forked from rpms/flatpak
import flatpak-1.8.5-2.el8
This commit is contained in:
parent
799ccf9d64
commit
859b93d148
73
SOURCES/flatpak-1.8.5-post-cve-fixes.patch
Normal file
73
SOURCES/flatpak-1.8.5-post-cve-fixes.patch
Normal file
@ -0,0 +1,73 @@
|
||||
From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Mon, 18 Jan 2021 17:52:13 +0000
|
||||
Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments
|
||||
|
||||
This means we can systematically pass the environment variables
|
||||
through bwrap(1), even if it is setuid and thus is filtering out
|
||||
security-sensitive environment variables. bwrap itself ends up being
|
||||
run with an empty environment instead.
|
||||
|
||||
This fixes a regression when CVE-2021-21261 was fixed: before the
|
||||
CVE fixes, LD_LIBRARY_PATH would have been passed through like this
|
||||
and appeared in the `flatpak build` shell, but during the CVE fixes,
|
||||
the special case that protected LD_LIBRARY_PATH was removed in favour
|
||||
of the more general flatpak_bwrap_envp_to_args(). That reasoning only
|
||||
works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
|
||||
that we run the potentially-setuid bwrap.
|
||||
|
||||
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
|
||||
Resolves: https://github.com/flatpak/flatpak/issues/4080
|
||||
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0)
|
||||
---
|
||||
app/flatpak-builtins-build.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
|
||||
index 8da0de814..07ef6fc07 100644
|
||||
--- a/app/flatpak-builtins-build.c
|
||||
+++ b/app/flatpak-builtins-build.c
|
||||
@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
|
||||
NULL);
|
||||
}
|
||||
|
||||
+ flatpak_bwrap_envp_to_args (bwrap);
|
||||
+
|
||||
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
|
||||
return FALSE;
|
||||
|
||||
From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Mon, 18 Jan 2021 18:07:38 +0000
|
||||
Subject: [PATCH] dir: Pass environment via bwrap --setenv when running
|
||||
apply_extra
|
||||
|
||||
This means we can systematically pass the environment variables
|
||||
through bwrap(1), even if it is setuid and thus is filtering out
|
||||
security-sensitive environment variables. bwrap ends up being
|
||||
run with an empty environment instead.
|
||||
|
||||
As with the previous commit, this regressed while fixing CVE-2021-21261.
|
||||
|
||||
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
(cherry picked from commit fb473cad801c6b61706353256cab32330557374a)
|
||||
---
|
||||
common/flatpak-dir.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
||||
index ed1248e74..40767fa77 100644
|
||||
--- a/common/flatpak-dir.c
|
||||
+++ b/common/flatpak-dir.c
|
||||
@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir *self,
|
||||
app_context, NULL, NULL, NULL, cancellable, error))
|
||||
return FALSE;
|
||||
|
||||
+ flatpak_bwrap_envp_to_args (bwrap);
|
||||
+
|
||||
flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
|
||||
|
||||
flatpak_bwrap_finish (bwrap);
|
@ -3,12 +3,14 @@
|
||||
|
||||
Name: flatpak
|
||||
Version: 1.8.5
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: Application deployment framework for desktop apps
|
||||
|
||||
License: LGPLv2+
|
||||
URL: http://flatpak.org/
|
||||
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1918776
|
||||
Patch0: flatpak-1.8.5-post-cve-fixes.patch
|
||||
|
||||
BuildRequires: pkgconfig(appstream-glib)
|
||||
BuildRequires: pkgconfig(dconf)
|
||||
@ -240,6 +242,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2
|
||||
- Apply post-release CVE fixes (#1918776)
|
||||
|
||||
* Thu Jan 14 2021 David King <dking@redhat.com> - 1.8.5-1
|
||||
- Rebase to 1.8.5 (#1851958)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user