rpms
/
flatpak
7
0
Fork 1
Code Issues Pull Requests Releases Activity

Use SHA256, not SHA1, to name the cache for a filtered remote 

Resolves: #1935508
This commit is contained in:
Debarshi Ray 2022-02-03 21:45:08 +01:00
parent 4d98b1045c
commit a614a1ba38
2 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch Normal file
View File

@ -0,0 +1,38 @@
From 7dd160f33054863b1ea6f75ac279a42121a16430 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Mon, 31 Jan 2022 21:17:29 +0100
Subject: [PATCH] dir: Use SHA256, not SHA1, to name the cache for a filtered
remote
SHA1 hashes are considered weak these days. Some distributions have
static analysis tools to detect the use of such weak hashes, and they
get triggered by flatpak. While this particular use of SHA1 in flatpak
is likely not security sensitive, it's also easy to move to SHA256 to
avoid any debate.
Here, the SHA1 hash of a named remote's filter file is used to generate
the name of the directory where the refs from that remote are cached.
One can reasonably assume that the cache is frequently invalidated
because the list of refs on the remote changes all the time. Hence,
it's not big problem if it gets invalidated once more because of this
change.
---
common/flatpak-dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 18384bd432fc..c6d08e85b41f 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -10923,7 +10923,7 @@ remote_filter_load (GFile *path, GError **error)
}
filter = g_new0 (RemoteFilter, 1);
- filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA1, (guchar *)data, data_size);
+ filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA256, (guchar *)data, data_size);
filter->path = g_object_ref (path);
filter->mtime = mtime;
filter->last_mtime_check = g_get_monotonic_time ();
--
2.34.1

9
flatpak.spec
View File

@ -3,7 +3,7 @@
Name: flatpak
Version: 1.10.7
Release: 1%{?dist}
Release: 2%{?dist}
Summary: Application deployment framework for desktop apps
License: LGPLv2+
@ -12,6 +12,9 @@ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/
# Add Fedora flatpak repositories
Source1: flatpak-add-fedora-repos.service
# https://bugzilla.redhat.com/show_bug.cgi?id=1935508
Patch0: flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch
BuildRequires: pkgconfig(appstream-glib)
BuildRequires: pkgconfig(dconf)
BuildRequires: pkgconfig(fuse)
@ -264,6 +267,10 @@ fi
%changelog
* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-2
- Use SHA256, not SHA1, to name the cache for a filtered remote
Resolves: #1935508
* Wed Feb 02 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
- Update to 1.10.7 (CVE-2021-43860)
Resolves: #2041973