diff --git a/.flatpak.metadata b/.flatpak.metadata
index 3007110..76bd630 100644
--- a/.flatpak.metadata
+++ b/.flatpak.metadata
@@ -1 +1 @@
-6763d41ca91cb2547456c16ca5f7d53c95d89a14 SOURCES/flatpak-1.6.2.tar.xz
+a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz
diff --git a/.gitignore b/.gitignore
index 4568fda..27b08dc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/flatpak-1.6.2.tar.xz
+SOURCES/flatpak-1.8.5.tar.xz
diff --git a/SOURCES/3845.patch b/SOURCES/3845.patch
deleted file mode 100644
index b9aeafb..0000000
--- a/SOURCES/3845.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 7ad549b89dfbfb67fd1cbbf6cafdd996e4722246 Mon Sep 17 00:00:00 2001
-From: "Owen W. Taylor" 
-Date: Wed, 9 Sep 2020 16:14:57 -0400
-Subject: [PATCH] OCI: extract appstream data for runtimes
- 
-Runtimes also have appstream data - with description, license information,
-and so forth, so we should extract the appstream data from the index
-for refs that start with runtime/ as well.
----
- common/flatpak-oci-registry.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
- 
-diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
-index cf501a5eb..0f7471129 100644
---- a/common/flatpak-oci-registry.c
-+++ b/common/flatpak-oci-registry.c
-@@ -3120,7 +3120,8 @@ add_image_to_appstream (SoupSession *soup_session,
- return;
- 
- ref_parts = g_strsplit (ref, "/", -1);
-- if (g_strv_length (ref_parts) != 4 || strcmp (ref_parts[0], "app") != 0)
-+ if (g_strv_length (ref_parts) != 4 ||
-+ (strcmp (ref_parts[0], "app") != 0 && strcmp (ref_parts[0], "runtime") != 0))
- return;
- 
- id = ref_parts[1];
diff --git a/SOURCES/flatpak-1.6.2-fix-CVE-2021-21261.patch b/SOURCES/flatpak-1.6.2-fix-CVE-2021-21261.patch
deleted file mode 100644
index fa89ea0..0000000
--- a/SOURCES/flatpak-1.6.2-fix-CVE-2021-21261.patch
+++ /dev/null
@@ -1,983 +0,0 @@ -From 038655c9ee29ee659e5fede4d36871cf8ccef803 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 7 Dec 2020 18:08:16 +0000 -Subject: [PATCH 01/10] common: Add a backport of - G_DBUS_METHOD_INVOCATION_HANDLED - -This is syntactic sugar added in GLib 2.67.0, which makes it more clearly -correct when we return TRUE after a GDBus error. - -Signed-off-by: Simon McVittie ---- - common/flatpak-utils-base-private.h | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/common/flatpak-utils-base-private.h b/common/flatpak-utils-base-private.h -index 181a0c95..9d10a530 100644 ---- a/common/flatpak-utils-base-private.h -+++ b/common/flatpak-utils-base-private.h -@@ -22,6 +22,12 @@ - #define __FLATPAK_UTILS_BASE_H__ - - #include -+#include -+ -+#ifndef G_DBUS_METHOD_INVOCATION_HANDLED -+# define G_DBUS_METHOD_INVOCATION_HANDLED TRUE -+# define G_DBUS_METHOD_INVOCATION_UNHANDLED FALSE -+#endif - - char *flatpak_get_timezone (void); - --- -2.29.2 - - -From 6ed3e235459f5fe8b58aecbab744166a5ee66f9d Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Sun, 10 Jan 2021 16:11:28 +0000 -Subject: [PATCH 02/10] run: Convert all environment variables into bwrap - arguments - -This avoids some of them being filtered out by a setuid bwrap. It also -means that if they came from an untrusted source, they cannot be used -to inject arbitrary code into a non-setuid bwrap via mechanisms like -LD_PRELOAD. - -Because they get bundled into a memfd or temporary file, they do not -actually appear in argv, ensuring that they remain inaccessible to -processes running under a different uid (which is important if their -values are tokens or other secrets). 
- -Signed-off-by: Simon McVittie -Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 ---- - common/flatpak-bwrap-private.h | 3 +++ - common/flatpak-bwrap.c | 43 ++++++++++++++++++++++++++++++++++ - common/flatpak-run.c | 32 +++++++++++-------------- - 3 files changed, 60 insertions(+), 18 deletions(-) - -diff --git a/common/flatpak-bwrap-private.h b/common/flatpak-bwrap-private.h -index 92d6e9de..6c31b789 100644 ---- a/common/flatpak-bwrap-private.h -+++ b/common/flatpak-bwrap-private.h -@@ -43,6 +43,8 @@ void flatpak_bwrap_unset_env (FlatpakBwrap *bwrap, - const char *variable); - void flatpak_bwrap_add_arg (FlatpakBwrap *bwrap, - const char *arg); -+void flatpak_bwrap_take_arg (FlatpakBwrap *bwrap, -+ char *arg); - void flatpak_bwrap_add_noinherit_fd (FlatpakBwrap *bwrap, - int fd); - void flatpak_bwrap_add_fd (FlatpakBwrap *bwrap, -@@ -73,6 +75,7 @@ void flatpak_bwrap_add_bind_arg (FlatpakBwrap *bwrap, - const char *type, - const char *src, - const char *dest); -+void flatpak_bwrap_envp_to_args (FlatpakBwrap *bwrap); - gboolean flatpak_bwrap_bundle_args (FlatpakBwrap *bwrap, - int start, - int end, -diff --git a/common/flatpak-bwrap.c b/common/flatpak-bwrap.c -index 7e5d38d1..d383d25f 100644 ---- a/common/flatpak-bwrap.c -+++ b/common/flatpak-bwrap.c -@@ -109,6 +109,18 @@ flatpak_bwrap_add_arg (FlatpakBwrap *bwrap, const char *arg) - g_ptr_array_add (bwrap->argv, g_strdup (arg)); - } - -+/* -+ * flatpak_bwrap_take_arg: -+ * @arg: (transfer full): Take ownership of this argument -+ * -+ * Add @arg to @bwrap's argv, taking ownership of the pointer. -+ */ -+void -+flatpak_bwrap_take_arg (FlatpakBwrap *bwrap, char *arg) -+{ -+ g_ptr_array_add (bwrap->argv, arg); -+} -+ - void - flatpak_bwrap_finish (FlatpakBwrap *bwrap) - { -@@ -274,6 +286,37 @@ flatpak_bwrap_add_bind_arg (FlatpakBwrap *bwrap, - } - } - -+/* -+ * Convert bwrap->envp into a series of --setenv arguments for bwrap(1), -+ * assumed to be applied to an empty environment. 
Reset envp to be an -+ * empty environment. -+ */ -+void -+flatpak_bwrap_envp_to_args (FlatpakBwrap *bwrap) -+{ -+ gsize i; -+ -+ for (i = 0; bwrap->envp[i] != NULL; i++) -+ { -+ char *key_val = bwrap->envp[i]; -+ char *eq = strchr (key_val, '='); -+ -+ if (eq) -+ { -+ flatpak_bwrap_add_arg (bwrap, "--setenv"); -+ flatpak_bwrap_take_arg (bwrap, g_strndup (key_val, eq - key_val)); -+ flatpak_bwrap_add_arg (bwrap, eq + 1); -+ } -+ else -+ { -+ g_warn_if_reached (); -+ } -+ } -+ -+ g_strfreev (g_steal_pointer (&bwrap->envp)); -+ bwrap->envp = g_strdupv (flatpak_bwrap_empty_env); -+} -+ - gboolean - flatpak_bwrap_bundle_args (FlatpakBwrap *bwrap, - int start, -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 51c002ff..9383610b 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -1314,24 +1314,6 @@ flatpak_run_add_environment_args (FlatpakBwrap *bwrap, - flatpak_run_add_system_dbus_args (bwrap, proxy_arg_bwrap, context, flags); - flatpak_run_add_a11y_dbus_args (bwrap, proxy_arg_bwrap, context, flags); - -- if (g_environ_getenv (bwrap->envp, "LD_LIBRARY_PATH") != NULL) -- { -- /* LD_LIBRARY_PATH is overridden for setuid helper, so pass it as cmdline arg */ -- flatpak_bwrap_add_args (bwrap, -- "--setenv", "LD_LIBRARY_PATH", g_environ_getenv (bwrap->envp, "LD_LIBRARY_PATH"), -- NULL); -- flatpak_bwrap_unset_env (bwrap, "LD_LIBRARY_PATH"); -- } -- -- if (g_environ_getenv (bwrap->envp, "TMPDIR") != NULL) -- { -- /* TMPDIR is overridden for setuid helper, so pass it as cmdline arg */ -- flatpak_bwrap_add_args (bwrap, -- "--setenv", "TMPDIR", g_environ_getenv (bwrap->envp, "TMPDIR"), -- NULL); -- flatpak_bwrap_unset_env (bwrap, "TMPDIR"); -- } -- - /* Must run this before spawning the dbus proxy, to ensure it - ends up in the app cgroup */ - if (!flatpak_run_in_transient_unit (app_id, &my_error)) -@@ -3852,6 +3834,8 @@ flatpak_run_app (const char *app_ref, - command = default_command; - } - -+ flatpak_bwrap_envp_to_args (bwrap); -+ - if 
(!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) - return FALSE; - -@@ -3882,6 +3866,12 @@ flatpak_run_app (const char *app_ref, - /* We use LEAVE_DESCRIPTORS_OPEN to work around dead-lock, see flatpak_close_fds_workaround */ - spawn_flags |= G_SPAWN_LEAVE_DESCRIPTORS_OPEN; - -+ /* flatpak_bwrap_envp_to_args() moved the environment variables to -+ * be set into --setenv instructions in argv, so the environment -+ * in which the bwrap command runs must be empty. */ -+ g_assert (bwrap->envp != NULL); -+ g_assert (bwrap->envp[0] == NULL); -+ - if (!g_spawn_async (NULL, - (char **) bwrap->argv->pdata, - bwrap->envp, -@@ -3909,6 +3899,12 @@ flatpak_run_app (const char *app_ref, - * we do want to allow inheriting fds into flatpak run. */ - flatpak_bwrap_child_setup (bwrap->fds, FALSE); - -+ /* flatpak_bwrap_envp_to_args() moved the environment variables to -+ * be set into --setenv instructions in argv, so the environment -+ * in which the bwrap command runs must be empty. */ -+ g_assert (bwrap->envp != NULL); -+ g_assert (bwrap->envp[0] == NULL); -+ - if (execvpe (flatpak_get_bwrap (), (char **) bwrap->argv->pdata, bwrap->envp) == -1) - { - g_set_error_literal (error, G_IO_ERROR, g_io_error_from_errno (errno), --- -2.29.2 - - -From a1dec4885218f40b03044c82245d5b362c0affeb Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 11 Jan 2021 12:14:48 +0000 -Subject: [PATCH 03/10] tests: Expand coverage for environment variable - overrides - -This checks that `flatpak run --env=` takes precedence over -`flatpak override --env=`, and that environment variables don't get -onto the bwrap command-line (which would be information disclosure -if their values are secret). 
- -Signed-off-by: Simon McVittie -Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 ---- - tests/test-override.sh | 68 +++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 67 insertions(+), 1 deletion(-) - -diff --git a/tests/test-override.sh b/tests/test-override.sh -index 93009ee3..1213bbd4 100755 ---- a/tests/test-override.sh -+++ b/tests/test-override.sh -@@ -12,7 +12,7 @@ reset_overrides () { - assert_file_empty info - } - --echo "1..13" -+echo "1..15" - - setup_repo - install_repo -@@ -65,14 +65,80 @@ reset_overrides - - ${FLATPAK} override --user --env=FOO=BAR org.test.Hello - ${FLATPAK} override --user --env=BAR= org.test.Hello -+# TODO: A future commit will add a way to avoid this ever being present in argv -+${FLATPAK} override --user --env=SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6 org.test.Hello -+# TMPDIR and TZDIR are filtered out by ld.so for setuid processes, -+# so setting these gives us a way to verify that we can pass them through -+# a setuid bwrap (without special-casing them, as we previously did for -+# TMPDIR). 
-+${FLATPAK} override --user --env=TMPDIR=/nonexistent/tmp org.test.Hello -+${FLATPAK} override --user --env=TZDIR=/nonexistent/tz org.test.Hello - ${FLATPAK} override --user --show org.test.Hello > override - - assert_file_has_content override "^\[Environment\]$" - assert_file_has_content override "^FOO=BAR$" - assert_file_has_content override "^BAR=$" -+assert_file_has_content override "^SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6$" -+assert_file_has_content override "^TMPDIR=/nonexistent/tmp$" -+assert_file_has_content override "^TZDIR=/nonexistent/tz$" - - echo "ok override --env" - -+if skip_one_without_bwrap "sandbox environment variables"; then -+ : -+else -+ ${FLATPAK} run --command=bash org.test.Hello \ -+ -c 'echo "FOO=$FOO"; echo "BAR=$BAR"; echo "SECRET_TOKEN=$SECRET_TOKEN"; echo "TMPDIR=$TMPDIR"; echo "TZDIR=$TZDIR"' > out -+ assert_file_has_content out '^FOO=BAR$' -+ assert_file_has_content out '^BAR=$' -+ assert_file_has_content out '^SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6$' -+ # The variables that would be filtered out by a setuid bwrap get set -+ assert_file_has_content out '^TZDIR=/nonexistent/tz$' -+ assert_file_has_content out '^TMPDIR=/nonexistent/tmp$' -+ ${FLATPAK} run --command=cat org.test.Hello -- /proc/1/cmdline > out -+ # The secret doesn't end up in bubblewrap's cmdline where other users -+ # could see it -+ assert_not_file_has_content out 3047225e-5e38-4357-b21c-eac83b7e8ea6 -+ -+ ok "sandbox environment variables" -+fi -+ -+reset_overrides -+ -+if skip_one_without_bwrap "temporary environment variables"; then -+ : -+else -+ ${FLATPAK} override --user --env=FOO=wrong org.test.Hello -+ ${FLATPAK} override --user --env=BAR=wrong org.test.Hello -+ ${FLATPAK} override --user --env=SECRET_TOKEN=wrong org.test.Hello -+ ${FLATPAK} override --user --env=TMPDIR=/nonexistent/wrong org.test.Hello -+ ${FLATPAK} override --user --env=TZDIR=/nonexistent/wrong org.test.Hello -+ ${FLATPAK} override --user --show org.test.Hello > 
override -+ -+ ${FLATPAK} run --command=bash \ -+ --env=FOO=BAR \ -+ --env=BAR= \ -+ --env=SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6 \ -+ --env=TMPDIR=/nonexistent/tmp \ -+ --env=TZDIR=/nonexistent/tz \ -+ org.test.Hello \ -+ -c 'echo "FOO=$FOO"; echo "BAR=$BAR"; echo "SECRET_TOKEN=$SECRET_TOKEN"; echo "TMPDIR=$TMPDIR"; echo "TZDIR=$TZDIR"' > out -+ # The versions from `flatpak run` overrule `flatpak override` -+ assert_file_has_content out '^FOO=BAR$' -+ assert_file_has_content out '^BAR=$' -+ assert_file_has_content out '^SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6$' -+ assert_file_has_content out '^TZDIR=/nonexistent/tz$' -+ assert_file_has_content out '^TMPDIR=/nonexistent/tmp$' -+ ${FLATPAK} run --command=cat org.test.Hello -- /proc/1/cmdline > out -+ # The secret doesn't end up in bubblewrap's cmdline where other users -+ # could see it -+ assert_not_file_has_content out 3047225e-5e38-4357-b21c-eac83b7e8ea6 -+ -+ ok "temporary environment variables" -+fi -+ -+reset_overrides -+ - ${FLATPAK} override --user --filesystem=home org.test.Hello - ${FLATPAK} override --user --filesystem=xdg-desktop/foo:create org.test.Hello - ${FLATPAK} override --user --filesystem=xdg-config:ro org.test.Hello --- -2.29.2 - - -From 1b80c139f02cff6eeec39ecdf1a8f531ab6d7d9b Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Sun, 10 Jan 2021 16:18:58 +0000 -Subject: [PATCH 04/10] context: Add --env-fd option - -This allows environment variables to be added to the context without -making their values visible to processes running under a different uid, -which might be significant if the variable's value is a token or some -other secret value. 
- -Signed-off-by: Simon McVittie -Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 ---- - common/flatpak-context.c | 60 ++++++++++++++++++++++++++++++++++++ - doc/flatpak-build-finish.xml | 18 +++++++++++ - doc/flatpak-build.xml | 18 +++++++++++ - doc/flatpak-override.xml | 18 +++++++++++ - doc/flatpak-run.xml | 18 +++++++++++ - 5 files changed, 132 insertions(+) - -diff --git a/common/flatpak-context.c b/common/flatpak-context.c -index 462134aa..7e1bc46c 100644 ---- a/common/flatpak-context.c -+++ b/common/flatpak-context.c -@@ -1039,6 +1039,65 @@ option_env_cb (const gchar *option_name, - return TRUE; - } - -+static gboolean -+option_env_fd_cb (const gchar *option_name, -+ const gchar *value, -+ gpointer data, -+ GError **error) -+{ -+ FlatpakContext *context = data; -+ g_autoptr(GBytes) env_block = NULL; -+ gsize remaining; -+ const char *p; -+ guint64 fd; -+ gchar *endptr; -+ -+ fd = g_ascii_strtoull (value, &endptr, 10); -+ -+ if (endptr == NULL || *endptr != '\0' || fd > G_MAXINT) -+ return glnx_throw (error, "Not a valid file descriptor: %s", value); -+ -+ env_block = glnx_fd_readall_bytes ((int) fd, NULL, error); -+ -+ if (env_block == NULL) -+ return FALSE; -+ -+ p = g_bytes_get_data (env_block, &remaining); -+ -+ /* env_block might not be \0-terminated */ -+ while (remaining > 0) -+ { -+ size_t len = strnlen (p, remaining); -+ const char *equals; -+ -+ g_assert (len <= remaining); -+ -+ equals = memchr (p, '=', len); -+ -+ if (equals == NULL || equals == p) -+ return glnx_throw (error, -+ "Environment variable must be given in the form VARIABLE=VALUE, not %.*s", (int) len, p); -+ -+ flatpak_context_set_env_var (context, -+ g_strndup (p, equals - p), -+ g_strndup (equals + 1, len - (equals - p) - 1)); -+ p += len; -+ remaining -= len; -+ -+ if (remaining > 0) -+ { -+ g_assert (*p == '\0'); -+ p += 1; -+ remaining -= 1; -+ } -+ } -+ -+ if (fd >= 3) -+ close (fd); -+ -+ return TRUE; -+} -+ - static gboolean - 
option_own_name_cb (const gchar *option_name, - const gchar *value, -@@ -1236,6 +1295,7 @@ static GOptionEntry context_options[] = { - { "filesystem", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_filesystem_cb, N_("Expose filesystem to app (:ro for read-only)"), N_("FILESYSTEM[:ro]") }, - { "nofilesystem", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_nofilesystem_cb, N_("Don't expose filesystem to app"), N_("FILESYSTEM") }, - { "env", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_env_cb, N_("Set environment variable"), N_("VAR=VALUE") }, -+ { "env-fd", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_env_fd_cb, N_("Read environment variables in env -0 format from FD"), N_("FD") }, - { "own-name", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_own_name_cb, N_("Allow app to own name on the session bus"), N_("DBUS_NAME") }, - { "talk-name", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_talk_name_cb, N_("Allow app to talk to name on the session bus"), N_("DBUS_NAME") }, - { "no-talk-name", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_no_talk_name_cb, N_("Don't allow app to talk to name on the session bus"), N_("DBUS_NAME") }, -diff --git a/doc/flatpak-build-finish.xml b/doc/flatpak-build-finish.xml -index d92eeb4d..2e01cd3e 100644 ---- a/doc/flatpak-build-finish.xml -+++ b/doc/flatpak-build-finish.xml -@@ -286,6 +286,24 @@ key=v1;v2; - - - -+ -+ -+ -+ -+ Read environment variables from the file descriptor -+ FD, and set them as if -+ via . This can be used to avoid -+ environment variables and their values becoming visible -+ to other users. -+ -+ Each environment variable is in the form -+ VAR=VALUE -+ followed by a zero byte. This is the same format used by -+ env -0 and -+ /proc/*/environ. 
-+ -+ -+ - - - -diff --git a/doc/flatpak-build.xml b/doc/flatpak-build.xml -index 55e3ec89..e3eb9bc8 100644 ---- a/doc/flatpak-build.xml -+++ b/doc/flatpak-build.xml -@@ -288,6 +288,24 @@ key=v1;v2; - - - -+ -+ -+ -+ -+ Read environment variables from the file descriptor -+ FD, and set them as if -+ via . This can be used to avoid -+ environment variables and their values becoming visible -+ to other users. -+ -+ Each environment variable is in the form -+ VAR=VALUE -+ followed by a zero byte. This is the same format used by -+ env -0 and -+ /proc/*/environ. -+ -+ -+ - - - -diff --git a/doc/flatpak-override.xml b/doc/flatpak-override.xml -index 8f131575..137e1251 100644 ---- a/doc/flatpak-override.xml -+++ b/doc/flatpak-override.xml -@@ -262,6 +262,24 @@ key=v1;v2; - - - -+ -+ -+ -+ -+ Read environment variables from the file descriptor -+ FD, and set them as if -+ via . This can be used to avoid -+ environment variables and their values becoming visible -+ to other users. -+ -+ Each environment variable is in the form -+ VAR=VALUE -+ followed by a zero byte. This is the same format used by -+ env -0 and -+ /proc/*/environ. -+ -+ -+ - - - -diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml -index 5077c1a9..ed157341 100644 ---- a/doc/flatpak-run.xml -+++ b/doc/flatpak-run.xml -@@ -402,6 +402,24 @@ key=v1;v2; - - - -+ -+ -+ -+ -+ Read environment variables from the file descriptor -+ FD, and set them as if -+ via . This can be used to avoid -+ environment variables and their values becoming visible -+ to other users. -+ -+ Each environment variable is in the form -+ VAR=VALUE -+ followed by a zero byte. This is the same format used by -+ env -0 and -+ /proc/*/environ. 
-+ -+ -+ - - - --- -2.29.2 - - -From 6c244791c912fe0c5ae2e140f251dc02c46cc0aa Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Tue, 12 Jan 2021 10:11:51 +0000 -Subject: [PATCH 05/10] portal: Convert --env in extra-args into --env-fd - -This hides overridden variables from the command-line, which means -processes running under other uids can't see them in /proc/*/cmdline, -which might be important if they contain secrets. - -Signed-off-by: Simon McVittie -Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 ---- - portal/flatpak-portal.c | 51 ++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 50 insertions(+), 1 deletion(-) - -diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c -index 060987b7..03ea58cc 100644 ---- a/portal/flatpak-portal.c -+++ b/portal/flatpak-portal.c -@@ -249,6 +249,7 @@ typedef struct - int fd_map_len; - gboolean set_tty; - int tty; -+ int env_fd; - } ChildSetupData; - - static void -@@ -267,6 +268,9 @@ child_setup_func (gpointer user_data) - - flatpak_close_fds_workaround (3); - -+ if (data->env_fd != -1) -+ drop_cloexec (data->env_fd); -+ - /* Unblock all signals */ - sigemptyset (&set); - if (pthread_sigmask (SIG_SETMASK, &set, NULL) == -1) -@@ -553,6 +557,9 @@ handle_spawn (PortalFlatpak *object, - gboolean sandboxed; - gboolean devel; - gboolean expose_pids; -+ g_autoptr(GString) env_string = g_string_new (""); -+ -+ child_setup_data.env_fd = -1; - - if (fd_list != NULL) - fds = g_unix_fd_list_peek_fds (fd_list, &fds_len); -@@ -805,7 +812,49 @@ handle_spawn (PortalFlatpak *object, - else - { - for (i = 0; extra_args != NULL && extra_args[i] != NULL; i++) -- g_ptr_array_add (flatpak_argv, g_strdup (extra_args[i])); -+ { -+ if (g_str_has_prefix (extra_args[i], "--env=")) -+ { -+ const char *var_val = extra_args[i] + strlen ("--env="); -+ -+ if (var_val[0] == '\0' || var_val[0] == '=') -+ { -+ g_warning ("Environment variable in extra-args has empty name"); -+ continue; -+ } -+ -+ if 
(strchr (var_val, '=') == NULL) -+ { -+ g_warning ("Environment variable in extra-args has no value"); -+ continue; -+ } -+ -+ g_string_append (env_string, var_val); -+ g_string_append_c (env_string, '\0'); -+ } -+ else -+ { -+ g_ptr_array_add (flatpak_argv, g_strdup (extra_args[i])); -+ } -+ } -+ } -+ -+ if (env_string->len > 0) -+ { -+ g_auto(GLnxTmpfile) env_tmpf = { 0, }; -+ -+ if (!flatpak_buffer_to_sealed_memfd_or_tmpfile (&env_tmpf, "environ", -+ env_string->str, -+ env_string->len, &error)) -+ { -+ g_dbus_method_invocation_return_gerror (invocation, error); -+ return G_DBUS_METHOD_INVOCATION_HANDLED; -+ } -+ -+ child_setup_data.env_fd = glnx_steal_fd (&env_tmpf.fd); -+ g_ptr_array_add (flatpak_argv, -+ g_strdup_printf ("--env-fd=%d", -+ child_setup_data.env_fd)); - } - - expose_pids = (arg_flags & FLATPAK_SPAWN_FLAGS_EXPOSE_PIDS) != 0; --- -2.29.2 - - -From f1725cd4fc6164d33f7a92bba673e8718655c1f1 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 11 Jan 2021 12:25:50 +0000 -Subject: [PATCH 06/10] tests: Exercise --env-fd - -Signed-off-by: Simon McVittie -Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 ---- - tests/test-override.sh | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/tests/test-override.sh b/tests/test-override.sh -index 1213bbd4..1c7dafd3 100755 ---- a/tests/test-override.sh -+++ b/tests/test-override.sh -@@ -65,14 +65,16 @@ reset_overrides - - ${FLATPAK} override --user --env=FOO=BAR org.test.Hello - ${FLATPAK} override --user --env=BAR= org.test.Hello --# TODO: A future commit will add a way to avoid this ever being present in argv --${FLATPAK} override --user --env=SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6 org.test.Hello -+# --env-fd with terminating \0 (strictly as documented). -+printf '%s\0' "SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6" > env.3 -+# --env-fd without terminating \0 (which we also accept). 
- # TMPDIR and TZDIR are filtered out by ld.so for setuid processes, - # so setting these gives us a way to verify that we can pass them through - # a setuid bwrap (without special-casing them, as we previously did for - # TMPDIR). --${FLATPAK} override --user --env=TMPDIR=/nonexistent/tmp org.test.Hello --${FLATPAK} override --user --env=TZDIR=/nonexistent/tz org.test.Hello -+printf '%s\0%s' "TMPDIR=/nonexistent/tmp" "TZDIR=/nonexistent/tz" > env.4 -+${FLATPAK} override --user --env-fd=3 --env-fd=4 org.test.Hello \ -+ 3 override - - assert_file_has_content override "^\[Environment\]$" -@@ -118,11 +120,11 @@ else - ${FLATPAK} run --command=bash \ - --env=FOO=BAR \ - --env=BAR= \ -- --env=SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6 \ -- --env=TMPDIR=/nonexistent/tmp \ -- --env=TZDIR=/nonexistent/tz \ -+ --env-fd=3 \ -+ --env-fd=4 \ - org.test.Hello \ -- -c 'echo "FOO=$FOO"; echo "BAR=$BAR"; echo "SECRET_TOKEN=$SECRET_TOKEN"; echo "TMPDIR=$TMPDIR"; echo "TZDIR=$TZDIR"' > out -+ -c 'echo "FOO=$FOO"; echo "BAR=$BAR"; echo "SECRET_TOKEN=$SECRET_TOKEN"; echo "TMPDIR=$TMPDIR"; echo "TZDIR=$TZDIR"' \ -+ 3 out - # The versions from `flatpak run` overrule `flatpak override` - assert_file_has_content out '^FOO=BAR$' - assert_file_has_content out '^BAR=$' --- -2.29.2 - - -From adcb3b2608caa1ab6647f59e31a9084ec0b66bbb Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Sun, 10 Jan 2021 16:25:29 +0000 -Subject: [PATCH 07/10] portal: Do not use caller-supplied variables in - environment - -If the caller specifies a variable that can be used to inject arbitrary -code into processes, we must not allow it to enter the environment -block used to run `flatpak run`, which runs unsandboxed. - -This change requires the previous commit "context: Add --env-fd option", -which adds infrastructure used here. 
- -To be secure, this change also requires the previous commit -"run: Convert all environment variables into bwrap arguments", which -protects a non-setuid bwrap(1) from the same attack. - -Signed-off-by: Simon McVittie -Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 ---- - portal/flatpak-portal.c | 28 +++++++++++++++++++++++++++- - 1 file changed, 27 insertions(+), 1 deletion(-) - -diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c -index 03ea58cc..fe8a514f 100644 ---- a/portal/flatpak-portal.c -+++ b/portal/flatpak-portal.c -@@ -760,6 +760,13 @@ handle_spawn (PortalFlatpak *object, - else - env = g_get_environ (); - -+ /* Let the environment variables given by the caller override the ones -+ * from extra_args. Don't add them to @env, because they are controlled -+ * by our caller, which might be trying to use them to inject code into -+ * flatpak(1); add them to the environment block instead. -+ * -+ * We don't use --env= here, so that if the values are something that -+ * should not be exposed to other uids, they can remain confidential. 
*/ - n_envs = g_variant_n_children (arg_envs); - for (i = 0; i < n_envs; i++) - { -@@ -767,7 +774,26 @@ handle_spawn (PortalFlatpak *object, - const char *val = NULL; - g_variant_get_child (arg_envs, i, "{&s&s}", &var, &val); - -- env = g_environ_setenv (env, var, val, TRUE); -+ if (var[0] == '\0') -+ { -+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, -+ G_DBUS_ERROR_INVALID_ARGS, -+ "Environment variable cannot have empty name"); -+ return G_DBUS_METHOD_INVOCATION_HANDLED; -+ } -+ -+ if (strchr (var, '=') != NULL) -+ { -+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, -+ G_DBUS_ERROR_INVALID_ARGS, -+ "Environment variable name cannot contain '='"); -+ return G_DBUS_METHOD_INVOCATION_HANDLED; -+ } -+ -+ g_string_append (env_string, var); -+ g_string_append_c (env_string, '='); -+ g_string_append (env_string, val); -+ g_string_append_c (env_string, '\0'); - } - - g_ptr_array_add (flatpak_argv, g_strdup ("flatpak")); --- -2.29.2 - - -From 1fb13b40cea72ded0ca804a990e84b12454a30a1 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 11 Jan 2021 12:48:01 +0000 -Subject: [PATCH 08/10] tests: Assert that --env= does not go in `flatpak run` - or bwrap environ - -For the portal's use of --env-fd= to be safe, we want the environment -variables that it sets to end up in the environment for the program -that is run by `bwrap` as process 2, but they must not go into the -environment that gets used to run `flatpak run` or `bwrap`. Assert -that this is the case. - -For completeness, we're testing both --env= and --env-fd= here, -even though the earlier commit -"portal: Do not use caller-supplied variables in environment" -always uses --env-fd=. 
- -Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 -Signed-off-by: Simon McVittie ---- - tests/Makefile.am.inc | 10 ++++++++++ - tests/libpreload.c | 31 +++++++++++++++++++++++++++++++ - tests/test-override.sh | 18 ++++++++++++++++++ - 3 files changed, 59 insertions(+) - create mode 100644 tests/libpreload.c - -diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc -index 15f52148..c95ed3bc 100644 ---- a/tests/Makefile.am.inc -+++ b/tests/Makefile.am.inc -@@ -156,6 +156,16 @@ dist_installed_test_data = \ - tests/org.flatpak.Authenticator.test.service.in \ - $(NULL) - -+test_ltlibraries = tests/libpreload.la -+ -+tests_libpreload_la_SOURCES = tests/libpreload.c -+tests_libpreload_la_LDFLAGS = \ -+ -avoid-version \ -+ -module \ -+ -no-undefined \ -+ -rpath $(installed_testdir) \ -+ $(NULL) -+ - installed_test_keyringdir = $(installed_testdir)/test-keyring - installed_test_keyring2dir = $(installed_testdir)/test-keyring2 - -diff --git a/tests/libpreload.c b/tests/libpreload.c -new file mode 100644 -index 00000000..a640a945 ---- /dev/null -+++ b/tests/libpreload.c -@@ -0,0 +1,31 @@ -+/* -+ * Copyright 2021 Collabora Ltd. -+ * SPDX-License-Identifier: LGPL-2-or-later -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+ -+__attribute__((constructor)) static void -+ctor (void) -+{ -+ pid_t me = getpid (); -+ struct stat buf; -+ -+ fprintf (stderr, "LD_PRELOAD module got loaded by process %d\n", me); -+ -+ if (stat ("/.flatpak-info", &buf) == 0) -+ { -+ fprintf (stderr, "OK: pid %d is in a Flatpak sandbox\n", me); -+ } -+ else -+ { -+ /* If the --env=LD_PRELOAD had come from a call to flatpak-portal, -+ * then this would be a sandbox escape (GHSA-4ppf-fxf6-vxg2). 
*/ -+ fprintf (stderr, "Error: pid %d is not in a Flatpak sandbox\n", me); -+ abort (); -+ } -+} -diff --git a/tests/test-override.sh b/tests/test-override.sh -index 1c7dafd3..47416a6d 100755 ---- a/tests/test-override.sh -+++ b/tests/test-override.sh -@@ -3,6 +3,11 @@ - set -euo pipefail - - . $(dirname $0)/libtest.sh -+if [ -e "${test_builddir}/.libs/libpreload.so" ]; then -+ install "${test_builddir}/.libs/libpreload.so" "${test_tmpdir}" -+else -+ install "${test_builddir}/libpreload.so" "${test_tmpdir}" -+fi - - skip_revokefs_without_fuse - -@@ -118,6 +123,7 @@ else - ${FLATPAK} override --user --show org.test.Hello > override - - ${FLATPAK} run --command=bash \ -+ --filesystem="${test_tmpdir}" \ - --env=FOO=BAR \ - --env=BAR= \ - --env-fd=3 \ -@@ -136,6 +142,18 @@ else - # could see it - assert_not_file_has_content out 3047225e-5e38-4357-b21c-eac83b7e8ea6 - -+ # libpreload.so will abort() if it gets loaded into the `flatpak run` -+ # or `bwrap` processes, so if this succeeds, everything's OK -+ ${FLATPAK} run --command=bash \ -+ --filesystem="${test_tmpdir}" \ -+ --env=LD_PRELOAD="${test_tmpdir}/libpreload.so" \ -+ org.test.Hello -c '' -+ printf '%s\0' "LD_PRELOAD=${test_tmpdir}/libpreload.so" > env.ldpreload -+ ${FLATPAK} run --command=bash \ -+ --filesystem="${test_tmpdir}" \ -+ --env-fd=3 \ -+ org.test.Hello -c '' 3 -Date: Mon, 18 Jan 2021 17:52:13 +0000 -Subject: [PATCH 09/10] build: Convert environment into a sequence of bwrap - arguments - -This means we can systematically pass the environment variables -through bwrap(1), even if it is setuid and thus is filtering out -security-sensitive environment variables. bwrap itself ends up being -run with an empty environment instead. 
- -This fixes a regression when CVE-2021-21261 was fixed: before the -CVE fixes, LD_LIBRARY_PATH would have been passed through like this -and appeared in the `flatpak build` shell, but during the CVE fixes, -the special case that protected LD_LIBRARY_PATH was removed in favour -of the more general flatpak_bwrap_envp_to_args(). That reasoning only -works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere -that we run the potentially-setuid bwrap. - -Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" -Resolves: https://github.com/flatpak/flatpak/issues/4080 -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323 -Signed-off-by: Simon McVittie ---- - app/flatpak-builtins-build.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c -index 5ecd2ef3..8616f3c8 100644 ---- a/app/flatpak-builtins-build.c -+++ b/app/flatpak-builtins-build.c -@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError - NULL); - } - -+ flatpak_bwrap_envp_to_args (bwrap); -+ - if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) - return FALSE; - --- -2.29.2 - - -From f830b97e81a626a43b160ccb5dad4fe934ab03fa Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 18 Jan 2021 18:07:38 +0000 -Subject: [PATCH 10/10] dir: Pass environment via bwrap --setenv when running - apply_extra - -This means we can systematically pass the environment variables -through bwrap(1), even if it is setuid and thus is filtering out -security-sensitive environment variables. bwrap ends up being -run with an empty environment instead. - -As with the previous commit, this regressed while fixing CVE-2021-21261. 
- -Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" -Signed-off-by: Simon McVittie ---- - common/flatpak-dir.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index c3ab8bcf..030b8a31 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -7751,6 +7751,8 @@ apply_extra_data (FlatpakDir *self, - app_context, NULL, NULL, NULL, cancellable, error)) - return FALSE; - -+ flatpak_bwrap_envp_to_args (bwrap); -+ - flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra"); - - flatpak_bwrap_finish (bwrap); --- -2.29.2 - diff --git a/SOURCES/flatpak-1.6.2-oci-fixes.patch b/SOURCES/flatpak-1.6.2-oci-fixes.patch deleted file mode 100644 index c2c6550..0000000 --- a/SOURCES/flatpak-1.6.2-oci-fixes.patch +++ /dev/null 
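Review bot: Removing SOURCES/flatpak-1.6.2-fix-CVE-2021-21261.patch is only safe if the flatpak-1.8.5.tar.xz now pinned in .flatpak.metadata carries all ten backported commits, including the two follow-up regression fixes for `flatpak build` and apply_extra ("Fixes: 6d1773d2", patches 09/10) that landed after the advisory itself, and nothing visible in this part of the diff (no spec or changelog hunk) records that check. Before merging, it is worth confirming in the 1.8.5 tree that common/flatpak-bwrap.c defines flatpak_bwrap_envp_to_args() and that both app/flatpak-builtins-build.c and common/flatpak-dir.c call it, and that the `env-fd` entry is present in context_options in common/flatpak-context.c. The same provenance check applies to the other two deleted backports, SOURCES/3845.patch (runtime/ appstream extraction) and SOURCES/flatpak-1.6.2-oci-fixes.patch (default `repository:%s:pull` token scope and anonymous token lookup), whose hunk continues past the end of this page. A changelog line naming the upstream commits or release that supersedes each dropped patch would make the removal auditable later.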
@@ -1,161 +0,0 @@ -diff -urN flatpak-1.6.2/common/flatpak-oci-registry.c flatpak-1.6.2.new/common/flatpak-oci-registry.c ---- flatpak-1.6.2/common/flatpak-oci-registry.c 2019-12-20 09:52:17.000000000 +0000 -+++ flatpak-1.6.2.new/common/flatpak-oci-registry.c 2020-03-20 12:01:39.923000000 +0000 -@@ -901,6 +901,7 @@ - - static char * - get_token_for_www_auth (FlatpakOciRegistry *self, -+ const char *repository, - const char *www_authenticate, - const char *auth, - GCancellable *cancellable, -@@ -911,6 +912,7 @@ - g_autoptr(GHashTable) params = NULL; - g_autoptr(GHashTable) args = NULL; - const char *realm, *service, *scope, *token; -+ g_autofree char *default_scope = NULL; - g_autoptr(SoupURI) auth_uri = NULL; - g_autoptr(GBytes) body = NULL; - g_autoptr(JsonNode) json = NULL; -@@ -941,16 +943,21 @@ - service = g_hash_table_lookup (params, "service"); - if (service) - g_hash_table_insert (args, "service", (char *)service); -+ - scope = g_hash_table_lookup (params, "scope"); -- if (scope) -- g_hash_table_insert (args, "scope", (char *)scope); -+ if (scope == NULL) -+ scope = default_scope = g_strdup_printf("repository:%s:pull", repository); -+ g_hash_table_insert (args, "scope", (char *)scope); - - soup_uri_set_query_from_form (auth_uri, args); - - auth_msg = soup_message_new_from_uri ("GET", auth_uri); - -- g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth); -- soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth); -+ if (auth) -+ { -+ g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth); -+ soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth); -+ } - - auth_stream = soup_session_send (self->soup_session, auth_msg, NULL, error); - if (auth_stream == NULL) -@@ -1030,7 +1037,7 @@ - return NULL; - } - -- token = get_token_for_www_auth (self, www_authenticate, basic_auth, cancellable, error); -+ token = get_token_for_www_auth (self, repository, www_authenticate, basic_auth, 
cancellable, error); - if (token == NULL) - return NULL; - -diff -urN flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c ---- flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c 2019-12-19 09:33:40.000000000 +0000 -+++ flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c 2020-03-20 12:01:39.936000000 +0000 -@@ -428,10 +428,12 @@ - g_autoptr(GError) error = NULL; - g_autoptr(AutoFlatpakAuthenticatorRequest) request = NULL; - const char *auth = NULL; -+ gboolean have_auth; - const char *oci_registry_uri = NULL; - gsize n_refs, i; - gboolean no_interaction = FALSE; - g_autoptr(FlatpakOciRegistry) registry = NULL; -+ g_autofree char *first_token = NULL; - GVariantBuilder tokens; - GVariantBuilder results; - g_autofree char *sender = g_strdup (g_dbus_method_invocation_get_sender (invocation)); -@@ -439,6 +441,7 @@ - g_debug ("handling Authenticator.RequestRefTokens"); - - g_variant_lookup (arg_authenticator_options, "auth", "&s", &auth); -+ have_auth = auth != NULL; - - if (!g_variant_lookup (arg_options, "xa.oci-registry-uri", "&s", &oci_registry_uri)) - { -@@ -476,18 +479,33 @@ - return error_request (request, sender, error->message); - - -- if (auth == NULL) -+ /* Look up credentials in config files */ -+ if (!have_auth) - { - g_debug ("Looking for %s in auth info", oci_registry_uri); - auth = lookup_auth_from_config (oci_registry_uri); -+ have_auth = auth != NULL; - } - -+ /* Try to see if we can get a token without presenting credentials */ - n_refs = g_variant_n_children (arg_refs); -- if (auth == NULL && n_refs > 0 && -+ if (!have_auth && n_refs > 0) -+ { -+ g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0); -+ -+ first_token = get_token_for_ref (registry, ref_data, NULL, &error); -+ if (first_token != NULL) -+ have_auth = TRUE; -+ else -+ g_clear_error (&error); -+ } -+ -+ /* Prompt the user for credentials */ -+ n_refs = g_variant_n_children 
(arg_refs); -+ if (!have_auth && n_refs > 0 && - !no_interaction) - { - g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0); -- g_autofree char *token = NULL; - - while (auth == NULL) - { -@@ -498,13 +516,21 @@ - if (test_auth == NULL) - return cancel_request (request, sender); - -- token = get_token_for_ref (registry, ref_data, test_auth, &error); -- if (token != NULL) -- auth = g_steal_pointer (&test_auth); -+ first_token = get_token_for_ref (registry, ref_data, test_auth, &error); -+ if (first_token != NULL) -+ { -+ auth = g_steal_pointer (&test_auth); -+ have_auth = TRUE; -+ } -+ else -+ { -+ g_debug ("Failed to get token: %s", error->message); -+ g_clear_error (&error); -+ } - } - } - -- if (auth == NULL) -+ if (!have_auth) - return error_request (request, sender, "No authentication information available"); - - g_variant_builder_init (&tokens, G_VARIANT_TYPE ("a{sas}")); -@@ -515,9 +541,16 @@ - char *for_refs_strv[2] = { NULL, NULL}; - g_autofree char *token = NULL; - -- token = get_token_for_ref (registry, ref_data, auth, &error); -- if (token == NULL) -- return error_request (request, sender, error->message); -+ if (i == 0 && first_token != NULL) -+ { -+ token = g_steal_pointer (&first_token); -+ } -+ else -+ { -+ token = get_token_for_ref (registry, ref_data, auth, &error); -+ if (token == NULL) -+ return error_request (request, sender, error->message); -+ } - - g_variant_get_child (ref_data, 0, "&s", &for_refs_strv[0]); - g_variant_builder_add (&tokens, "{s^as}", token, for_refs_strv); diff --git a/SOURCES/flatpak-1.6.2-oci-fixes2.patch b/SOURCES/flatpak-1.6.2-oci-fixes2.patch deleted file mode 100644 index fe91e75..0000000 --- a/SOURCES/flatpak-1.6.2-oci-fixes2.patch +++ /dev/null 
@@ -1,322 +0,0 @@ -From 1b9a64e943e2233e009e01a08191b4c17580b3f6 Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Mon, 4 May 2020 13:00:35 +0200 -Subject: [PATCH 1/7] oci authenticator: Accept the right docker manifest when - authenticating - -Without this I got for the fedora registry: - -``` -getting token for https://registry.fedoraproject.org/v2/f32/flatpak-runtime/manifests/sha256:bd83b4f6974094848efac22b933419c1dbe11b553def148a82f821faf595de8a -F: Anonymous authentication failed: Unexpected response status 404 from repo -``` - -(cherry picked from commit 1ee132e70e5d0cb5fa0e022c2271f76bcfd03054) ---- - common/flatpak-oci-registry.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c -index 2505771ee..ae363bc1a 100644 ---- a/common/flatpak-oci-registry.c -+++ b/common/flatpak-oci-registry.c -@@ -1015,6 +1015,9 @@ flatpak_oci_registry_get_token (FlatpakOciRegistry *self, - - msg = soup_message_new_from_uri ("HEAD", uri); - -+ soup_message_headers_replace (msg->request_headers, "Accept", -+ FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST ", " FLATPAK_DOCKER_MEDIA_TYPE_IMAGE_MANIFEST2); -+ - stream = soup_session_send (self->soup_session, msg, NULL, error); - if (stream == NULL) - return NULL; - -From 0d4deebbd5855ceef1cdb5bac3d5c6fb630dc29e Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Mon, 4 May 2020 12:35:16 +0200 -Subject: [PATCH 2/7] By default, always try to auth to OCI remotes - -This makes for instance docker hub work. 
- -(cherry picked from commit fdfcae7a91e3af207c4acec918276511f112cafe) ---- - common/flatpak-auth.c | 4 ++++ - common/flatpak-dir.c | 5 +++++ - 2 files changed, 9 insertions(+) - -diff --git a/common/flatpak-auth.c b/common/flatpak-auth.c -index 9d0f689fc..9e45da41e 100644 ---- a/common/flatpak-auth.c -+++ b/common/flatpak-auth.c -@@ -49,6 +49,10 @@ flatpak_auth_new_for_remote (FlatpakDir *dir, - if (!ostree_repo_get_remote_option (repo, remote, FLATPAK_REMOTE_CONFIG_AUTHENTICATOR_NAME, NULL, &name, error)) - return NULL; - } -+ -+ if (name == NULL && flatpak_dir_get_remote_oci (dir, remote)) -+ name = g_strdup ("org.flatpak.Authenticator.Oci"); -+ - if (name == NULL || *name == 0 /* or if no repo */) - { - flatpak_fail (error, _("No authenticator configured for remote `%s`"), remote); -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 2c8e12eaf..19de4fd38 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -11233,6 +11233,11 @@ _flatpak_dir_get_remote_state (FlatpakDir *self, - } - } - -+ if (flatpak_dir_get_remote_oci (self, remote_or_uri)) -+ { -+ state->default_token_type = 1; -+ } -+ - if (state->collection_id == NULL) - { - if (state->summary != NULL) /* In the optional case we might not have a summary */ - -From 77e4db40f40a92f4f7e0ddb21ae367e9a0af9cb4 Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Fri, 8 May 2020 15:09:02 +0200 -Subject: [PATCH 3/7] oci: Add flatpak_oci_registry_is_local() - -(cherry picked from commit d4962628aa8db6132e98660fe52aa5a9ac5d3637) ---- - common/flatpak-oci-registry-private.h | 1 + - common/flatpak-oci-registry.c | 6 ++++++ - 2 files changed, 7 insertions(+) - -diff --git a/common/flatpak-oci-registry-private.h b/common/flatpak-oci-registry-private.h -index 1804e43b6..6745c5f65 100644 ---- a/common/flatpak-oci-registry-private.h -+++ b/common/flatpak-oci-registry-private.h -@@ -62,6 +62,7 @@ FlatpakOciRegistry * flatpak_oci_registry_new (const char *uri, - GError **error); - void 
flatpak_oci_registry_set_token (FlatpakOciRegistry *self, - const char *token); -+gboolean flatpak_oci_registry_is_local (FlatpakOciRegistry *self); - const char * flatpak_oci_registry_get_uri (FlatpakOciRegistry *self); - FlatpakOciIndex * flatpak_oci_registry_load_index (FlatpakOciRegistry *self, - GCancellable *cancellable, -diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c -index ae363bc1a..fdeee56bd 100644 ---- a/common/flatpak-oci-registry.c -+++ b/common/flatpak-oci-registry.c -@@ -205,6 +205,12 @@ flatpak_oci_registry_init (FlatpakOciRegistry *self) - self->tmp_dfd = -1; - } - -+gboolean -+flatpak_oci_registry_is_local (FlatpakOciRegistry *self) -+{ -+ return self->dfd != -1; -+} -+ - const char * - flatpak_oci_registry_get_uri (FlatpakOciRegistry *self) - { - -From 3deeea1ad50b469f7daaca7e2e0d7ba9c5efc26e Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Fri, 8 May 2020 15:10:38 +0200 -Subject: [PATCH 4/7] oci: Set token on child oci registry and pass to - system-helper - -When we create a system child registry we also set the current token on -it. This is not used directly in the client, however its saved in a -file called .token and re-read in the system-helper, allowing it to -also do the remote registry operations it needs to verify the child -registry. 
- -(cherry picked from commit 5d8fd2d1be914a26e128ab97be6f00e9c34bfa9d) ---- - common/flatpak-dir.c | 8 ++++++-- - common/flatpak-oci-registry.c | 15 +++++++++++++++ - 2 files changed, 21 insertions(+), 2 deletions(-) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 19de4fd38..25f874ecf 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -92,6 +92,7 @@ G_DEFINE_AUTOPTR_CLEANUP_FUNC (AutoPolkitSubject, g_object_unref) - - static FlatpakOciRegistry *flatpak_dir_create_system_child_oci_registry (FlatpakDir *self, - GLnxLockFile *file_lock, -+ const char *token, - GError **error); - - static OstreeRepo * flatpak_dir_create_child_repo (FlatpakDir *self, -@@ -8602,6 +8603,7 @@ flatpak_dir_deploy_update (FlatpakDir *self, - static FlatpakOciRegistry * - flatpak_dir_create_system_child_oci_registry (FlatpakDir *self, - GLnxLockFile *file_lock, -+ const char *token, - GError **error) - { - g_autoptr(GFile) cache_dir = NULL; -@@ -8636,6 +8638,8 @@ flatpak_dir_create_system_child_oci_registry (FlatpakDir *self, - if (new_registry == NULL) - return NULL; - -+ flatpak_oci_registry_set_token (new_registry, token); -+ - return g_steal_pointer (&new_registry); - } - -@@ -8952,7 +8956,7 @@ flatpak_dir_install (FlatpakDir *self, - g_autoptr(FlatpakOciRegistry) registry = NULL; - g_autoptr(GFile) registry_file = NULL; - -- registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, error); -+ registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, token, error); - if (registry == NULL) - return FALSE; - -@@ -9662,7 +9666,7 @@ flatpak_dir_update (FlatpakDir *self, - g_autoptr(FlatpakOciRegistry) registry = NULL; - g_autoptr(GFile) registry_file = NULL; - -- registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, error); -+ registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, token, error); - if (registry == NULL) - return FALSE; - -diff --git 
a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c -index fdeee56bd..c3ddb8c2b 100644 ---- a/common/flatpak-oci-registry.c -+++ b/common/flatpak-oci-registry.c -@@ -223,8 +223,15 @@ flatpak_oci_registry_set_token (FlatpakOciRegistry *self, - { - g_free (self->token); - self->token = g_strdup (token); -+ -+ if (self->token) -+ (void)glnx_file_replace_contents_at (self->dfd, ".token", -+ (guchar *)self->token, -+ strlen (self->token), -+ 0, NULL, NULL); - } - -+ - FlatpakOciRegistry * - flatpak_oci_registry_new (const char *uri, - gboolean for_write, -@@ -415,6 +422,7 @@ flatpak_oci_registry_ensure_local (FlatpakOciRegistry *self, - int dfd; - g_autoptr(GError) local_error = NULL; - g_autoptr(GBytes) oci_layout_bytes = NULL; -+ g_autoptr(GBytes) token_bytes = NULL; - gboolean not_json; - - if (self->dfd != -1) -@@ -476,6 +484,13 @@ flatpak_oci_registry_ensure_local (FlatpakOciRegistry *self, - else if (!verify_oci_version (oci_layout_bytes, ¬_json, cancellable, error)) - return FALSE; - -+ if (self->dfd != -1) -+ { -+ token_bytes = local_load_file (self->dfd, ".token", cancellable, NULL); -+ if (token_bytes != NULL) -+ self->token = g_strndup (g_bytes_get_data (token_bytes, NULL), g_bytes_get_size (token_bytes)); -+ } -+ - if (self->dfd == -1 && local_dfd != -1) - self->dfd = glnx_steal_fd (&local_dfd); - - -From 36f87863baa848c8709b75958c85857f45e97e0a Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Thu, 11 Jun 2020 15:43:16 +0200 -Subject: [PATCH 5/7] OCI: Also look for the docker media type when looking - manifests - -We handle both types, so look for both. 
- -(cherry picked from commit 0fdec95fe068cd497b1c5a5b60d21103c711d2a4) ---- - common/flatpak-json-oci.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/common/flatpak-json-oci.c b/common/flatpak-json-oci.c -index 6d60279d0..f5b3f0a0c 100644 ---- a/common/flatpak-json-oci.c -+++ b/common/flatpak-json-oci.c -@@ -469,7 +469,8 @@ const char * - flatpak_oci_manifest_descriptor_get_ref (FlatpakOciManifestDescriptor *m) - { - if (m->parent.mediatype == NULL || -- strcmp (m->parent.mediatype, FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST) != 0) -+ (strcmp (m->parent.mediatype, FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST) != 0 && -+ strcmp (m->parent.mediatype, FLATPAK_DOCKER_MEDIA_TYPE_IMAGE_MANIFEST2) != 0)) - return NULL; - - if (m->parent.annotations == NULL) - -From 0da4a6c82c16d4560d4931d567e2685efd8dff0d Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Mon, 4 May 2020 15:51:48 +0200 -Subject: [PATCH 6/7] tests: Make OCI authenticator available - -(cherry picked from commit 4d79110cb682b79819913aa6ce033cb7a7787c86) ---- - tests/Makefile.am.inc | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc -index 7c2e8271f..15f521485 100644 ---- a/tests/Makefile.am.inc -+++ b/tests/Makefile.am.inc -@@ -105,11 +105,15 @@ tests/services/org.flatpak.Authenticator.test.service: tests/org.flatpak.Authent - mkdir -p tests/services - $(AM_V_GEN) $(SED) -e "s|\@libexecdir\@|$(abs_top_builddir)/tests|" $< > $@ - -+tests/services/org.flatpak.Authenticator.Oci.service: oci-authenticator/org.flatpak.Authenticator.Oci.service.in -+ mkdir -p tests/services -+ $(AM_V_GEN) $(SED) -e "s|\@libexecdir\@|$(abs_top_builddir)|" $< > $@ -+ - tests/share/xdg-desktop-portal/portals/test.portal: tests/test.portal.in - mkdir -p tests/share/xdg-desktop-portal/portals - $(AM_V_GEN) install -m644 $< $@ - --tests/libtest.sh: tests/services/org.freedesktop.Flatpak.service 
tests/services/org.freedesktop.Flatpak.SystemHelper.service tests/services/org.freedesktop.portal.Flatpak.service tests/share/xdg-desktop-portal/portals/test.portal tests/services/org.freedesktop.impl.portal.desktop.test.service tests/services/org.flatpak.Authenticator.test.service -+tests/libtest.sh: tests/services/org.freedesktop.Flatpak.service tests/services/org.freedesktop.Flatpak.SystemHelper.service tests/services/org.freedesktop.portal.Flatpak.service tests/share/xdg-desktop-portal/portals/test.portal tests/services/org.freedesktop.impl.portal.desktop.test.service tests/services/org.flatpak.Authenticator.test.service tests/services/org.flatpak.Authenticator.Oci.service - - install-test-data-hook: - if ENABLE_INSTALLED_TESTS -@@ -223,6 +227,7 @@ DISTCLEANFILES += \ - tests/services/org.freedesktop.portal.Flatpak.service \ - tests/services/org.freedesktop.impl.portal.desktop.test.service \ - tests/services/org.flatpak.Authenticator.test.service \ -+ tests/services/org.flatpak.Authenticator.Oci.service \ - tests/share/xdg-desktop-portal/portals/test.portal \ - tests/package_version.txt \ - $(NULL) - -From 8fb4369439e57cc25c706610c5ce1ee776220278 Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Mon, 4 May 2020 15:51:59 +0200 -Subject: [PATCH 7/7] Tests: Support HEAD requests in oci-registry-server - -This just does a GET, which is not quite right, but will work. -This is needed for the authenticator. 
- -(cherry picked from commit 530475b9abff81d990424ca46ec57458e1bb9604) ---- - tests/oci-registry-server.py | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/tests/oci-registry-server.py b/tests/oci-registry-server.py -index 23c2db916..33c3b646b 100755 ---- a/tests/oci-registry-server.py -+++ b/tests/oci-registry-server.py -@@ -135,6 +135,9 @@ def do_GET(self): - else: - self.wfile.write(response_string.encode('utf-8')) - -+ def do_HEAD(self): -+ return self.do_GET() -+ - def do_POST(self): - if self.check_route('/testing/@repo_name/@tag'): - repo_name = self.matches['repo_name'] diff --git a/SOURCES/flatpak-1.6.2-fix-CVE-2021-21381.patch b/SOURCES/flatpak-1.8.5-fix-CVE-2021-21381.patch similarity index 100% rename from SOURCES/flatpak-1.6.2-fix-CVE-2021-21381.patch rename to SOURCES/flatpak-1.8.5-fix-CVE-2021-21381.patch diff --git a/SOURCES/flatpak-1.8.5-post-cve-fixes.patch b/SOURCES/flatpak-1.8.5-post-cve-fixes.patch new file mode 100644 index 0000000..a5ee71c --- /dev/null +++ b/SOURCES/flatpak-1.8.5-post-cve-fixes.patch 
@@ -0,0 +1,73 @@ +From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Mon, 18 Jan 2021 17:52:13 +0000 +Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments + +This means we can systematically pass the environment variables +through bwrap(1), even if it is setuid and thus is filtering out +security-sensitive environment variables. bwrap itself ends up being +run with an empty environment instead. + +This fixes a regression when CVE-2021-21261 was fixed: before the +CVE fixes, LD_LIBRARY_PATH would have been passed through like this +and appeared in the `flatpak build` shell, but during the CVE fixes, +the special case that protected LD_LIBRARY_PATH was removed in favour +of the more general flatpak_bwrap_envp_to_args(). That reasoning only +works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere +that we run the potentially-setuid bwrap. + +Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" +Resolves: https://github.com/flatpak/flatpak/issues/4080 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323 +Signed-off-by: Simon McVittie +(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0) +--- + app/flatpak-builtins-build.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c +index 8da0de814..07ef6fc07 100644 +--- a/app/flatpak-builtins-build.c ++++ b/app/flatpak-builtins-build.c +@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError + NULL); + } + ++ flatpak_bwrap_envp_to_args (bwrap); ++ + if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) + return FALSE; + +From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Mon, 18 Jan 2021 18:07:38 +0000 +Subject: [PATCH] dir: Pass environment via bwrap --setenv when running + apply_extra + +This means we can 
systematically pass the environment variables +through bwrap(1), even if it is setuid and thus is filtering out +security-sensitive environment variables. bwrap ends up being +run with an empty environment instead. + +As with the previous commit, this regressed while fixing CVE-2021-21261. + +Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" +Signed-off-by: Simon McVittie +(cherry picked from commit fb473cad801c6b61706353256cab32330557374a) +--- + common/flatpak-dir.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index ed1248e74..40767fa77 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir *self, + app_context, NULL, NULL, NULL, cancellable, error)) + return FALSE; + ++ flatpak_bwrap_envp_to_args (bwrap); ++ + flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra"); + + flatpak_bwrap_finish (bwrap); diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec index 8304f38..9c93d27 100644 --- a/SPECS/flatpak.spec +++ b/SPECS/flatpak.spec 
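Review bot: The apply_extra_data hunk in common/flatpak-dir.c inserts `flatpak_bwrap_envp_to_args (bwrap);` but, unlike the flatpak-builtins-build.c hunk, shows no `flatpak_bwrap_bundle_args` call before `flatpak_bwrap_finish (bwrap);`, so if this invocation is never bundled the converted `--setenv` pairs stay on bwrap's command line instead of in the memfd/temporary file that keeps them out of argv. Environment values on the command line are readable by other local users through the process listing, which is the exposure the bundling step exists to avoid; confirm whether bundling happens later in apply_extra_data or is deliberately skipped here. Either way a short comment at the new call stating where the arguments are bundled (or why they need not be) would save the next reader the same check. The enclosing apply_extra_data body begins and ends outside the hunk.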
@@ -2,24 +2,17 @@ %global ostree_version 2018.9 Name: flatpak -Version: 1.6.2 -Release: 6%{?dist} +Version: 1.8.5 +Release: 3%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz -# https://bugzilla.redhat.com/show_bug.cgi?id=1814045 -Patch0: flatpak-1.6.2-oci-fixes.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1847201 -Patch1: flatpak-1.6.2-oci-fixes2.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1878231 -# https://github.com/flatpak/flatpak/pull/3845 -Patch2: 3845.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1918774 -Patch3: flatpak-1.6.2-fix-CVE-2021-21261.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1938062 -Patch4: flatpak-1.6.2-fix-CVE-2021-21381.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1918776 +Patch0: flatpak-1.8.5-post-cve-fixes.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1938063 +Patch1: flatpak-1.8.5-fix-CVE-2021-21381.patch BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(dconf) @@ -33,6 +26,7 @@ BuildRequires: pkgconfig(libseccomp) BuildRequires: pkgconfig(libsoup-2.4) BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libxml-2.0) >= 2.4 +BuildRequires: pkgconfig(libzstd) >= 0.8.1 BuildRequires: pkgconfig(ostree-1) >= %{ostree_version} BuildRequires: pkgconfig(polkit-gobject-1) BuildRequires: pkgconfig(xau) @@ -43,7 +37,9 @@ BuildRequires: docbook-style-xsl BuildRequires: gettext BuildRequires: gpgme-devel BuildRequires: libcap-devel +BuildRequires: python3-pyparsing BuildRequires: systemd +BuildRequires: /usr/bin/python3 BuildRequires: /usr/bin/xmlto BuildRequires: /usr/bin/xsltproc 
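Review bot: Patch1 now points at flatpak-1.8.5-fix-CVE-2021-21381.patch, which this commit produces by a 100%-similarity rename of the 1.6.2 patch, so its hunks were generated against 1.6.2 sources. The two post-CVE patches on this page show how far the files have moved between releases (the apply_extra_data hunk sits at `@@ -7751,6 +7751,8 @@` in the 1.6.2 patch but `@@ -7426,6 +7426,8 @@` in the 1.8.5 one), so it is worth confirming in a scratch build that the renamed patch applies without fuzz under the %prep used here, which is outside the hunk. The comment above Patch0 names only a Bugzilla id; adding the upstream commit ids the patch carries, e.g. `# Upstream 93ecea34 and f91857c0, post-CVE-2021-21261 regression fixes`, would make it easier to tell when a later rebase can drop it.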
@@ -192,8 +188,7 @@ fi %{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service %{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service %{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service -# Co-own directory. -%{_datadir}/gdm/env.d +%{_datadir}/fish %{_datadir}/%{name} %{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy %{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules @@ -214,6 +209,7 @@ fi %{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf %{_sysconfdir}/flatpak/remotes.d %{_sysconfdir}/profile.d/flatpak.sh +%{_sysusersdir}/flatpak.conf %{_unitdir}/flatpak-system-helper.service %{_userunitdir}/flatpak-oci-authenticator.service %{_userunitdir}/flatpak-portal.service @@ -248,11 +244,20 @@ fi %changelog -* Mon Mar 22 2021 David King - 1.6.2-6 -- Fix CVE-2021-21381 (#1938062) +* Mon Mar 22 2021 David King - 1.8.5-3 +- Fix CVE-2021-21381 (#1938063) -* Tue Jan 26 2021 David King - 1.6.2-5 -- Fix CVE-2021-21261 (#1918774) +* Mon Jan 25 2021 David King - 1.8.5-2 +- Apply post-release CVE fixes (#1918776) + +* Thu Jan 14 2021 David King - 1.8.5-1 +- Rebase to 1.8.5 (#1851958) + +* Tue Nov 17 2020 David King - 1.8.3-1 +- Rebase to 1.8.3 (#1851958) + +* Mon Oct 05 2020 David King - 1.8.2-1 +- Rebase to 1.8.2 (#1851958) * Mon Sep 14 2020 Kalev Lember - 1.6.2-4 - OCI: extract appstream data for runtimes (#1878231)
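Review bot: `%{_datadir}/fish` in the %files hunk at `@@ -192,8 +188,7 @@` replaces `%{_datadir}/gdm/env.d` but drops the `# Co-own directory.` comment that explained the previous entry, and as a bare directory path it claims the directory and everything under it recursively. If the intent is the same co-ownership as before, keep a `# Co-own directory.` line above it, and consider listing only the file flatpak installs there (the installed path is not visible in this diff). The `%{_sysusersdir}/flatpak.conf` addition in the next hunk implies the system user is now created by systemd-sysusers; whether an older `%pre` useradd scriptlet still exists in the spec cannot be seen here and should be checked so the two mechanisms do not disagree. The changelog hunk replaces the 1.6.2-5 and 1.6.2-6 entries rather than appending after them, which is fine for a branch rebase but drops the record that the same two CVEs were fixed on the 1.6.2 line.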