diff --git a/.flatpak-builder.metadata b/.flatpak-builder.metadata
deleted file mode 100644
index 5c11f01..0000000
--- a/.flatpak-builder.metadata
+++ /dev/null
@@ -1 +0,0 @@
-e201b45463be6dda24bcc38cd52abe537190a0ec SOURCES/flatpak-builder-1.0.14.tar.xz
diff --git a/.gitignore b/.gitignore
index 430181a..c6cb4c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/flatpak-builder-1.0.14.tar.xz
+SOURCES/flatpak-builder-1.2.3.tar.xz
diff --git a/SOURCES/flatpak-builder-CVE-2022-21682.patch b/SOURCES/flatpak-builder-CVE-2022-21682.patch
deleted file mode 100644
index 435ff5b..0000000
--- a/SOURCES/flatpak-builder-CVE-2022-21682.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From dd05ea86a4701a33cc4d271edf0a36b5c972e2e1 Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Mon, 17 Jan 2022 21:59:02 +0000
-Subject: [PATCH 1/2] Disable filesystem access with --nofilesystem=host:reset
-
-This requires .
-
-In addition to counteracting an earlier --filesystem=host, in Flatpak
-versions that support it, the new --nofilesystem=host:reset removes all
-filesystem access that might have been inherited from the app manifest
-or overrides. This prevents CVE-2022-21682, while avoiding behaviour
-changes in Flatpak for non-builder use cases.
-
-In older Flatpak versions, this option acts as --filesystem=host with an
-unknown mode suffix, which is ignored (with a warning, which is harmless
-but will hopefully nudge people towards upgrading Flatpak to a version
-that enables CVE-2022-21682 to be avoided). flatpak-builder will still
-be vulnerable to CVE-2022-21682 in this case.
-
-Signed-off-by: Simon McVittie
-(cherry picked from commit 2d1b6799e782d5e5577072aa7bbfed00ddf0b087)
----
- src/builder-main.c | 2 +-
- src/builder-manifest.c | 4 ++--
- src/builder-module.c | 2 +-
- src/builder-source-shell.c | 2 +-
- 4 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/builder-main.c b/src/builder-main.c
-index a177f4b0c8b6..dc6f3e97603a 100644
---- a/src/builder-main.c
-+++ b/src/builder-main.c
-@@ -942,7 +942,7 @@ main (int argc,
- "flatpak",
- "build",
- "--die-with-parent",
-- "--nofilesystem=host",
-+ "--nofilesystem=host:reset",
- fs_app_dir,
- fs_cache,
- "--share=network",
-diff --git a/src/builder-manifest.c b/src/builder-manifest.c
-index 62e7096674fa..ae83e493db52 100644
---- a/src/builder-manifest.c
-+++ b/src/builder-manifest.c
-@@ -2124,7 +2124,7 @@ command (GFile *app_dir,
- g_ptr_array_add (args, g_strdup ("build"));
-
- g_ptr_array_add (args, g_strdup ("--die-with-parent"));
-- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
-+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
- if (extra_args)
- {
- for (i = 0; extra_args[i] != NULL; i++)
-@@ -2304,7 +2304,7 @@ appstream_compose (GFile *app_dir,
- g_ptr_array_add (args, g_strdup ("flatpak"));
- g_ptr_array_add (args, g_strdup ("build"));
- g_ptr_array_add (args, g_strdup ("--die-with-parent"));
-- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
-+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
- g_ptr_array_add (args, g_file_get_path (app_dir));
- g_ptr_array_add (args, g_strdup ("appstream-compose"));
-
-diff --git a/src/builder-module.c b/src/builder-module.c
-index 8d1819a3e530..862c247e2fb2 100644
---- a/src/builder-module.c
-+++ b/src/builder-module.c
-@@ -1177,7 +1177,7 @@ setup_build_args (GFile *app_dir,
- builddir = "/run/build/";
-
- g_ptr_array_add (args, g_strdup_printf ("--env=FLATPAK_BUILDER_BUILDDIR=%s%s", builddir, module_name));
-- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
-+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
-
- /* We mount the canonical location, because bind-mounts of symlinks don't really work */
- g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
-diff --git a/src/builder-source-shell.c b/src/builder-source-shell.c
-index 152257b12476..8132a5c49d8a 100644
---- a/src/builder-source-shell.c
-+++ b/src/builder-source-shell.c
-@@ -136,7 +136,7 @@ run_script (BuilderContext *context,
-
- source_dir_path_canonical = realpath (source_dir_path, NULL);
-
-- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
-+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
- g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
-
- if (env)
--- 
-2.35.1
-
-
-From 26cab8d7aae2146fa95cf5ad28e286f8034d97dc Mon Sep 17 00:00:00 2001
-From: Alexander Larsson
-Date: Tue, 18 Jan 2022 09:58:29 +0100
-Subject: [PATCH 2/2] Allow --nofilesystem=host:reset in flatpak-builder --run
-
-This adds support for the new host:reset mode. We don't verify
-that the argument is used as carefully as flatpak does, but any
-issue will be reported later when passed to flatpak.
-
-Co-authored-by: Simon McVittie
-(cherry picked from commit 27aa2f5e4508d03178bf905ee7099d6d69a79aa4)
----
- src/builder-flatpak-utils.c | 23 +++++++++++++++++++++--
- 1 file changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/src/builder-flatpak-utils.c b/src/builder-flatpak-utils.c
-index 53191016047f..89352cdc2fd5 100644
---- a/src/builder-flatpak-utils.c
-+++ b/src/builder-flatpak-utils.c
-@@ -1196,6 +1196,7 @@ typedef enum {
-
- /* In numerical order of more privs */
- typedef enum {
-+ FLATPAK_FILESYSTEM_MODE_NONE = 0,
- FLATPAK_FILESYSTEM_MODE_READ_ONLY = 1,
- FLATPAK_FILESYSTEM_MODE_READ_WRITE = 2,
- FLATPAK_FILESYSTEM_MODE_CREATE = 3,
-@@ -1770,6 +1771,13 @@ parse_filesystem_flags (const char *filesystem, FlatpakFilesystemMode *mode)
- if (mode)
- *mode = FLATPAK_FILESYSTEM_MODE_CREATE;
- }
-+ else if (g_str_equal (filesystem, "host:reset"))
-+ {
-+ filesystem = "host-reset";
-+
-+ if (mode)
-+ *mode = FLATPAK_FILESYSTEM_MODE_NONE;
-+ }
-
- return g_strndup (filesystem, len);
- }
-@@ -1810,9 +1818,12 @@ static void
- flatpak_context_remove_filesystem (FlatpakContext *context,
- const char *what)
- {
-+ FlatpakFilesystemMode mode;
-+ g_autofree char *fs = parse_filesystem_flags (what, &mode);
-+
- g_hash_table_insert (context->filesystems,
-- parse_filesystem_flags (what, NULL),
-- NULL);
-+ g_steal_pointer (&fs),
-+ GINT_TO_POINTER (mode));
- }
-
- static gboolean
-@@ -2222,11 +2233,19 @@ flatpak_context_to_args (FlatpakContext *context,
- g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name));
- }
-
-+ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", NULL, NULL))
-+ {
-+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
-+ }
-+
- g_hash_table_iter_init (&iter, context->filesystems);
- while (g_hash_table_iter_next (&iter, &key, &value))
- {
- FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
-
-+ if (g_str_equal (key, "host-reset"))
-+ continue;
-+
- if (mode == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
- g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s:ro", (char *)key));
- else if (mode == FLATPAK_FILESYSTEM_MODE_READ_WRITE)
--- 
-2.35.1
-
diff --git a/SPECS/flatpak-builder.spec b/SPECS/flatpak-builder.spec
index acd03ba..05125fd 100644
--- a/SPECS/flatpak-builder.spec
+++ b/SPECS/flatpak-builder.spec
@@ -1,10 +1,12 @@
+%global elf_version 0.8.12
 %global glib2_version 2.44
+%global libdw_version 0.172
 %global ostree_version 2017.14
 %global flatpak_version 0.99.1
 
 Name: flatpak-builder
-Version: 1.0.14
-Release: 2%{?dist}
+Version: 1.2.3
+Release: 1%{?dist}
 Summary: Tool to build flatpaks from source
 
 # src/builder-utils.c has portions derived from GPLv2+ code,
@@ -13,27 +15,25 @@ License: LGPLv2+ and GPLv2+
 URL: http://flatpak.org/
 Source0: https://github.com/flatpak/flatpak-builder/releases/download/%{version}/%{name}-%{version}.tar.xz
 
-# https://github.com/flatpak/flatpak-builder/pull/464
-# https://bugzilla.redhat.com/show_bug.cgi?id=2042007
-Patch0: flatpak-builder-CVE-2022-21682.patch
-
 BuildRequires: gettext
 BuildRequires: docbook-dtds
 BuildRequires: docbook-style-xsl
 BuildRequires: flatpak >= %{flatpak_version}
-BuildRequires: elfutils-devel
 BuildRequires: libcap-devel
 BuildRequires: pkgconfig(glib-2.0) >= %{glib2_version}
 BuildRequires: pkgconfig(gobject-introspection-1.0)
 BuildRequires: pkgconfig(json-glib-1.0)
 BuildRequires: pkgconfig(libcurl)
-BuildRequires: pkgconfig(libelf)
+BuildRequires: pkgconfig(libdw) >= %{libdw_version}
+BuildRequires: pkgconfig(libelf) >= %{elf_version}
 BuildRequires: pkgconfig(libsoup-2.4)
 BuildRequires: pkgconfig(ostree-1) >= %{ostree_version}
 BuildRequires: pkgconfig(yaml-0.1)
 BuildRequires: /usr/bin/xmlto
 BuildRequires: /usr/bin/xsltproc
 
+Requires: elfutils-libelf%{?_isa} >= %{elf_version}
+Requires: elfutils-libs%{?_isa} >= %{libdw_version}
 Requires: flatpak%{?_isa} >= %{flatpak_version}
 Requires: glib2%{?_isa} >= %{glib2_version}
 Requires: ostree-libs%{?_isa} >= %{ostree_version}
@@ -50,6 +50,7 @@ Requires: /usr/bin/strip
 Recommends: /usr/bin/svn
 Requires: /usr/bin/tar
 Requires: /usr/bin/unzip
+Recommends: /usr/bin/zstd
 
 %description
 Flatpak-builder is a tool for building flatpaks from sources.
@@ -63,7 +64,8 @@ See http://flatpak.org/ for more information.
 
 %build
 %configure \
- --enable-docbook-docs
+ --enable-docbook-docs \
+ --with-fuse=2
 
 %make_build V=1
 
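Review bot: Dropping `Patch0` (the CVE-2022-21682 fix) in this hunk without raising the Flatpak floor leaves `Requires: flatpak%{?_isa} >= %{flatpak_version}` at 0.99.1, a version that does not guarantee the `--nofilesystem=host:reset` option the fix relies on. The deleted patch's own description states that on a Flatpak lacking `host:reset` support the option degrades to an ignored suffix with a warning and flatpak-builder "will still be vulnerable", so if the 1.2.3 tarball carries the same upstream change (implied by removing the patch without a replacement, but not visible here) the runtime dependency is what actually makes the fix effective on the installed system. Bump `%global flatpak_version` in the preceding hunk to the first Flatpak release that understands `host:reset` (upstream 1.12.3 / 1.10.6 per the Flatpak advisory; confirm against the Flatpak build shipped with this package) so that the `Requires:` here enforces it, and add a one-line comment above it such as `# host:reset support is required for the upstream CVE-2022-21682 fix to take effect` so the floor is not lowered again by a later cleanup.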
@@ -76,11 +78,15 @@ See http://flatpak.org/ for more information.
 %license COPYING
 %doc %{_pkgdocdir}
 %{_bindir}/flatpak-builder
+%{_libexecdir}/flatpak-builder-debugedit
 %{_mandir}/man1/flatpak-builder.1*
 %{_mandir}/man5/flatpak-manifest.5*
 
 %changelog
+* Wed Nov 08 2023 Debarshi Ray - 1.2.3-1
+- Rebase to 1.2.3 (RHEL-16011)
+
 * Fri Apr 01 2022 Debarshi Ray - 1.0.14-2
 - Fix CVE-2022-21682 (#2042007)