From d73b310c725bb7b5c7e11484875ac7ae4acffdc8 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 29 Mar 2022 12:02:38 -0400 Subject: [PATCH] import flatpak-1.8.7-1.el8 --- .flatpak.metadata | 2 +- .gitignore | 2 +- .../flatpak-1.8.5-fix-CVE-2021-21381.patch | 86 ------------------- SOURCES/flatpak-1.8.5-post-cve-fixes.patch | 73 ---------------- SPECS/flatpak.spec | 27 ++++-- 5 files changed, 23 insertions(+), 167 deletions(-) delete mode 100644 SOURCES/flatpak-1.8.5-fix-CVE-2021-21381.patch delete mode 100644 SOURCES/flatpak-1.8.5-post-cve-fixes.patch diff --git a/.flatpak.metadata b/.flatpak.metadata index 76bd630..5b443f6 100644 --- a/.flatpak.metadata +++ b/.flatpak.metadata @@ -1 +1 @@ -a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz +ea9cd44ca1e6cdab1e450a8abc7c5e760194ac25 SOURCES/flatpak-1.8.7.tar.xz diff --git a/.gitignore b/.gitignore index 27b08dc..71e6537 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/flatpak-1.8.5.tar.xz +SOURCES/flatpak-1.8.7.tar.xz diff --git a/SOURCES/flatpak-1.8.5-fix-CVE-2021-21381.patch b/SOURCES/flatpak-1.8.5-fix-CVE-2021-21381.patch deleted file mode 100644 index 0d118f1..0000000 --- a/SOURCES/flatpak-1.8.5-fix-CVE-2021-21381.patch +++ /dev/null @@ -1,86 +0,0 @@ -From cb6fce9e4122ace2960c437def3b1a197bb49b3a Mon Sep 17 00:00:00 2001 -From: Ryan Gonzalez -Date: Tue, 2 Mar 2021 13:20:07 -0600 -Subject: [PATCH 1/3] Disallow @@ and @@u usage in desktop files - -Fixes #4146. ---- - common/flatpak-dir.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index e6e4d6fb3..7d3374dad 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -7139,6 +7139,8 @@ export_desktop_file (const char *app, - g_string_append_printf (new_exec, " @@ %s @@", arg); - else if (strcasecmp (arg, "%u") == 0) - g_string_append_printf (new_exec, " @@u %s @@", arg); -+ else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0) -+ g_print (_("Skipping invalid Exec argument %s\n"), arg); - else - g_string_append_printf (new_exec, " %s", arg); - } - -From 0bdcb88b2d0013aa435dc03950fb42cef2cbd359 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 5 Mar 2021 13:49:36 +0000 -Subject: [PATCH 2/3] dir: Reserve the whole @@ prefix - -If we add new features analogous to file forwarding later, we might -find that we need a different magic token. Let's reserve the whole -@@* namespace so we can call it @@something-else. - -Signed-off-by: Simon McVittie ---- - common/flatpak-dir.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 7d3374dad..facfab37a 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -7139,7 +7139,7 @@ export_desktop_file (const char *app, - g_string_append_printf (new_exec, " @@ %s @@", arg); - else if (strcasecmp (arg, "%u") == 0) - g_string_append_printf (new_exec, " @@u %s @@", arg); -- else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0) -+ else if (g_str_has_prefix (arg, "@@")) - g_print (_("Skipping invalid Exec argument %s\n"), arg); - else - g_string_append_printf (new_exec, " %s", arg); - -From 230f4c3521cd0dffa446ab9b70e958cdd9241bbe Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 5 Mar 2021 13:51:33 +0000 -Subject: [PATCH 3/3] dir: Refuse to export .desktop files with suspicious uses - of @@ tokens - -This is either a malicious/compromised app trying to do an attack, or -a mistake that will break handling of %f, %u and so on. Either way, -if we refuse to export the .desktop file, resulting in installation -failing, then it makes the rejection more obvious than quietly -removing the magic tokens. - -Signed-off-by: Simon McVittie ---- - common/flatpak-dir.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index facfab37a..c5edf346f 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -7140,7 +7140,11 @@ export_desktop_file (const char *app, - else if (strcasecmp (arg, "%u") == 0) - g_string_append_printf (new_exec, " @@u %s @@", arg); - else if (g_str_has_prefix (arg, "@@")) -- g_print (_("Skipping invalid Exec argument %s\n"), arg); -+ { -+ flatpak_fail_error (error, FLATPAK_ERROR_EXPORT_FAILED, -+ _("Invalid Exec argument %s"), arg); -+ goto out; -+ } - else - g_string_append_printf (new_exec, " %s", arg); - } diff --git a/SOURCES/flatpak-1.8.5-post-cve-fixes.patch b/SOURCES/flatpak-1.8.5-post-cve-fixes.patch deleted file mode 100644 index a5ee71c..0000000 --- a/SOURCES/flatpak-1.8.5-post-cve-fixes.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 18 Jan 2021 17:52:13 +0000 -Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments - -This means we can systematically pass the environment variables -through bwrap(1), even if it is setuid and thus is filtering out -security-sensitive environment variables. bwrap itself ends up being -run with an empty environment instead. - -This fixes a regression when CVE-2021-21261 was fixed: before the -CVE fixes, LD_LIBRARY_PATH would have been passed through like this -and appeared in the `flatpak build` shell, but during the CVE fixes, -the special case that protected LD_LIBRARY_PATH was removed in favour -of the more general flatpak_bwrap_envp_to_args(). That reasoning only -works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere -that we run the potentially-setuid bwrap. - -Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" -Resolves: https://github.com/flatpak/flatpak/issues/4080 -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323 -Signed-off-by: Simon McVittie -(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0) ---- - app/flatpak-builtins-build.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c -index 8da0de814..07ef6fc07 100644 ---- a/app/flatpak-builtins-build.c -+++ b/app/flatpak-builtins-build.c -@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError - NULL); - } - -+ flatpak_bwrap_envp_to_args (bwrap); -+ - if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) - return FALSE; - -From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 18 Jan 2021 18:07:38 +0000 -Subject: [PATCH] dir: Pass environment via bwrap --setenv when running - apply_extra - -This means we can systematically pass the environment variables -through bwrap(1), even if it is setuid and thus is filtering out -security-sensitive environment variables. bwrap ends up being -run with an empty environment instead. - -As with the previous commit, this regressed while fixing CVE-2021-21261. - -Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" -Signed-off-by: Simon McVittie -(cherry picked from commit fb473cad801c6b61706353256cab32330557374a) ---- - common/flatpak-dir.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index ed1248e74..40767fa77 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir *self, - app_context, NULL, NULL, NULL, cancellable, error)) - return FALSE; - -+ flatpak_bwrap_envp_to_args (bwrap); -+ - flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra"); - - flatpak_bwrap_finish (bwrap); diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec index 265250c..a9c988c 100644 --- a/SPECS/flatpak.spec +++ b/SPECS/flatpak.spec @@ -2,18 +2,16 @@ %global ostree_version 2018.9 Name: flatpak -Version: 1.8.5 -Release: 4%{?dist} +Version: 1.8.7 +Release: 1%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz -# https://bugzilla.redhat.com/show_bug.cgi?id=1918776 -Patch0: flatpak-1.8.5-post-cve-fixes.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1938064 -Patch1: flatpak-1.8.5-fix-CVE-2021-21381.patch +BuildRequires: autoconf +BuildRequires: automake BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(dconf) BuildRequires: pkgconfig(fuse) @@ -35,8 +33,11 @@ BuildRequires: bubblewrap >= %{bubblewrap_version} BuildRequires: docbook-dtds BuildRequires: docbook-style-xsl BuildRequires: gettext +BuildRequires: gettext-devel BuildRequires: gpgme-devel +BuildRequires: gtk-doc BuildRequires: libcap-devel +BuildRequires: libtool BuildRequires: python3-pyparsing BuildRequires: systemd BuildRequires: /usr/bin/python3 @@ -125,6 +126,8 @@ This package contains installed tests for %{name}. %build +autoreconf --force --install --verbose + (if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi; # Generate consistent IDs between runs to avoid multilib problems. export XMLTO_FLAGS="--stringparam generate.consistent.ids=1" @@ -244,6 +247,18 @@ fi %changelog +* Thu Feb 03 2022 Debarshi Ray - 1.8.7-1 +- Rebase to 1.8.7 (#2041972) + +* Tue Jan 25 2022 Debarshi Ray - 1.8.6-1 +- Rebase to 1.8.6 (#2010533) + +* Tue Oct 26 2021 Debarshi Ray - 1.8.5-6 +- Fix CVE-2021-41133 (#2012869) + +* Tue Oct 05 2021 Debarshi Ray - 1.8.5-5 +- Disable gvfs plugins when listing flatpak installations (#1980438) + * Wed Jul 28 2021 Tomas Popela - 1.8.5-4 - Ship flatpak-devel in CRB (#1938064)