rpms/flatpak
7
0
Fork 1
Code Issues Pull Requests Releases Activity

import flatpak-1.8.5-4.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-10-05 22:22:13 -04:00 committed by Stepan Oksanichenko
parent 7b337a111f
commit 66cacff2f5
2 changed files with 95 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
SOURCES/flatpak-1.8.5-fix-CVE-2021-21381.patch Normal file
View File

@ -0,0 +1,86 @@
From cb6fce9e4122ace2960c437def3b1a197bb49b3a Mon Sep 17 00:00:00 2001
From: Ryan Gonzalez <rymg19@gmail.com>
Date: Tue, 2 Mar 2021 13:20:07 -0600
Subject: [PATCH 1/3] Disallow @@ and @@u usage in desktop files
Fixes #4146.
---
common/flatpak-dir.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index e6e4d6fb3..7d3374dad 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -7139,6 +7139,8 @@ export_desktop_file (const char *app,
g_string_append_printf (new_exec, " @@ %s @@", arg);
else if (strcasecmp (arg, "%u") == 0)
g_string_append_printf (new_exec, " @@u %s @@", arg);
+ else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
+ g_print (_("Skipping invalid Exec argument %s\n"), arg);
else
g_string_append_printf (new_exec, " %s", arg);
}
From 0bdcb88b2d0013aa435dc03950fb42cef2cbd359 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 5 Mar 2021 13:49:36 +0000
Subject: [PATCH 2/3] dir: Reserve the whole @@ prefix
If we add new features analogous to file forwarding later, we might
find that we need a different magic token. Let's reserve the whole
@@* namespace so we can call it @@something-else.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 7d3374dad..facfab37a 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -7139,7 +7139,7 @@ export_desktop_file (const char *app,
g_string_append_printf (new_exec, " @@ %s @@", arg);
else if (strcasecmp (arg, "%u") == 0)
g_string_append_printf (new_exec, " @@u %s @@", arg);
- else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
+ else if (g_str_has_prefix (arg, "@@"))
g_print (_("Skipping invalid Exec argument %s\n"), arg);
else
g_string_append_printf (new_exec, " %s", arg);
From 230f4c3521cd0dffa446ab9b70e958cdd9241bbe Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 5 Mar 2021 13:51:33 +0000
Subject: [PATCH 3/3] dir: Refuse to export .desktop files with suspicious uses
of @@ tokens
This is either a malicious/compromised app trying to do an attack, or
a mistake that will break handling of %f, %u and so on. Either way,
if we refuse to export the .desktop file, resulting in installation
failing, then it makes the rejection more obvious than quietly
removing the magic tokens.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-dir.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index facfab37a..c5edf346f 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -7140,7 +7140,11 @@ export_desktop_file (const char *app,
else if (strcasecmp (arg, "%u") == 0)
g_string_append_printf (new_exec, " @@u %s @@", arg);
else if (g_str_has_prefix (arg, "@@"))
- g_print (_("Skipping invalid Exec argument %s\n"), arg);
+ {
+ flatpak_fail_error (error, FLATPAK_ERROR_EXPORT_FAILED,
+ _("Invalid Exec argument %s"), arg);
+ goto out;
+ }
else
g_string_append_printf (new_exec, " %s", arg);
}

10
SPECS/flatpak.spec
View File

@ -3,7 +3,7 @@
Name: flatpak Name: flatpak
Version: 1.8.5 Version: 1.8.5
Release: 2%{?dist} Release: 4%{?dist}
Summary: Application deployment framework for desktop apps Summary: Application deployment framework for desktop apps
License: LGPLv2+ License: LGPLv2+
@ -11,6 +11,8 @@ URL: http://flatpak.org/
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
# https://bugzilla.redhat.com/show_bug.cgi?id=1918776 # https://bugzilla.redhat.com/show_bug.cgi?id=1918776
Patch0: flatpak-1.8.5-post-cve-fixes.patch Patch0: flatpak-1.8.5-post-cve-fixes.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1938064
Patch1: flatpak-1.8.5-fix-CVE-2021-21381.patch
BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(appstream-glib)
BuildRequires: pkgconfig(dconf) BuildRequires: pkgconfig(dconf)
@ -242,6 +244,12 @@ fi
%changelog %changelog
* Wed Jul 28 2021 Tomas Popela <tpopela@redhat.com> - 1.8.5-4
- Ship flatpak-devel in CRB (#1938064)
* Mon Mar 22 2021 David King <dking@redhat.com> - 1.8.5-3
- Fix CVE-2021-21381 (#1938064)
* Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2 * Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2
- Apply post-release CVE fixes (#1918776) - Apply post-release CVE fixes (#1918776)