diff --git a/SOURCES/flatpak-1.6.2-fix-CVE-2021-21381.patch b/SOURCES/flatpak-1.6.2-fix-CVE-2021-21381.patch
new file mode 100644
index 0000000..0d118f1
--- /dev/null
+++ b/SOURCES/flatpak-1.6.2-fix-CVE-2021-21381.patch
@@ -0,0 +1,86 @@
+From cb6fce9e4122ace2960c437def3b1a197bb49b3a Mon Sep 17 00:00:00 2001
+From: Ryan Gonzalez
+Date: Tue, 2 Mar 2021 13:20:07 -0600
+Subject: [PATCH 1/3] Disallow @@ and @@u usage in desktop files
+
+Fixes #4146.
+---
+ common/flatpak-dir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index e6e4d6fb3..7d3374dad 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -7139,6 +7139,8 @@ export_desktop_file (const char *app,
+ g_string_append_printf (new_exec, " @@ %s @@", arg);
+ else if (strcasecmp (arg, "%u") == 0)
+ g_string_append_printf (new_exec, " @@u %s @@", arg);
++ else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
++ g_print (_("Skipping invalid Exec argument %s\n"), arg);
+ else
+ g_string_append_printf (new_exec, " %s", arg);
+ }
+
+From 0bdcb88b2d0013aa435dc03950fb42cef2cbd359 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Fri, 5 Mar 2021 13:49:36 +0000
+Subject: [PATCH 2/3] dir: Reserve the whole @@ prefix
+
+If we add new features analogous to file forwarding later, we might
+find that we need a different magic token. Let's reserve the whole
+@@* namespace so we can call it @@something-else.
+
+Signed-off-by: Simon McVittie
+---
+ common/flatpak-dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 7d3374dad..facfab37a 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -7139,7 +7139,7 @@ export_desktop_file (const char *app,
+ g_string_append_printf (new_exec, " @@ %s @@", arg);
+ else if (strcasecmp (arg, "%u") == 0)
+ g_string_append_printf (new_exec, " @@u %s @@", arg);
+- else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
++ else if (g_str_has_prefix (arg, "@@"))
+ g_print (_("Skipping invalid Exec argument %s\n"), arg);
+ else
+ g_string_append_printf (new_exec, " %s", arg);
+
+From 230f4c3521cd0dffa446ab9b70e958cdd9241bbe Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Fri, 5 Mar 2021 13:51:33 +0000
+Subject: [PATCH 3/3] dir: Refuse to export .desktop files with suspicious uses
+ of @@ tokens
+
+This is either a malicious/compromised app trying to do an attack, or
+a mistake that will break handling of %f, %u and so on. Either way,
+if we refuse to export the .desktop file, resulting in installation
+failing, then it makes the rejection more obvious than quietly
+removing the magic tokens.
+
+Signed-off-by: Simon McVittie
+---
+ common/flatpak-dir.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index facfab37a..c5edf346f 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -7140,7 +7140,11 @@ export_desktop_file (const char *app,
+ else if (strcasecmp (arg, "%u") == 0)
+ g_string_append_printf (new_exec, " @@u %s @@", arg);
+ else if (g_str_has_prefix (arg, "@@"))
+- g_print (_("Skipping invalid Exec argument %s\n"), arg);
++ {
++ flatpak_fail_error (error, FLATPAK_ERROR_EXPORT_FAILED,
++ _("Invalid Exec argument %s"), arg);
++ goto out;
++ }
+ else
+ g_string_append_printf (new_exec, " %s", arg);
+ }
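Review bot: The `goto out;` added in patch 3/3 exits export_desktop_file with `error` set, but the `out:` label, the ownership of `new_exec` and the function's return statement are all outside the hunk, so the backport should be checked against the 1.6.2 tree to confirm that path frees `new_exec` and returns FALSE instead of continuing with a partially built Exec line. The final check `g_str_has_prefix (arg, "@@")` is the right shape: it reserves the whole prefix that the two format strings above it emit (`" @@ %s @@"` and `" @@u %s @@"`), so the rejected set and the generated set cannot drift apart as long as both stay literal `"@@"`. A short comment above the new branch would help future readers, e.g. `/* "@@" is the magic file-forwarding token we emit above; an app must not be able to supply it itself */`. Note that patches 1/3 and 2/3 only print and skip the argument; only patch 3/3 makes the export fail, so all three must be applied together for the installation to be refused as the last commit message describes.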
diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec
index f3881b9..8304f38 100644
--- a/SPECS/flatpak.spec
+++ b/SPECS/flatpak.spec
@@ -3,7 +3,7 @@
 Name: flatpak
 Version: 1.6.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Application deployment framework for desktop apps
 License: LGPLv2+
@@ -18,6 +18,8 @@ Patch1: flatpak-1.6.2-oci-fixes2.patch
 Patch2: 3845.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1918774
 Patch3: flatpak-1.6.2-fix-CVE-2021-21261.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1938062
+Patch4: flatpak-1.6.2-fix-CVE-2021-21381.patch
 BuildRequires: pkgconfig(appstream-glib)
 BuildRequires: pkgconfig(dconf)
@@ -246,6 +248,9 @@ fi
 %changelog
+* Mon Mar 22 2021 David King - 1.6.2-6
+- Fix CVE-2021-21381 (#1938062)
+
 * Tue Jan 26 2021 David King - 1.6.2-5
 - Fix CVE-2021-21261 (#1918774)
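Review bot: The second hunk declares `Patch4: flatpak-1.6.2-fix-CVE-2021-21381.patch` but the `%prep` section is not in this diff, so it is not visible whether the patch is actually applied. If `%prep` uses `%autosetup`/`%autopatch` nothing more is needed; if it lists patches explicitly, a matching `%patch4 -p1` must be added or the build will silently ship without the fix while the changelog claims it. The new patch file is itself a three-commit series, so the spec comment could record that, e.g. `# https://bugzilla.redhat.com/show_bug.cgi?id=1938062 (upstream commits cb6fce9, 0bdcb88, 230f4c3)`, making it easier to verify the backport against upstream later.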