken to be a bwrap option.
Resolves: CVE-2024-32462
Resolves: GHSA-phv6-cpc2-2fgj
Signed-off-by: Alexander Larsson <alexl@redhat.com>
[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
app/flatpak-builtins-build.c | 3 ++-
common/flatpak-dir.c | 1 +
common/flatpak-run.c | 5 ++++-
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
index 0c4c5ce382..4a1e76232c 100644
--- a/app/flatpak-builtins-build.c
+++ b/app/flatpak-builtins-build.c
@@ -587,7 +587,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
return FALSE;
- flatpak_bwrap_add_args (bwrap, command, NULL);
+ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+
flatpak_bwrap_append_argsv (bwrap,
&argv[rest_argv_start + 2],
rest_argc - 2);
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 8e7686b093..b5736945ed 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -6817,6 +6817,7 @@ flatpak_dir_run_triggers (FlatpakDir *self,
"--proc", "/proc",
"--dev", "/dev",
"--bind", basedir, basedir,
+ "--",
NULL);
#endif
flatpak_bwrap_add_args (bwrap,
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 673ac08f20..4fdb56fe96 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -1266,6 +1266,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap,
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
return FALSE;
+ /* End of options: the next argument will be the executable name */
+ flatpak_bwrap_add_arg (bwrap, "--");
+
return TRUE;
}
@@ -4635,7 +4638,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
return FALSE;
- flatpak_bwrap_add_arg (bwrap, command);
+ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
if (!add_rest_args (bwrap, app_id,
exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,

View File

@ -3,7 +3,7 @@
Name: flatpak
Version: 1.12.8
Release: 1%{?dist}
Release: 1%{?dist}.alma.1
Summary: Application deployment framework for desktop apps
License: LGPLv2+
@ -17,6 +17,9 @@ Source1: flatpak-add-fedora-repos.service
# https://bugzilla.redhat.com/show_bug.cgi?id=1935508
Patch0: flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch
# https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj
# https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97
Patch1: flatpak-cve-2024-32462.patch
BuildRequires: pkgconfig(appstream-glib)
BuildRequires: pkgconfig(dconf)
@ -276,6 +279,9 @@ fi
%changelog
* Tue Apr 30 2024 Jonathan Wright <jonathan@almalinux.org> - 1.12.8-1.alma.1
- Fix CVE-2024-32462
* Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.12.8-1
- Update to 1.12.8 (CVE-2023-28100, CVE-2023-28101)
Resolves: #2180312, #2221792