import flatpak-1.8.7-1.el8

2022-03-29 12:02:38 -04:00 · 2022-03-29 12:02:38 -04:00 · d73b310c72
commit d73b310c72
parent 66cacff2f5
5 changed files with 23 additions and 167 deletions
--- a/.flatpak.metadata
+++ b/.flatpak.metadata
@ -1 +1 @@
-a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz
+ea9cd44ca1e6cdab1e450a8abc7c5e760194ac25 SOURCES/flatpak-1.8.7.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/flatpak-1.8.5.tar.xz
+SOURCES/flatpak-1.8.7.tar.xz
--- a/SOURCES/flatpak-1.8.5-fix-CVE-2021-21381.patch
+++ b/SOURCES/flatpak-1.8.5-fix-CVE-2021-21381.patch
@ -1,86 +0,0 @@
-From cb6fce9e4122ace2960c437def3b1a197bb49b3a Mon Sep 17 00:00:00 2001
-From: Ryan Gonzalez <rymg19@gmail.com>
-Date: Tue, 2 Mar 2021 13:20:07 -0600
-Subject: [PATCH 1/3] Disallow @@ and @@u usage in desktop files
-
-Fixes #4146.
---
- common/flatpak-dir.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
-index e6e4d6fb3..7d3374dad 100644
--- a/common/flatpak-dir.c
-+++ b/common/flatpak-dir.c
-@@ -7139,6 +7139,8 @@ export_desktop_file (const char         *app,
-                 g_string_append_printf (new_exec, " @@ %s @@", arg);
-               else if (strcasecmp (arg, "%u") == 0)
-                 g_string_append_printf (new_exec, " @@u %s @@", arg);
-+              else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
-+                g_print (_("Skipping invalid Exec argument %s\n"), arg);
-               else
-                 g_string_append_printf (new_exec, " %s", arg);
-             }
-
-From 0bdcb88b2d0013aa435dc03950fb42cef2cbd359 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Fri, 5 Mar 2021 13:49:36 +0000
-Subject: [PATCH 2/3] dir: Reserve the whole @@ prefix
-
-If we add new features analogous to file forwarding later, we might
-find that we need a different magic token. Let's reserve the whole
-@@* namespace so we can call it @@something-else.
-
-Signed-off-by: Simon McVittie <smcv@collabora.com>
---
- common/flatpak-dir.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
-index 7d3374dad..facfab37a 100644
--- a/common/flatpak-dir.c
-+++ b/common/flatpak-dir.c
-@@ -7139,7 +7139,7 @@ export_desktop_file (const char         *app,
-                 g_string_append_printf (new_exec, " @@ %s @@", arg);
-               else if (strcasecmp (arg, "%u") == 0)
-                 g_string_append_printf (new_exec, " @@u %s @@", arg);
-              else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
-+              else if (g_str_has_prefix (arg, "@@"))
-                 g_print (_("Skipping invalid Exec argument %s\n"), arg);
-               else
-                 g_string_append_printf (new_exec, " %s", arg);
-
-From 230f4c3521cd0dffa446ab9b70e958cdd9241bbe Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Fri, 5 Mar 2021 13:51:33 +0000
-Subject: [PATCH 3/3] dir: Refuse to export .desktop files with suspicious uses
- of @@ tokens
-
-This is either a malicious/compromised app trying to do an attack, or
-a mistake that will break handling of %f, %u and so on. Either way,
-if we refuse to export the .desktop file, resulting in installation
-failing, then it makes the rejection more obvious than quietly
-removing the magic tokens.
-
-Signed-off-by: Simon McVittie <smcv@collabora.com>
---
- common/flatpak-dir.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
-index facfab37a..c5edf346f 100644
--- a/common/flatpak-dir.c
-+++ b/common/flatpak-dir.c
-@@ -7140,7 +7140,11 @@ export_desktop_file (const char         *app,
-               else if (strcasecmp (arg, "%u") == 0)
-                 g_string_append_printf (new_exec, " @@u %s @@", arg);
-               else if (g_str_has_prefix (arg, "@@"))
-                g_print (_("Skipping invalid Exec argument %s\n"), arg);
-+                {
-+                  flatpak_fail_error (error, FLATPAK_ERROR_EXPORT_FAILED,
-+                                     _("Invalid Exec argument %s"), arg);
-+                  goto out;
-+                }
-               else
-                 g_string_append_printf (new_exec, " %s", arg);
-             }
--- a/SOURCES/flatpak-1.8.5-post-cve-fixes.patch
+++ b/SOURCES/flatpak-1.8.5-post-cve-fixes.patch
@ -1,73 +0,0 @@
-From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 18 Jan 2021 17:52:13 +0000
-Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments
-
-This means we can systematically pass the environment variables
-through bwrap(1), even if it is setuid and thus is filtering out
-security-sensitive environment variables. bwrap itself ends up being
-run with an empty environment instead.
-
-This fixes a regression when CVE-2021-21261 was fixed: before the
-CVE fixes, LD_LIBRARY_PATH would have been passed through like this
-and appeared in the `flatpak build` shell, but during the CVE fixes,
-the special case that protected LD_LIBRARY_PATH was removed in favour
-of the more general flatpak_bwrap_envp_to_args(). That reasoning only
-works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
-that we run the potentially-setuid bwrap.
-
-Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
-Resolves: https://github.com/flatpak/flatpak/issues/4080
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0)
---
- app/flatpak-builtins-build.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
-index 8da0de814..07ef6fc07 100644
--- a/app/flatpak-builtins-build.c
-+++ b/app/flatpak-builtins-build.c
-@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
-                               NULL);
-     }
- 
-+  flatpak_bwrap_envp_to_args (bwrap);
-+
-   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
-     return FALSE;
- 
-From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 18 Jan 2021 18:07:38 +0000
-Subject: [PATCH] dir: Pass environment via bwrap --setenv when running
- apply_extra
-
-This means we can systematically pass the environment variables
-through bwrap(1), even if it is setuid and thus is filtering out
-security-sensitive environment variables. bwrap ends up being
-run with an empty environment instead.
-
-As with the previous commit, this regressed while fixing CVE-2021-21261.
-
-Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit fb473cad801c6b61706353256cab32330557374a)
---
- common/flatpak-dir.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
-index ed1248e74..40767fa77 100644
--- a/common/flatpak-dir.c
-+++ b/common/flatpak-dir.c
-@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir   *self,
-                                          app_context, NULL, NULL, NULL, cancellable, error))
-     return FALSE;
- 
-+  flatpak_bwrap_envp_to_args (bwrap);
-+
-   flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
- 
-   flatpak_bwrap_finish (bwrap);
--- a/SPECS/flatpak.spec
+++ b/SPECS/flatpak.spec
@ -2,18 +2,16 @@
 %global ostree_version 2018.9

 Name:           flatpak
-Version:        1.8.5
-Release:        4%{?dist}
+Version:        1.8.7
+Release:        1%{?dist}
 Summary:        Application deployment framework for desktop apps

 License:        LGPLv2+
 URL:            http://flatpak.org/
 Source0:        https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
-# https://bugzilla.redhat.com/show_bug.cgi?id=1918776
-Patch0:         flatpak-1.8.5-post-cve-fixes.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1938064
-Patch1:         flatpak-1.8.5-fix-CVE-2021-21381.patch

+BuildRequires:  autoconf
+BuildRequires:  automake
 BuildRequires:  pkgconfig(appstream-glib)
 BuildRequires:  pkgconfig(dconf)
 BuildRequires:  pkgconfig(fuse)
@ -35,8 +33,11 @@ BuildRequires:  bubblewrap >= %{bubblewrap_version}
 BuildRequires:  docbook-dtds
 BuildRequires:  docbook-style-xsl
 BuildRequires:  gettext
+BuildRequires:  gettext-devel
 BuildRequires:  gpgme-devel
+BuildRequires:  gtk-doc
 BuildRequires:  libcap-devel
+BuildRequires:  libtool
 BuildRequires:  python3-pyparsing
 BuildRequires:  systemd
 BuildRequires:  /usr/bin/python3
@ -125,6 +126,8 @@ This package contains installed tests for %{name}.


 %build
+autoreconf --force --install --verbose
+
 (if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi;
 # Generate consistent IDs between runs to avoid multilib problems.
 export XMLTO_FLAGS="--stringparam generate.consistent.ids=1"
@ -244,6 +247,18 @@ fi


 %changelog
+* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.7-1
+- Rebase to 1.8.7 (#2041972)
+
+* Tue Jan 25 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.6-1
+- Rebase to 1.8.6 (#2010533)
+
+* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-6
+- Fix CVE-2021-41133 (#2012869)
+
+* Tue Oct 05 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-5
+- Disable gvfs plugins when listing flatpak installations (#1980438)
+
 * Wed Jul 28 2021 Tomas Popela <tpopela@redhat.com> - 1.8.5-4
 - Ship flatpak-devel in CRB (#1938064)