rpms/flatpak-builder
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Auto sync2gitlab import of flatpak-builder-1.0.14-2.el8.src.rpm

Browse Source
This commit is contained in:
James Antill 2022-05-26 07:07:04 -04:00
parent 09413436c5
commit d7163f6905
5 changed files with 286 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
/flatpak-builder-1.0.14.tar.xz

1
EMPTY
View File

@ -1 +0,0 @@

172
flatpak-builder-CVE-2022-21682.patch Normal file
View File

@ -0,0 +1,172 @@
From dd05ea86a4701a33cc4d271edf0a36b5c972e2e1 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Mon, 17 Jan 2022 21:59:02 +0000
Subject: [PATCH 1/2] Disable filesystem access with --nofilesystem=host:reset
This requires <https://github.com/flatpak/flatpak/pull/4678>.
In addition to counteracting an earlier --filesystem=host, in Flatpak
versions that support it, the new --nofilesystem=host:reset removes all
filesystem access that might have been inherited from the app manifest
or overrides. This prevents CVE-2022-21682, while avoiding behaviour
changes in Flatpak for non-builder use cases.
In older Flatpak versions, this option acts as --filesystem=host with an
unknown mode suffix, which is ignored (with a warning, which is harmless
but will hopefully nudge people towards upgrading Flatpak to a version
that enables CVE-2022-21682 to be avoided). flatpak-builder will still
be vulnerable to CVE-2022-21682 in this case.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 2d1b6799e782d5e5577072aa7bbfed00ddf0b087)
---
src/builder-main.c | 2 +-
src/builder-manifest.c | 4 ++--
src/builder-module.c | 2 +-
src/builder-source-shell.c | 2 +-
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/builder-main.c b/src/builder-main.c
index a177f4b0c8b6..dc6f3e97603a 100644
--- a/src/builder-main.c
+++ b/src/builder-main.c
@@ -942,7 +942,7 @@ main (int argc,
"flatpak",
"build",
"--die-with-parent",
- "--nofilesystem=host",
+ "--nofilesystem=host:reset",
fs_app_dir,
fs_cache,
"--share=network",
diff --git a/src/builder-manifest.c b/src/builder-manifest.c
index 62e7096674fa..ae83e493db52 100644
--- a/src/builder-manifest.c
+++ b/src/builder-manifest.c
@@ -2124,7 +2124,7 @@ command (GFile *app_dir,
g_ptr_array_add (args, g_strdup ("build"));
g_ptr_array_add (args, g_strdup ("--die-with-parent"));
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
if (extra_args)
{
for (i = 0; extra_args[i] != NULL; i++)
@@ -2304,7 +2304,7 @@ appstream_compose (GFile *app_dir,
g_ptr_array_add (args, g_strdup ("flatpak"));
g_ptr_array_add (args, g_strdup ("build"));
g_ptr_array_add (args, g_strdup ("--die-with-parent"));
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
g_ptr_array_add (args, g_file_get_path (app_dir));
g_ptr_array_add (args, g_strdup ("appstream-compose"));
diff --git a/src/builder-module.c b/src/builder-module.c
index 8d1819a3e530..862c247e2fb2 100644
--- a/src/builder-module.c
+++ b/src/builder-module.c
@@ -1177,7 +1177,7 @@ setup_build_args (GFile *app_dir,
builddir = "/run/build/";
g_ptr_array_add (args, g_strdup_printf ("--env=FLATPAK_BUILDER_BUILDDIR=%s%s", builddir, module_name));
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
/* We mount the canonical location, because bind-mounts of symlinks don't really work */
g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
diff --git a/src/builder-source-shell.c b/src/builder-source-shell.c
index 152257b12476..8132a5c49d8a 100644
--- a/src/builder-source-shell.c
+++ b/src/builder-source-shell.c
@@ -136,7 +136,7 @@ run_script (BuilderContext *context,
source_dir_path_canonical = realpath (source_dir_path, NULL);
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
if (env)
--
2.35.1
From 26cab8d7aae2146fa95cf5ad28e286f8034d97dc Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Tue, 18 Jan 2022 09:58:29 +0100
Subject: [PATCH 2/2] Allow --nofilesystem=host:reset in flatpak-builder --run
This adds support for the new host:reset mode. We don't verify
that the argument is used as carefully as flatpak does, but any
issue will be reported later when passed to flatpak.
Co-authored-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 27aa2f5e4508d03178bf905ee7099d6d69a79aa4)
---
src/builder-flatpak-utils.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/builder-flatpak-utils.c b/src/builder-flatpak-utils.c
index 53191016047f..89352cdc2fd5 100644
--- a/src/builder-flatpak-utils.c
+++ b/src/builder-flatpak-utils.c
@@ -1196,6 +1196,7 @@ typedef enum {
/* In numerical order of more privs */
typedef enum {
+ FLATPAK_FILESYSTEM_MODE_NONE = 0,
FLATPAK_FILESYSTEM_MODE_READ_ONLY = 1,
FLATPAK_FILESYSTEM_MODE_READ_WRITE = 2,
FLATPAK_FILESYSTEM_MODE_CREATE = 3,
@@ -1770,6 +1771,13 @@ parse_filesystem_flags (const char *filesystem, FlatpakFilesystemMode *mode)
if (mode)
*mode = FLATPAK_FILESYSTEM_MODE_CREATE;
}
+ else if (g_str_equal (filesystem, "host:reset"))
+ {
+ filesystem = "host-reset";
+
+ if (mode)
+ *mode = FLATPAK_FILESYSTEM_MODE_NONE;
+ }
return g_strndup (filesystem, len);
}
@@ -1810,9 +1818,12 @@ static void
flatpak_context_remove_filesystem (FlatpakContext *context,
const char *what)
{
+ FlatpakFilesystemMode mode;
+ g_autofree char *fs = parse_filesystem_flags (what, &mode);
+
g_hash_table_insert (context->filesystems,
- parse_filesystem_flags (what, NULL),
- NULL);
+ g_steal_pointer (&fs),
+ GINT_TO_POINTER (mode));
}
static gboolean
@@ -2222,11 +2233,19 @@ flatpak_context_to_args (FlatpakContext *context,
g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name));
}
+ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", NULL, NULL))
+ {
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+ }
+
g_hash_table_iter_init (&iter, context->filesystems);
while (g_hash_table_iter_next (&iter, &key, &value))
{
FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
+ if (g_str_equal (key, "host-reset"))
+ continue;
+
if (mode == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s:ro", (char *)key));
else if (mode == FLATPAK_FILESYSTEM_MODE_READ_WRITE)
--
2.35.1

112
flatpak-builder.spec Normal file
View File

@ -0,0 +1,112 @@
%global glib2_version 2.44
%global ostree_version 2017.14
%global flatpak_version 0.99.1
Name: flatpak-builder
Version: 1.0.14
Release: 2%{?dist}
Summary: Tool to build flatpaks from source
# src/builder-utils.c has portions derived from GPLv2+ code,
# the rest is LGPLv2+
License: LGPLv2+ and GPLv2+
URL: http://flatpak.org/
Source0: https://github.com/flatpak/flatpak-builder/releases/download/%{version}/%{name}-%{version}.tar.xz
# https://github.com/flatpak/flatpak-builder/pull/464
# https://bugzilla.redhat.com/show_bug.cgi?id=2042007
Patch0: flatpak-builder-CVE-2022-21682.patch
BuildRequires: gettext
BuildRequires: docbook-dtds
BuildRequires: docbook-style-xsl
BuildRequires: flatpak >= %{flatpak_version}
BuildRequires: elfutils-devel
BuildRequires: libcap-devel
BuildRequires: pkgconfig(glib-2.0) >= %{glib2_version}
BuildRequires: pkgconfig(gobject-introspection-1.0)
BuildRequires: pkgconfig(json-glib-1.0)
BuildRequires: pkgconfig(libcurl)
BuildRequires: pkgconfig(libelf)
BuildRequires: pkgconfig(libsoup-2.4)
BuildRequires: pkgconfig(ostree-1) >= %{ostree_version}
BuildRequires: pkgconfig(yaml-0.1)
BuildRequires: /usr/bin/xmlto
BuildRequires: /usr/bin/xsltproc
Requires: flatpak%{?_isa} >= %{flatpak_version}
Requires: glib2%{?_isa} >= %{glib2_version}
Requires: ostree-libs%{?_isa} >= %{ostree_version}
Requires: /usr/bin/bzip2
%if ! 0%{?rhel} > 7
# No bzr in latest RHEL
Recommends: /usr/bin/bzr
%endif
Requires: /usr/bin/eu-strip
Requires: /usr/bin/git
Requires: /usr/bin/patch
Requires: /usr/bin/rofiles-fuse
Requires: /usr/bin/strip
Recommends: /usr/bin/svn
Requires: /usr/bin/tar
Requires: /usr/bin/unzip
%description
Flatpak-builder is a tool for building flatpaks from sources.
See http://flatpak.org/ for more information.
%prep
%autosetup -p1
%build
%configure \
--enable-docbook-docs
%make_build V=1
%install
%make_install
%files
%license COPYING
%doc %{_pkgdocdir}
%{_bindir}/flatpak-builder
%{_mandir}/man1/flatpak-builder.1*
%{_mandir}/man5/flatpak-manifest.5*
%changelog
* Fri Apr 01 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-2
- Fix CVE-2022-21682 (#2042007)
* Wed Mar 09 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-1
- Update to 1.0.14 (#2047312)
* Tue Feb 25 2020 David King <dking@redhat.com> - 1.0.9-3
- Use elfutils instead of libdwarf (#1613030)
* Fri Nov 08 2019 David King <dking@redhat.com> - 1.0.9-2
- Drop Requires on lzip (#1748290)
* Fri Nov 08 2019 David King <dking@redhat.com> - 1.0.9-1
- Rebase to 1.0.9 (#1748290)
* Tue Oct 16 2018 Kalev Lember <klember@redhat.com> - 1.0.1-2
- Change svn requires to recommends (#1639355)
* Thu Oct 04 2018 Kalev Lember <klember@redhat.com> - 1.0.1-1
- Update to 1.0.1
* Mon Aug 20 2018 David King <amigadave@amigadave.com> - 1.0.0-1
- Update to 1.0.0
* Mon Aug 13 2018 Kalev Lember <klember@redhat.com> - 0.99.3-2
- Update license to "LGPLv2+ and GPLv2+"
* Thu Aug 02 2018 David King <dking@redhat.com> - 0.99.3-1
- Import from Fedora

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (flatpak-builder-1.0.14.tar.xz) = b49236f064aaa20357aa46db1671ae9d1237b402aa949c80886499c839aa404c2c9acb00be930e717bca48c7e7c3138ce6544e10db81bb7ed930abc1d3d57acf