import flatpak-1.8.5-2.el8

SOURCES/flatpak-1.8.5-post-cve-fixes.patch

@@ -0,0 +1,73 @@
+From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 18 Jan 2021 17:52:13 +0000
+Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments
+
+This means we can systematically pass the environment variables
+through bwrap(1), even if it is setuid and thus is filtering out
+security-sensitive environment variables. bwrap itself ends up being
+run with an empty environment instead.
+
+This fixes a regression when CVE-2021-21261 was fixed: before the
+CVE fixes, LD_LIBRARY_PATH would have been passed through like this
+and appeared in the `flatpak build` shell, but during the CVE fixes,
+the special case that protected LD_LIBRARY_PATH was removed in favour
+of the more general flatpak_bwrap_envp_to_args(). That reasoning only
+works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
+that we run the potentially-setuid bwrap.
+
+Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
+Resolves: https://github.com/flatpak/flatpak/issues/4080
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0)
+---
+ app/flatpak-builtins-build.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
+index 8da0de814..07ef6fc07 100644
+--- a/app/flatpak-builtins-build.c
++++ b/app/flatpak-builtins-build.c
+@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
+                               NULL);
+     }
+ 
++  flatpak_bwrap_envp_to_args (bwrap);
++
+   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+     return FALSE;
+ 
+From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 18 Jan 2021 18:07:38 +0000
+Subject: [PATCH] dir: Pass environment via bwrap --setenv when running
+ apply_extra
+
+This means we can systematically pass the environment variables
+through bwrap(1), even if it is setuid and thus is filtering out
+security-sensitive environment variables. bwrap ends up being
+run with an empty environment instead.
+
+As with the previous commit, this regressed while fixing CVE-2021-21261.
+
+Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit fb473cad801c6b61706353256cab32330557374a)
+---
+ common/flatpak-dir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index ed1248e74..40767fa77 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir   *self,
+                                          app_context, NULL, NULL, NULL, cancellable, error))
+     return FALSE;
+ 
++  flatpak_bwrap_envp_to_args (bwrap);
++
+   flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
+ 
+   flatpak_bwrap_finish (bwrap);

SPECS/flatpak.spec

@@ -3,12 +3,14 @@
 
 Name:           flatpak
 Version:        1.8.5
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Application deployment framework for desktop apps
 
 License:        LGPLv2+
 URL:            http://flatpak.org/
 Source0:        https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
+# https://bugzilla.redhat.com/show_bug.cgi?id=1918776
+Patch0:         flatpak-1.8.5-post-cve-fixes.patch
 
 BuildRequires:  pkgconfig(appstream-glib)
 BuildRequires:  pkgconfig(dconf)
@@ -240,6 +242,9 @@ fi
 
 
 %changelog
+* Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2
+- Apply post-release CVE fixes (#1918776)
+
 * Thu Jan 14 2021 David King <dking@redhat.com> - 1.8.5-1
 - Rebase to 1.8.5 (#1851958)