From d7163f6905958a1eefbda9cf30a1cdfa84030b0b Mon Sep 17 00:00:00 2001
From: James Antill
Date: Thu, 26 May 2022 07:07:04 -0400
Subject: [PATCH] Auto sync2gitlab import of flatpak-builder-1.0.14-2.el8.src.rpm
---
 .gitignore | 1 +
 EMPTY | 1 -
 flatpak-builder-CVE-2022-21682.patch | 172 +++++++++++++++++++++++++++
 flatpak-builder.spec | 112 +++++++++++++++++
 sources | 1 +
 5 files changed, 286 insertions(+), 1 deletion(-)
 create mode 100644 .gitignore
 delete mode 100644 EMPTY
 create mode 100644 flatpak-builder-CVE-2022-21682.patch
 create mode 100644 flatpak-builder.spec
 create mode 100644 sources
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..10a4886
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/flatpak-builder-1.0.14.tar.xz
diff --git a/EMPTY b/EMPTY
deleted file mode 100644
index 0519ecb..0000000
--- a/EMPTY
+++ /dev/null
@@ -1 +0,0 @@
- 
\ No newline at end of file
diff --git a/flatpak-builder-CVE-2022-21682.patch b/flatpak-builder-CVE-2022-21682.patch
new file mode 100644
index 0000000..435ff5b
--- /dev/null
+++ b/flatpak-builder-CVE-2022-21682.patch
@@ -0,0 +1,172 @@
+From dd05ea86a4701a33cc4d271edf0a36b5c972e2e1 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Mon, 17 Jan 2022 21:59:02 +0000
+Subject: [PATCH 1/2] Disable filesystem access with --nofilesystem=host:reset
+
+This requires .
+
+In addition to counteracting an earlier --filesystem=host, in Flatpak
+versions that support it, the new --nofilesystem=host:reset removes all
+filesystem access that might have been inherited from the app manifest
+or overrides. This prevents CVE-2022-21682, while avoiding behaviour
+changes in Flatpak for non-builder use cases.
+
+In older Flatpak versions, this option acts as --filesystem=host with an
+unknown mode suffix, which is ignored (with a warning, which is harmless
+but will hopefully nudge people towards upgrading Flatpak to a version
+that enables CVE-2022-21682 to be avoided). flatpak-builder will still
+be vulnerable to CVE-2022-21682 in this case.
+
+Signed-off-by: Simon McVittie
+(cherry picked from commit 2d1b6799e782d5e5577072aa7bbfed00ddf0b087)
+---
+ src/builder-main.c | 2 +-
+ src/builder-manifest.c | 4 ++--
+ src/builder-module.c | 2 +-
+ src/builder-source-shell.c | 2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/builder-main.c b/src/builder-main.c
+index a177f4b0c8b6..dc6f3e97603a 100644
+--- a/src/builder-main.c
++++ b/src/builder-main.c
+@@ -942,7 +942,7 @@ main (int argc,
+ "flatpak",
+ "build",
+ "--die-with-parent",
+- "--nofilesystem=host",
++ "--nofilesystem=host:reset",
+ fs_app_dir,
+ fs_cache,
+ "--share=network",
+diff --git a/src/builder-manifest.c b/src/builder-manifest.c
+index 62e7096674fa..ae83e493db52 100644
+--- a/src/builder-manifest.c
++++ b/src/builder-manifest.c
+@@ -2124,7 +2124,7 @@ command (GFile *app_dir,
+ g_ptr_array_add (args, g_strdup ("build"));
+
+ g_ptr_array_add (args, g_strdup ("--die-with-parent"));
+- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+ if (extra_args)
+ {
+ for (i = 0; extra_args[i] != NULL; i++)
+@@ -2304,7 +2304,7 @@ appstream_compose (GFile *app_dir,
+ g_ptr_array_add (args, g_strdup ("flatpak"));
+ g_ptr_array_add (args, g_strdup ("build"));
+ g_ptr_array_add (args, g_strdup ("--die-with-parent"));
+- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+ g_ptr_array_add (args, g_file_get_path (app_dir));
+ g_ptr_array_add (args, g_strdup ("appstream-compose"));
+
+diff --git a/src/builder-module.c b/src/builder-module.c
+index 8d1819a3e530..862c247e2fb2 100644
+--- a/src/builder-module.c
++++ b/src/builder-module.c
+@@ -1177,7 +1177,7 @@ setup_build_args (GFile *app_dir,
+ builddir = "/run/build/";
+
+ g_ptr_array_add (args, g_strdup_printf ("--env=FLATPAK_BUILDER_BUILDDIR=%s%s", builddir, module_name));
+- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+
+ /* We mount the canonical location, because bind-mounts of symlinks don't really work */
+ g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
+diff --git a/src/builder-source-shell.c b/src/builder-source-shell.c
+index 152257b12476..8132a5c49d8a 100644
+--- a/src/builder-source-shell.c
++++ b/src/builder-source-shell.c
+@@ -136,7 +136,7 @@ run_script (BuilderContext *context,
+
+ source_dir_path_canonical = realpath (source_dir_path, NULL);
+
+- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+ g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
+
+ if (env)
+--
+2.35.1
+
+
+From 26cab8d7aae2146fa95cf5ad28e286f8034d97dc Mon Sep 17 00:00:00 2001
+From: Alexander Larsson
+Date: Tue, 18 Jan 2022 09:58:29 +0100
+Subject: [PATCH 2/2] Allow --nofilesystem=host:reset in flatpak-builder --run
+
+This adds support for the new host:reset mode. We don't verify
+that the argument is used as carefully as flatpak does, but any
+issue will be reported later when passed to flatpak.
+
+Co-authored-by: Simon McVittie
+(cherry picked from commit 27aa2f5e4508d03178bf905ee7099d6d69a79aa4)
+---
+ src/builder-flatpak-utils.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/src/builder-flatpak-utils.c b/src/builder-flatpak-utils.c
+index 53191016047f..89352cdc2fd5 100644
+--- a/src/builder-flatpak-utils.c
++++ b/src/builder-flatpak-utils.c
+@@ -1196,6 +1196,7 @@ typedef enum {
+
+ /* In numerical order of more privs */
+ typedef enum {
++ FLATPAK_FILESYSTEM_MODE_NONE = 0,
+ FLATPAK_FILESYSTEM_MODE_READ_ONLY = 1,
+ FLATPAK_FILESYSTEM_MODE_READ_WRITE = 2,
+ FLATPAK_FILESYSTEM_MODE_CREATE = 3,
+@@ -1770,6 +1771,13 @@ parse_filesystem_flags (const char *filesystem, FlatpakFilesystemMode *mode)
+ if (mode)
+ *mode = FLATPAK_FILESYSTEM_MODE_CREATE;
+ }
++ else if (g_str_equal (filesystem, "host:reset"))
++ {
++ filesystem = "host-reset";
++
++ if (mode)
++ *mode = FLATPAK_FILESYSTEM_MODE_NONE;
++ }
+
+ return g_strndup (filesystem, len);
+ }
+@@ -1810,9 +1818,12 @@ static void
+ flatpak_context_remove_filesystem (FlatpakContext *context,
+ const char *what)
+ {
++ FlatpakFilesystemMode mode;
++ g_autofree char *fs = parse_filesystem_flags (what, &mode);
++
+ g_hash_table_insert (context->filesystems,
+- parse_filesystem_flags (what, NULL),
+- NULL);
++ g_steal_pointer (&fs),
++ GINT_TO_POINTER (mode));
+ }
+
+ static gboolean
+@@ -2222,11 +2233,19 @@ flatpak_context_to_args (FlatpakContext *context,
+ g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name));
+ }
+
++ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", NULL, NULL))
++ {
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
++ }
++
+ g_hash_table_iter_init (&iter, context->filesystems);
+ while (g_hash_table_iter_next (&iter, &key, &value))
+ {
+ FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
+
++ if (g_str_equal (key, "host-reset"))
++ continue;
++
+ if (mode == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
+ g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s:ro", (char *)key));
+ else if (mode == FLATPAK_FILESYSTEM_MODE_READ_WRITE)
+--
+2.35.1
+
diff --git a/flatpak-builder.spec b/flatpak-builder.spec
new file mode 100644
index 0000000..acd03ba
--- /dev/null
+++ b/flatpak-builder.spec
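Review bot: In `flatpak_context_remove_filesystem` (nested hunk `@@ -1810,9 +1818,12 @@`) the value stored for a removed filesystem changes from `NULL` to `GINT_TO_POINTER (mode)`, where `mode` is whatever `parse_filesystem_flags` writes for a path with no recognised suffix, and that default assignment is outside the hunk. If the default is anything other than `FLATPAK_FILESYSTEM_MODE_NONE`, a plain `--nofilesystem=PATH` given to `flatpak-builder --run` would be re-emitted by `flatpak_context_to_args` as a `--filesystem=` grant (the `READ_ONLY` branch is visible and the `READ_WRITE` branch runs past the hunk), which is the opposite of what the caller asked for. Since the `host-reset` entry is handled by name, the parsed mode is not needed here: keep `parse_filesystem_flags (what, NULL)` and store `GINT_TO_POINTER (FLATPAK_FILESYSTEM_MODE_NONE)` unconditionally, or add a comment stating why storing the parsed mode is safe. `parse_filesystem_flags` and `flatpak_context_to_args` both begin and end outside their hunks.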
@@ -0,0 +1,112 @@
+%global glib2_version 2.44
+%global ostree_version 2017.14
+%global flatpak_version 0.99.1
+
+Name: flatpak-builder
+Version: 1.0.14
+Release: 2%{?dist}
+Summary: Tool to build flatpaks from source
+
+# src/builder-utils.c has portions derived from GPLv2+ code,
+# the rest is LGPLv2+
+License: LGPLv2+ and GPLv2+
+URL: http://flatpak.org/
+Source0: https://github.com/flatpak/flatpak-builder/releases/download/%{version}/%{name}-%{version}.tar.xz
+
+# https://github.com/flatpak/flatpak-builder/pull/464
+# https://bugzilla.redhat.com/show_bug.cgi?id=2042007
+Patch0: flatpak-builder-CVE-2022-21682.patch
+
+BuildRequires: gettext
+BuildRequires: docbook-dtds
+BuildRequires: docbook-style-xsl
+BuildRequires: flatpak >= %{flatpak_version}
+BuildRequires: elfutils-devel
+BuildRequires: libcap-devel
+BuildRequires: pkgconfig(glib-2.0) >= %{glib2_version}
+BuildRequires: pkgconfig(gobject-introspection-1.0)
+BuildRequires: pkgconfig(json-glib-1.0)
+BuildRequires: pkgconfig(libcurl)
+BuildRequires: pkgconfig(libelf)
+BuildRequires: pkgconfig(libsoup-2.4)
+BuildRequires: pkgconfig(ostree-1) >= %{ostree_version}
+BuildRequires: pkgconfig(yaml-0.1)
+BuildRequires: /usr/bin/xmlto
+BuildRequires: /usr/bin/xsltproc
+
+Requires: flatpak%{?_isa} >= %{flatpak_version}
+Requires: glib2%{?_isa} >= %{glib2_version}
+Requires: ostree-libs%{?_isa} >= %{ostree_version}
+Requires: /usr/bin/bzip2
+%if ! 0%{?rhel} > 7
+# No bzr in latest RHEL
+Recommends: /usr/bin/bzr
+%endif
+Requires: /usr/bin/eu-strip
+Requires: /usr/bin/git
+Requires: /usr/bin/patch
+Requires: /usr/bin/rofiles-fuse
+Requires: /usr/bin/strip
+Recommends: /usr/bin/svn
+Requires: /usr/bin/tar
+Requires: /usr/bin/unzip
+
+%description
+Flatpak-builder is a tool for building flatpaks from sources.
+
+See http://flatpak.org/ for more information.
+
+
+%prep
+%autosetup -p1
+
+
+%build
+%configure \
+ --enable-docbook-docs
+
+%make_build V=1
+
+
+%install
+%make_install
+
+
+%files
+%license COPYING
+%doc %{_pkgdocdir}
+%{_bindir}/flatpak-builder
+%{_mandir}/man1/flatpak-builder.1*
+%{_mandir}/man5/flatpak-manifest.5*
+
+
+%changelog
+* Fri Apr 01 2022 Debarshi Ray - 1.0.14-2
+- Fix CVE-2022-21682 (#2042007)
+
+* Wed Mar 09 2022 Debarshi Ray - 1.0.14-1
+- Update to 1.0.14 (#2047312)
+
+* Tue Feb 25 2020 David King - 1.0.9-3
+- Use elfutils instead of libdwarf (#1613030)
+
+* Fri Nov 08 2019 David King - 1.0.9-2
+- Drop Requires on lzip (#1748290)
+
+* Fri Nov 08 2019 David King - 1.0.9-1
+- Rebase to 1.0.9 (#1748290)
+
+* Tue Oct 16 2018 Kalev Lember - 1.0.1-2
+- Change svn requires to recommends (#1639355)
+
+* Thu Oct 04 2018 Kalev Lember - 1.0.1-1
+- Update to 1.0.1
+
+* Mon Aug 20 2018 David King - 1.0.0-1
+- Update to 1.0.0
+
+* Mon Aug 13 2018 Kalev Lember - 0.99.3-2
+- Update license to "LGPLv2+ and GPLv2+"
+
+* Thu Aug 02 2018 David King - 0.99.3-1
+- Import from Fedora
diff --git a/sources b/sources
new file mode 100644
index 0000000..742cb16
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (flatpak-builder-1.0.14.tar.xz) = b49236f064aaa20357aa46db1671ae9d1237b402aa949c80886499c839aa404c2c9acb00be930e717bca48c7e7c3138ce6544e10db81bb7ed930abc1d3d57acf
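Review bot: The runtime floor `Requires: flatpak%{?_isa} >= %{flatpak_version}` (with `%global flatpak_version 0.99.1`, both in the first part of this hunk) does not guarantee the installed flatpak understands `--nofilesystem=host:reset`, yet the changelog entry `- Fix CVE-2022-21682 (#2042007)` presents the CVE as fixed. The carried patch's own description says that on an older flatpak the `:reset` suffix is ignored with a warning and flatpak-builder stays vulnerable, so the mitigation is only as strong as the flatpak version that ends up installed alongside it. Consider raising `%global flatpak_version` to the first flatpak release that implements `host:reset` (that version is not stated on this page), or at least record the residual exposure next to `Patch0:`, e.g. `# Effective only when the installed flatpak understands --nofilesystem=host:reset; older flatpak ignores the suffix`.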