From 2591b14abf17afd32f128eaba242c1354c8c1ace Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Tue, 11 Jul 2023 22:23:09 +0200 Subject: [PATCH] Rebase to 1.10.8 (CVE-2023-28100 and CVE-2023-28101) The gpgme dependency was simplified to prefer pkg-config on distributions released after 2016, as opposed to gpgme-config [1]. Unfortunately, on RHEL 8, gpgme-devel doesn't pull in libassuan-devel even though gpgme.pc refers to it [2]: $ pkg-config --cflags --libs gpgme -I/usr/include/libassuan2 -lgpgme -lgpg-error -lassuan ... and libassuan-devel itself doesn't provide a libassuan.pc. Last time when flatpak-1.10.7 was built for RHEL 8.7, something was pulling python36 into the buildroot. Now, on RHEL 8.9, something is pulling python3.11 into the buildroot, and that requires the python3.11-pyparsing RPM. [1] Flatpak commit f1dd7d6076645b06 https://github.com/flatpak/flatpak/commit/f1dd7d6076645b06 [2] https://bugzilla.redhat.com/show_bug.cgi?id=2222124 Resolves: #2180311, #2222103
---
 .gitignore | 1 +
 flatpak.spec | 11 ++++++++---
 sources | 2 +-
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index d9ac4b5..cc54d03 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 SOURCES/flatpak-1.10.7.tar.xz
 /flatpak-1.10.7.tar.xz
+/flatpak-1.10.8.tar.xz
diff --git a/flatpak.spec b/flatpak.spec
index 9e50902..1e5023d 100644
--- a/flatpak.spec
+++ b/flatpak.spec
@@ -2,7 +2,7 @@
 %global ostree_version 2020.8
 Name: flatpak
-Version: 1.10.7
+Version: 1.10.8
 Release: 1%{?dist}
 Summary: Application deployment framework for desktop apps
@@ -16,6 +16,7 @@ BuildRequires: pkgconfig(fuse)
 BuildRequires: pkgconfig(gdk-pixbuf-2.0)
 BuildRequires: pkgconfig(gio-unix-2.0)
 BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
+BuildRequires: pkgconfig(gpgme)
 BuildRequires: pkgconfig(json-glib-1.0)
 BuildRequires: pkgconfig(libarchive) >= 2.8.0
 BuildRequires: pkgconfig(libseccomp)
@@ -31,9 +32,9 @@ BuildRequires: bubblewrap >= %{bubblewrap_version}
 BuildRequires: docbook-dtds
 BuildRequires: docbook-style-xsl
 BuildRequires: gettext
-BuildRequires: gpgme-devel
+BuildRequires: libassuan-devel
 BuildRequires: libcap-devel
-BuildRequires: python3-pyparsing
+BuildRequires: python3.11-pyparsing
 BuildRequires: systemd
 BuildRequires: /usr/bin/python3
 BuildRequires: /usr/bin/xmlto
@@ -245,6 +246,10 @@ fi
 %changelog
+* Tue Jul 11 2023 Debarshi Ray - 1.10.8-1
+- Rebase to 1.10.8 (#2222103)
+- Fix CVE-2023-28100 and CVE-2023-28101 (#2180311)
+
 * Wed Mar 09 2022 Debarshi Ray - 1.10.7-1
 - Rebase to 1.10.7 (#2062417)
diff --git a/sources b/sources
index 34413ed..0187955 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (flatpak-1.10.7.tar.xz) = a25e9492b21542082e074c8805fd0d723a2e50f88da414a46981460a58111750ccf1c23ea2137b3f1a22638e473911f6c1c88d22f2cba641e1c2cbad53e402ed
+SHA512 (flatpak-1.10.8.tar.xz) = 0823aa522d5f5b0a6cb967609ef8db18390a1992578c7c15921494973759d83467f31112d81226797c741a4ed3732087ce6b290bd8d3cc103415094e32d0365a
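Review bot: `BuildRequires: python3.11-pyparsing` in the `-31,9 +32,9` hunk pins the module to one interpreter version while `BuildRequires: /usr/bin/python3` two lines below stays unversioned, and the commit message says it is not known what pulls python3.11 into the buildroot, so the security rebase depends on an unexplained buildroot state. I would record that in the spec with a comment above the line, e.g. `# Must match the python3 that ends up in the buildroot (python3.11 on RHEL 8.9)`. The `BuildRequires: libassuan-devel` line likewise deserves `# gpgme.pc requires libassuan, but gpgme-devel does not pull in libassuan-devel (rhbz#2222124)`, since the spec otherwise gives no reason for it and a later cleanup could drop it. The BuildRequires list starts and continues outside the hunk.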