import CS flatpak-builder-1.2.3-1.el8

.flatpak-builder.metadata

@@ -1 +1 @@
-e201b45463be6dda24bcc38cd52abe537190a0ec SOURCES/flatpak-builder-1.0.14.tar.xz
+0fcee8a24a3980508dc67c274985d984fccb685f SOURCES/flatpak-builder-1.2.3.tar.xz

.gitignore

@@ -1 +1 @@
-SOURCES/flatpak-builder-1.0.14.tar.xz
+SOURCES/flatpak-builder-1.2.3.tar.xz

SOURCES/flatpak-builder-CVE-2022-21682.patch

@@ -1,172 +0,0 @@
-From dd05ea86a4701a33cc4d271edf0a36b5c972e2e1 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 17 Jan 2022 21:59:02 +0000
-Subject: [PATCH 1/2] Disable filesystem access with --nofilesystem=host:reset
-
-This requires <https://github.com/flatpak/flatpak/pull/4678>.
-
-In addition to counteracting an earlier --filesystem=host, in Flatpak
-versions that support it, the new --nofilesystem=host:reset removes all
-filesystem access that might have been inherited from the app manifest
-or overrides. This prevents CVE-2022-21682, while avoiding behaviour
-changes in Flatpak for non-builder use cases.
-
-In older Flatpak versions, this option acts as --filesystem=host with an
-unknown mode suffix, which is ignored (with a warning, which is harmless
-but will hopefully nudge people towards upgrading Flatpak to a version
-that enables CVE-2022-21682 to be avoided). flatpak-builder will still
-be vulnerable to CVE-2022-21682 in this case.
-
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 2d1b6799e782d5e5577072aa7bbfed00ddf0b087)
----
- src/builder-main.c         | 2 +-
- src/builder-manifest.c     | 4 ++--
- src/builder-module.c       | 2 +-
- src/builder-source-shell.c | 2 +-
- 4 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/builder-main.c b/src/builder-main.c
-index a177f4b0c8b6..dc6f3e97603a 100644
---- a/src/builder-main.c
-+++ b/src/builder-main.c
-@@ -942,7 +942,7 @@ main (int    argc,
-         "flatpak",
-         "build",
-         "--die-with-parent",
--        "--nofilesystem=host",
-+        "--nofilesystem=host:reset",
-         fs_app_dir,
-         fs_cache,
-         "--share=network",
-diff --git a/src/builder-manifest.c b/src/builder-manifest.c
-index 62e7096674fa..ae83e493db52 100644
---- a/src/builder-manifest.c
-+++ b/src/builder-manifest.c
-@@ -2124,7 +2124,7 @@ command (GFile      *app_dir,
-   g_ptr_array_add (args, g_strdup ("build"));
- 
-   g_ptr_array_add (args, g_strdup ("--die-with-parent"));
--  g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
-+  g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
-   if (extra_args)
-     {
-       for (i = 0; extra_args[i] != NULL; i++)
-@@ -2304,7 +2304,7 @@ appstream_compose (GFile   *app_dir,
-   g_ptr_array_add (args, g_strdup ("flatpak"));
-   g_ptr_array_add (args, g_strdup ("build"));
-   g_ptr_array_add (args, g_strdup ("--die-with-parent"));
--  g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
-+  g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
-   g_ptr_array_add (args, g_file_get_path (app_dir));
-   g_ptr_array_add (args, g_strdup ("appstream-compose"));
- 
-diff --git a/src/builder-module.c b/src/builder-module.c
-index 8d1819a3e530..862c247e2fb2 100644
---- a/src/builder-module.c
-+++ b/src/builder-module.c
-@@ -1177,7 +1177,7 @@ setup_build_args (GFile          *app_dir,
-     builddir = "/run/build/";
- 
-   g_ptr_array_add (args, g_strdup_printf ("--env=FLATPAK_BUILDER_BUILDDIR=%s%s", builddir, module_name));
--  g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
-+  g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
- 
-   /* We mount the canonical location, because bind-mounts of symlinks don't really work */
-   g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
-diff --git a/src/builder-source-shell.c b/src/builder-source-shell.c
-index 152257b12476..8132a5c49d8a 100644
---- a/src/builder-source-shell.c
-+++ b/src/builder-source-shell.c
-@@ -136,7 +136,7 @@ run_script (BuilderContext *context,
- 
-   source_dir_path_canonical = realpath (source_dir_path, NULL);
- 
--  g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
-+  g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
-   g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
- 
-   if (env)
--- 
-2.35.1
-
-
-From 26cab8d7aae2146fa95cf5ad28e286f8034d97dc Mon Sep 17 00:00:00 2001
-From: Alexander Larsson <alexl@redhat.com>
-Date: Tue, 18 Jan 2022 09:58:29 +0100
-Subject: [PATCH 2/2] Allow --nofilesystem=host:reset in flatpak-builder --run
-
-This adds support for the new host:reset mode. We don't verify
-that the argument is used as carefully as flatpak does, but any
-issue will be reported later when passed to flatpak.
-
-Co-authored-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 27aa2f5e4508d03178bf905ee7099d6d69a79aa4)
----
- src/builder-flatpak-utils.c | 23 +++++++++++++++++++++--
- 1 file changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/src/builder-flatpak-utils.c b/src/builder-flatpak-utils.c
-index 53191016047f..89352cdc2fd5 100644
---- a/src/builder-flatpak-utils.c
-+++ b/src/builder-flatpak-utils.c
-@@ -1196,6 +1196,7 @@ typedef enum {
- 
- /* In numerical order of more privs */
- typedef enum {
-+  FLATPAK_FILESYSTEM_MODE_NONE         = 0,
-   FLATPAK_FILESYSTEM_MODE_READ_ONLY    = 1,
-   FLATPAK_FILESYSTEM_MODE_READ_WRITE   = 2,
-   FLATPAK_FILESYSTEM_MODE_CREATE       = 3,
-@@ -1770,6 +1771,13 @@ parse_filesystem_flags (const char *filesystem, FlatpakFilesystemMode *mode)
-       if (mode)
-         *mode = FLATPAK_FILESYSTEM_MODE_CREATE;
-     }
-+  else if (g_str_equal (filesystem, "host:reset"))
-+    {
-+      filesystem = "host-reset";
-+
-+      if (mode)
-+        *mode = FLATPAK_FILESYSTEM_MODE_NONE;
-+    }
- 
-   return g_strndup (filesystem, len);
- }
-@@ -1810,9 +1818,12 @@ static void
- flatpak_context_remove_filesystem (FlatpakContext *context,
-                                    const char     *what)
- {
-+  FlatpakFilesystemMode mode;
-+  g_autofree char *fs = parse_filesystem_flags (what, &mode);
-+
-   g_hash_table_insert (context->filesystems,
--                       parse_filesystem_flags (what, NULL),
--                       NULL);
-+                       g_steal_pointer (&fs),
-+                       GINT_TO_POINTER (mode));
- }
- 
- static gboolean
-@@ -2222,11 +2233,19 @@ flatpak_context_to_args (FlatpakContext *context,
-       g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name));
-     }
- 
-+  if (g_hash_table_lookup_extended (context->filesystems, "host-reset", NULL, NULL))
-+    {
-+      g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
-+    }
-+
-   g_hash_table_iter_init (&iter, context->filesystems);
-   while (g_hash_table_iter_next (&iter, &key, &value))
-     {
-       FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
- 
-+      if (g_str_equal (key, "host-reset"))
-+        continue;
-+
-       if (mode == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
-         g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s:ro", (char *)key));
-       else if (mode == FLATPAK_FILESYSTEM_MODE_READ_WRITE)
--- 
-2.35.1
-

SPECS/flatpak-builder.spec

@@ -1,10 +1,12 @@
+%global elf_version 0.8.12
 %global glib2_version 2.44
+%global libdw_version 0.172
 %global ostree_version 2017.14
 %global flatpak_version 0.99.1
 
 Name:           flatpak-builder
-Version:        1.0.14
+Version:        1.2.3
-Release:        2%{?dist}
+Release:        1%{?dist}
 Summary:        Tool to build flatpaks from source
 
 # src/builder-utils.c has portions derived from GPLv2+ code,
@@ -13,27 +15,25 @@ License:        LGPLv2+ and GPLv2+
 URL:            http://flatpak.org/
 Source0:        https://github.com/flatpak/flatpak-builder/releases/download/%{version}/%{name}-%{version}.tar.xz
 
-# https://github.com/flatpak/flatpak-builder/pull/464
-# https://bugzilla.redhat.com/show_bug.cgi?id=2042007
-Patch0:         flatpak-builder-CVE-2022-21682.patch
-
 BuildRequires:  gettext
 BuildRequires:  docbook-dtds
 BuildRequires:  docbook-style-xsl
 BuildRequires:  flatpak >= %{flatpak_version}
-BuildRequires:  elfutils-devel
 BuildRequires:  libcap-devel
 BuildRequires:  pkgconfig(glib-2.0) >= %{glib2_version}
 BuildRequires:  pkgconfig(gobject-introspection-1.0)
 BuildRequires:  pkgconfig(json-glib-1.0)
 BuildRequires:  pkgconfig(libcurl)
-BuildRequires:  pkgconfig(libelf)
+BuildRequires:  pkgconfig(libdw) >= %{libdw_version}
+BuildRequires:  pkgconfig(libelf) >= %{elf_version}
 BuildRequires:  pkgconfig(libsoup-2.4)
 BuildRequires:  pkgconfig(ostree-1) >= %{ostree_version}
 BuildRequires:  pkgconfig(yaml-0.1)
 BuildRequires:  /usr/bin/xmlto
 BuildRequires:  /usr/bin/xsltproc
 
+Requires:       elfutils-libelf%{?_isa} >= %{elf_version}
+Requires:       elfutils-libs%{?_isa} >= %{libdw_version}
 Requires:       flatpak%{?_isa} >= %{flatpak_version}
 Requires:       glib2%{?_isa} >= %{glib2_version}
 Requires:       ostree-libs%{?_isa} >= %{ostree_version}
@@ -50,6 +50,7 @@ Requires:       /usr/bin/strip
 Recommends:     /usr/bin/svn
 Requires:       /usr/bin/tar
 Requires:       /usr/bin/unzip
+Recommends:     /usr/bin/zstd
 
 %description
 Flatpak-builder is a tool for building flatpaks from sources.
@@ -63,7 +64,8 @@ See http://flatpak.org/ for more information.
 
 %build
 %configure \
-    --enable-docbook-docs
+    --enable-docbook-docs \
+    --with-fuse=2
 
 %make_build V=1
 
@@ -76,11 +78,15 @@ See http://flatpak.org/ for more information.
 %license COPYING
 %doc %{_pkgdocdir}
 %{_bindir}/flatpak-builder
+%{_libexecdir}/flatpak-builder-debugedit
 %{_mandir}/man1/flatpak-builder.1*
 %{_mandir}/man5/flatpak-manifest.5*
 
 
 %changelog
+* Wed Nov 08 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.2.3-1
+- Rebase to 1.2.3 (RHEL-16011)
+
 * Fri Apr 01 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-2
 - Fix CVE-2022-21682 (#2042007)