Fixes CVE-2024-32462

SOURCES/flatpak-cve-2024-32462.patch

@@ -0,0 +1,68 @@
+From 81abe2a37d363f5099c3d0bdcd0caad6efc5bf97 Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Mon, 15 Apr 2024 16:10:36 +0200
+Subject: [PATCH] When starting non-static command using bwrap use "--"
+
+This ensures that the command is not taken to be a bwrap option.
+
+Resolves: CVE-2024-32462
+Resolves: GHSA-phv6-cpc2-2fgj
+Signed-off-by: Alexander Larsson <alexl@redhat.com>
+[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
+[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+ app/flatpak-builtins-build.c | 3 ++-
+ common/flatpak-dir.c         | 1 +
+ common/flatpak-run.c         | 5 ++++-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
+index 0c4c5ce382..4a1e76232c 100644
+--- a/app/flatpak-builtins-build.c
++++ b/app/flatpak-builtins-build.c
+@@ -587,7 +587,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
+   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+     return FALSE;
+ 
+-  flatpak_bwrap_add_args (bwrap, command, NULL);
++  flatpak_bwrap_add_args (bwrap, "--", command, NULL);
++
+   flatpak_bwrap_append_argsv (bwrap,
+                               &argv[rest_argv_start + 2],
+                               rest_argc - 2);
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 8e7686b093..b5736945ed 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -6817,6 +6817,7 @@ flatpak_dir_run_triggers (FlatpakDir   *self,
+                                   "--proc", "/proc",
+                                   "--dev", "/dev",
+                                   "--bind", basedir, basedir,
++                                  "--",
+                                   NULL);
+ #endif
+           flatpak_bwrap_add_args (bwrap,
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 673ac08f20..4fdb56fe96 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -1266,6 +1266,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap,
+   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+     return FALSE;
+ 
++  /* End of options: the next argument will be the executable name */
++  flatpak_bwrap_add_arg (bwrap, "--");
++
+   return TRUE;
+ }
+ 
+@@ -4635,7 +4638,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
+   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+     return FALSE;
+ 
+-  flatpak_bwrap_add_arg (bwrap, command);
++  flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+ 
+   if (!add_rest_args (bwrap, app_id,
+                       exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,

flatpak.spec

@@ -3,7 +3,7 @@
 
 Name:           flatpak
 Version:        1.12.8
-Release:        1%{?dist}
+Release:        1%{?dist}.alma.1
 Summary:        Application deployment framework for desktop apps
 
 License:        LGPLv2+
@@ -17,6 +17,9 @@ Source1:        flatpak-add-fedora-repos.service
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1935508
 Patch0:         flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch
+# https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj
+# https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97
+Patch1:         flatpak-cve-2024-32462.patch
 
 BuildRequires:  pkgconfig(appstream-glib)
 BuildRequires:  pkgconfig(dconf)
@@ -276,6 +279,9 @@ fi
 
 
 %changelog
+* Tue Apr 30 2024 Jonathan Wright <jonathan@almalinux.org> - 1.12.8-1.alma.1
+- Fix CVE-2024-32462
+
 * Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.12.8-1
 - Update to 1.12.8 (CVE-2023-28100, CVE-2023-28101)
 Resolves: #2180312, #2221792