import flatpak-1.12.4-2.el9

.flatpak.metadata

@@ -1 +1 @@
-d4d771e7bfa4ab275845cf7259f9b25784ccc095 SOURCES/flatpak-1.10.5.tar.xz
+7745ab42122080e89fef75a6dc2e7d98703c7b2c SOURCES/flatpak-1.12.4.tar.xz

.gitignore

@@ -1 +1 @@
-SOURCES/flatpak-1.10.5.tar.xz
+SOURCES/flatpak-1.12.4.tar.xz

SOURCES/0001-Fix-handling-of-syscalls-only-allowed-by-devel.patch

@@ -1,31 +0,0 @@
-From 24485224223b8ed41976ead5801cb04c4d961f93 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Fri, 8 Oct 2021 19:00:13 +0100
-Subject: [PATCH] Fix handling of syscalls only allowed by --devel
-
-This was incorrectly looking at errno instead of -r.
-
-Fixes: 0b38b0f0 "run: Handle unknown syscalls as intended"
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 3fc8c672676ae016f8e7cc90481b2feecbad9861)
-(cherry picked from commit 97e128c2c1520202486b5e165e1734cbb421568a)
----
- common/flatpak-run.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index 6142daafa56d..4048476bf455 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -2992,7 +2992,7 @@ setup_seccomp (FlatpakBwrap   *bwrap,
-             r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
- 
-           /* See above for the meaning of EFAULT. */
--          if (errno == EFAULT)
-+          if (r == -EFAULT)
-             flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
-                             scall);
-           else if (r < 0)
--- 
-2.31.1
-

SOURCES/flatpak-add-fedora-repos.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=Add Fedora flatpak repositories
-ConditionPathExists=!/var/lib/flatpak/.fedora-initialized
-Before=flatpak-system-helper.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/bin/flatpak remote-add --system --if-not-exists --title "Fedora Flatpaks" fedora oci+https://registry.fedoraproject.org
-ExecStart=/usr/bin/flatpak remote-add --system --if-not-exists --disable --title "Fedora Flatpaks (testing)" fedora-testing oci+https://registry.fedoraproject.org#testing
-ExecStartPost=/usr/bin/touch /var/lib/flatpak/.fedora-initialized
-
-[Install]
-WantedBy=multi-user.target

SOURCES/flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch

@@ -0,0 +1,38 @@
+From 7dd160f33054863b1ea6f75ac279a42121a16430 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Mon, 31 Jan 2022 21:17:29 +0100
+Subject: [PATCH] dir: Use SHA256, not SHA1, to name the cache for a filtered
+ remote
+
+SHA1 hashes are considered weak these days. Some distributions have
+static analysis tools to detect the use of such weak hashes, and they
+get triggered by flatpak. While this particular use of SHA1 in flatpak
+is likely not security sensitive, it's also easy to move to SHA256 to
+avoid any debate.
+
+Here, the SHA1 hash of a named remote's filter file is used to generate
+the name of the directory where the refs from that remote are cached.
+One can reasonably assume that the cache is frequently invalidated
+because the list of refs on the remote changes all the time. Hence,
+it's not big problem if it gets invalidated once more because of this
+change.
+---
+ common/flatpak-dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 18384bd432fc..c6d08e85b41f 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -10923,7 +10923,7 @@ remote_filter_load (GFile *path, GError **error)
+     }
+ 
+   filter = g_new0 (RemoteFilter, 1);
+-  filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA1, (guchar *)data, data_size);
++  filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA256, (guchar *)data, data_size);
+   filter->path = g_object_ref (path);
+   filter->mtime = mtime;
+   filter->last_mtime_check = g_get_monotonic_time ();
+-- 
+2.34.1
+

SPECS/flatpak.spec

@@ -2,18 +2,21 @@
 %global ostree_version 2020.8
 
 Name:           flatpak
-Version:        1.10.5
-Release:        1%{?dist}
+Version:        1.12.4
+Release:        2%{?dist}
 Summary:        Application deployment framework for desktop apps
 
 License:        LGPLv2+
 URL:            http://flatpak.org/
 Source0:        https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
+
+%if 0%{?fedora}
 # Add Fedora flatpak repositories
 Source1:        flatpak-add-fedora-repos.service
+%endif
 
-# https://github.com/flatpak/flatpak/pull/4473
-Patch0:         0001-Fix-handling-of-syscalls-only-allowed-by-devel.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1935508
+Patch0:         flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch
 
 BuildRequires:  pkgconfig(appstream-glib)
 BuildRequires:  pkgconfig(dconf)
@@ -44,8 +47,6 @@ BuildRequires:  /usr/bin/xdg-dbus-proxy
 BuildRequires:  /usr/bin/xmlto
 BuildRequires:  /usr/bin/xsltproc
 
-%{?systemd_requires}
-
 Requires:       bubblewrap >= %{bubblewrap_version}
 Requires:       librsvg2%{?_isa}
 Requires:       ostree-libs%{?_isa} >= %{ostree_version}
@@ -151,8 +152,12 @@ install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir}
 # The system repo is not installed by the flatpak build system.
 install -d %{buildroot}%{_localstatedir}/lib/flatpak
 install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
-install -D -t %{buildroot}%{_unitdir} %{SOURCE1}
 rm -f %{buildroot}%{_libdir}/libflatpak.la
+
+%if 0%{?fedora}
+install -D -t %{buildroot}%{_unitdir} %{SOURCE1}
+%endif
+
 %find_lang %{name}
 
 # Work around selinux denials, see
@@ -169,27 +174,27 @@ getent passwd flatpak >/dev/null || \
 exit 0
 
 
+%if 0%{?fedora}
 %post
 %systemd_post flatpak-add-fedora-repos.service
+%endif
 
-if [ $1 -gt 1 ] ; then
-        # Apply the preset also on package updates to support F29->F31 upgrade
-        # path. systemd_post macro only handles initial installs and not the
-        # case when a new .service file appears on a package update.
-        # Should be fine to drop in F32.
-        systemctl --no-reload preset flatpak-add-fedora-repos.service >/dev/null 2>&1 || :
-fi
 
 %post selinux
 %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
 
 
+%if 0%{?fedora}
 %preun
 %systemd_preun flatpak-add-fedora-repos.service
+%endif
 
 
+%if 0%{?fedora}
 %postun
 %systemd_postun_with_restart flatpak-add-fedora-repos.service
+%endif
+
 
 %postun selinux
 if [ $1 -eq 0 ]; then
@@ -232,12 +237,15 @@ fi
 %{_sysconfdir}/flatpak/remotes.d
 %{_sysconfdir}/profile.d/flatpak.sh
 %{_sysusersdir}/flatpak.conf
-%{_unitdir}/flatpak-add-fedora-repos.service
 %{_unitdir}/flatpak-system-helper.service
 %{_userunitdir}/flatpak-oci-authenticator.service
 %{_userunitdir}/flatpak-portal.service
 %{_systemd_user_env_generator_dir}/60-flatpak
 
+%if 0%{?fedora}
+%{_unitdir}/flatpak-add-fedora-repos.service
+%endif
+
 %files devel
 %{_datadir}/gir-1.0/Flatpak-1.0.gir
 %{_datadir}/gtk-doc/
@@ -267,6 +275,23 @@ fi
 
 
 %changelog
+* Tue Feb 08 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.4-2
+- Don't try to add Fedora's OCI Flatpak repository on RHEL
+- Remove an obsolete Fedora-specific update path
+Resolves: #2051697
+
+* Mon Feb 07 2022 Neal Gompa <ngompa@centosproject.org> - 1.12.4-1
+- Rebase to 1.12.4
+Resolves: #2050302
+
+* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-2
+- Use SHA256, not SHA1, to name the cache for a filtered remote
+Resolves: #1935508
+
+* Wed Feb 02 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
+- Update to 1.10.7 (CVE-2021-43860)
+Resolves: #2041973
+
 * Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.10.5-1
 - Update to 1.10.5 (CVE-2021-41133)
 Resolves: #2012862