From a614a1ba3885a3ee206e9b593ecc94020f4c70ea Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Thu, 3 Feb 2022 21:45:08 +0100 Subject: [PATCH] Use SHA256, not SHA1, to name the cache for a filtered remote Resolves: #1935508 --- ...ot-SHA1-to-name-the-cache-for-a-filt.patch | 38 +++++++++++++++++++ flatpak.spec | 9 ++++- 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch diff --git a/flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch b/flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch new file mode 100644 index 0000000..7c8c332 --- /dev/null +++ b/flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch @@ -0,0 +1,38 @@ +From 7dd160f33054863b1ea6f75ac279a42121a16430 Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Mon, 31 Jan 2022 21:17:29 +0100 +Subject: [PATCH] dir: Use SHA256, not SHA1, to name the cache for a filtered + remote + +SHA1 hashes are considered weak these days. Some distributions have +static analysis tools to detect the use of such weak hashes, and they +get triggered by flatpak. While this particular use of SHA1 in flatpak +is likely not security sensitive, it's also easy to move to SHA256 to +avoid any debate. + +Here, the SHA1 hash of a named remote's filter file is used to generate +the name of the directory where the refs from that remote are cached. +One can reasonably assume that the cache is frequently invalidated +because the list of refs on the remote changes all the time. Hence, +it's not big problem if it gets invalidated once more because of this +change. +--- + common/flatpak-dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index 18384bd432fc..c6d08e85b41f 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -10923,7 +10923,7 @@ remote_filter_load (GFile *path, GError **error) + } + + filter = g_new0 (RemoteFilter, 1); +- filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA1, (guchar *)data, data_size); ++ filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA256, (guchar *)data, data_size); + filter->path = g_object_ref (path); + filter->mtime = mtime; + filter->last_mtime_check = g_get_monotonic_time (); +-- +2.34.1 + diff --git a/flatpak.spec b/flatpak.spec index fe420f5..10d8dff 100644 --- a/flatpak.spec +++ b/flatpak.spec @@ -3,7 +3,7 @@ Name: flatpak Version: 1.10.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ @@ -12,6 +12,9 @@ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/ # Add Fedora flatpak repositories Source1: flatpak-add-fedora-repos.service +# https://bugzilla.redhat.com/show_bug.cgi?id=1935508 +Patch0: flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch + BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(dconf) BuildRequires: pkgconfig(fuse) @@ -264,6 +267,10 @@ fi %changelog +* Thu Feb 03 2022 Debarshi Ray - 1.10.7-2 +- Use SHA256, not SHA1, to name the cache for a filtered remote +Resolves: #1935508 + * Wed Feb 02 2022 Debarshi Ray - 1.10.7-1 - Update to 1.10.7 (CVE-2021-43860) Resolves: #2041973