import flatpak-1.10.5-1.el9
This commit is contained in:
parent
b4c89c2c63
commit
312b97f4c8
@ -1 +1 @@
|
||||
1cd25f8577ba55d1370652e9bd24e8a2d254143a SOURCES/flatpak-1.10.2.tar.xz
|
||||
d4d771e7bfa4ab275845cf7259f9b25784ccc095 SOURCES/flatpak-1.10.5.tar.xz
|
||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/flatpak-1.10.2.tar.xz
|
||||
SOURCES/flatpak-1.10.5.tar.xz
|
||||
|
@ -0,0 +1,31 @@
|
||||
From 24485224223b8ed41976ead5801cb04c4d961f93 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Fri, 8 Oct 2021 19:00:13 +0100
|
||||
Subject: [PATCH] Fix handling of syscalls only allowed by --devel
|
||||
|
||||
This was incorrectly looking at errno instead of -r.
|
||||
|
||||
Fixes: 0b38b0f0 "run: Handle unknown syscalls as intended"
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
(cherry picked from commit 3fc8c672676ae016f8e7cc90481b2feecbad9861)
|
||||
(cherry picked from commit 97e128c2c1520202486b5e165e1734cbb421568a)
|
||||
---
|
||||
common/flatpak-run.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index 6142daafa56d..4048476bf455 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -2992,7 +2992,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
|
||||
|
||||
/* See above for the meaning of EFAULT. */
|
||||
- if (errno == EFAULT)
|
||||
+ if (r == -EFAULT)
|
||||
flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
|
||||
scall);
|
||||
else if (r < 0)
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,34 +0,0 @@
|
||||
From adbd286cef9a4c4bed76eb95337d5d6f5e42dd45 Mon Sep 17 00:00:00 2001
|
||||
From: Kalev Lember <klember@redhat.com>
|
||||
Date: Mon, 5 Apr 2021 10:40:26 +0200
|
||||
Subject: [PATCH] OCI: Switch to pax format for tar archives
|
||||
|
||||
For reasons unknown, libarchive appears to generate broken gnutar format
|
||||
tar archives when the archive contains files that are larger than 2 GB.
|
||||
This commit switches to the pax format to work this around.
|
||||
|
||||
This should be a better default as it also removes 256 char filename
|
||||
length limitation and matches what other libraries are doing, e.g.
|
||||
Python 3.8 switched to the pax format by default as well.
|
||||
|
||||
See https://pagure.io/fedora-infrastructure/issue/9840
|
||||
---
|
||||
common/flatpak-oci-registry.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
|
||||
index 6aa68c27..2a7f3ba1 100644
|
||||
--- a/common/flatpak-oci-registry.c
|
||||
+++ b/common/flatpak-oci-registry.c
|
||||
@@ -1476,7 +1476,7 @@ flatpak_oci_registry_write_layer (FlatpakOciRegistry *self,
|
||||
}
|
||||
|
||||
a = archive_write_new ();
|
||||
- if (archive_write_set_format_gnutar (a) != ARCHIVE_OK ||
|
||||
+ if (archive_write_set_format_pax (a) != ARCHIVE_OK ||
|
||||
archive_write_add_filter_none (a) != ARCHIVE_OK)
|
||||
{
|
||||
propagate_libarchive_error (error, a);
|
||||
--
|
||||
2.30.2
|
||||
|
@ -1,126 +0,0 @@
|
||||
From 49e8bfcea516e96eb950109d0fa45811a352a517 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Larsson <alexl@redhat.com>
|
||||
Date: Wed, 17 Mar 2021 17:12:32 +0100
|
||||
Subject: [PATCH] system-helper: Fix deploys of local remotes
|
||||
|
||||
For updates in remotes with a local (file:) uri we just do a deploy
|
||||
with a LOCAL_PULL flag set and an empty arg_repo_path. However, our
|
||||
arg_repo_path checking at some point seemed to stop properly handling
|
||||
the case where it is empty. I got it to report "No such file" wich
|
||||
broke the tests.
|
||||
---
|
||||
system-helper/flatpak-system-helper.c | 89 ++++++++++++++-------------
|
||||
1 file changed, 46 insertions(+), 43 deletions(-)
|
||||
|
||||
diff --git a/system-helper/flatpak-system-helper.c b/system-helper/flatpak-system-helper.c
|
||||
index b202c94105..adcfe61a86 100644
|
||||
--- a/system-helper/flatpak-system-helper.c
|
||||
+++ b/system-helper/flatpak-system-helper.c
|
||||
@@ -410,61 +410,64 @@ handle_deploy (FlatpakSystemHelper *object,
|
||||
return G_DBUS_METHOD_INVOCATION_HANDLED;
|
||||
}
|
||||
|
||||
- src_dir = g_path_get_dirname (arg_repo_path);
|
||||
- ongoing_pull = take_ongoing_pull_by_dir (src_dir);
|
||||
- if (ongoing_pull != NULL)
|
||||
+ if ((arg_flags & ~FLATPAK_HELPER_DEPLOY_FLAGS_ALL) != 0)
|
||||
{
|
||||
- g_autoptr(GError) local_error = NULL;
|
||||
- uid_t uid;
|
||||
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
|
||||
+ "Unsupported flags enabled: 0x%x", (arg_flags & ~FLATPAK_HELPER_DEPLOY_FLAGS_ALL));
|
||||
+ return G_DBUS_METHOD_INVOCATION_HANDLED;
|
||||
+ }
|
||||
|
||||
- /* Ensure that pull's uid is same as the caller's uid */
|
||||
- if (!get_connection_uid (invocation, &uid, &local_error))
|
||||
+ if (strlen (arg_repo_path) > 0)
|
||||
+ {
|
||||
+ if (!g_file_query_exists (repo_file, NULL))
|
||||
{
|
||||
- g_dbus_method_invocation_return_gerror (invocation, local_error);
|
||||
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
|
||||
+ "Path does not exist");
|
||||
return G_DBUS_METHOD_INVOCATION_HANDLED;
|
||||
}
|
||||
- else
|
||||
+
|
||||
+ src_dir = g_path_get_dirname (arg_repo_path);
|
||||
+ ongoing_pull = take_ongoing_pull_by_dir (src_dir);
|
||||
+ if (ongoing_pull != NULL)
|
||||
{
|
||||
- if (ongoing_pull->uid != uid)
|
||||
+ g_autoptr(GError) local_error = NULL;
|
||||
+ uid_t uid;
|
||||
+
|
||||
+ /* Ensure that pull's uid is same as the caller's uid */
|
||||
+ if (!get_connection_uid (invocation, &uid, &local_error))
|
||||
{
|
||||
- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
|
||||
- "Ongoing pull's uid(%d) does not match with peer uid(%d)",
|
||||
- ongoing_pull->uid, uid);
|
||||
+ g_dbus_method_invocation_return_gerror (invocation, local_error);
|
||||
return G_DBUS_METHOD_INVOCATION_HANDLED;
|
||||
}
|
||||
- }
|
||||
-
|
||||
- terminate_revokefs_backend (ongoing_pull);
|
||||
-
|
||||
- if (!flatpak_canonicalize_permissions (AT_FDCWD,
|
||||
- arg_repo_path,
|
||||
- getuid() == 0 ? 0 : -1,
|
||||
- getuid() == 0 ? 0 : -1,
|
||||
- &local_error))
|
||||
- {
|
||||
- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
|
||||
- "Failed to canonicalize permissions of repo %s: %s",
|
||||
- arg_repo_path, local_error->message);
|
||||
- return G_DBUS_METHOD_INVOCATION_HANDLED;
|
||||
- }
|
||||
+ else
|
||||
+ {
|
||||
+ if (ongoing_pull->uid != uid)
|
||||
+ {
|
||||
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
|
||||
+ "Ongoing pull's uid(%d) does not match with peer uid(%d)",
|
||||
+ ongoing_pull->uid, uid);
|
||||
+ return G_DBUS_METHOD_INVOCATION_HANDLED;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
- /* At this point, the cache-dir's repo is owned by root. Hence, any failure
|
||||
- * from here on, should always cleanup the cache-dir and not preserve it to be re-used. */
|
||||
- ongoing_pull->preserve_pull = FALSE;
|
||||
- }
|
||||
+ terminate_revokefs_backend (ongoing_pull);
|
||||
|
||||
- if ((arg_flags & ~FLATPAK_HELPER_DEPLOY_FLAGS_ALL) != 0)
|
||||
- {
|
||||
- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
|
||||
- "Unsupported flags enabled: 0x%x", (arg_flags & ~FLATPAK_HELPER_DEPLOY_FLAGS_ALL));
|
||||
- return G_DBUS_METHOD_INVOCATION_HANDLED;
|
||||
- }
|
||||
+ if (!flatpak_canonicalize_permissions (AT_FDCWD,
|
||||
+ arg_repo_path,
|
||||
+ getuid() == 0 ? 0 : -1,
|
||||
+ getuid() == 0 ? 0 : -1,
|
||||
+ &local_error))
|
||||
+ {
|
||||
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
|
||||
+ "Failed to canonicalize permissions of repo %s: %s",
|
||||
+ arg_repo_path, local_error->message);
|
||||
+ return G_DBUS_METHOD_INVOCATION_HANDLED;
|
||||
+ }
|
||||
|
||||
- if (!g_file_query_exists (repo_file, NULL))
|
||||
- {
|
||||
- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
|
||||
- "Path does not exist");
|
||||
- return G_DBUS_METHOD_INVOCATION_HANDLED;
|
||||
+ /* At this point, the cache-dir's repo is owned by root. Hence, any failure
|
||||
+ * from here on, should always cleanup the cache-dir and not preserve it to be re-used. */
|
||||
+ ongoing_pull->preserve_pull = FALSE;
|
||||
+ }
|
||||
}
|
||||
|
||||
ref = flatpak_decomposed_new_from_ref (arg_ref, &error);
|
@ -2,8 +2,8 @@
|
||||
%global ostree_version 2020.8
|
||||
|
||||
Name: flatpak
|
||||
Version: 1.10.2
|
||||
Release: 6%{?dist}
|
||||
Version: 1.10.5
|
||||
Release: 1%{?dist}
|
||||
Summary: Application deployment framework for desktop apps
|
||||
|
||||
License: LGPLv2+
|
||||
@ -12,11 +12,8 @@ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/
|
||||
# Add Fedora flatpak repositories
|
||||
Source1: flatpak-add-fedora-repos.service
|
||||
|
||||
# https://github.com/flatpak/flatpak/pull/4210
|
||||
# https://pagure.io/fedora-infrastructure/issue/9840
|
||||
Patch0: 0001-OCI-Switch-to-pax-format-for-tar-archives.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1982304
|
||||
Patch1: flatpak-1.10.2-system-helper-fix.patch
|
||||
# https://github.com/flatpak/flatpak/pull/4473
|
||||
Patch0: 0001-Fix-handling-of-syscalls-only-allowed-by-devel.patch
|
||||
|
||||
BuildRequires: pkgconfig(appstream-glib)
|
||||
BuildRequires: pkgconfig(dconf)
|
||||
@ -270,6 +267,14 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.10.5-1
|
||||
- Update to 1.10.5 (CVE-2021-41133)
|
||||
Resolves: #2012862
|
||||
|
||||
* Wed Sep 22 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.10.3-1
|
||||
- Update to 1.10.3
|
||||
Resolves: #2006554
|
||||
|
||||
* Sat Aug 28 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.10.2-6
|
||||
- Fix local deploys using system helper
|
||||
Resolves: #1982304
|
||||
|
Loading…
Reference in New Issue
Block a user