Compare commits

...

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

6 changed files with 326 additions and 452 deletions

View File

@ -1 +1 @@
41429400eab33868b6c6045fe235e86e1086a056 SOURCES/flatpak-1.12.9.tar.xz aadb61d0d67fa6bc4a3cbe54b0acfb78403a5cd1 SOURCES/flatpak-1.12.8.tar.xz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/flatpak-1.12.9.tar.xz SOURCES/flatpak-1.12.8.tar.xz

View File

@ -1,330 +0,0 @@
From 8451fa0ae30397b83705a193aa0d3f7752486dda Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Mon, 3 Jun 2024 12:22:30 +0200
Subject: [PATCH 1/4] Don't follow symlinks when mounting persisted directories
These directories are in a location under application control, so we
can't trust them to not be a symlink outside of the files accessibe to
the application.
Continue to treat --persist=/foo as --persist=foo for backwards compat,
since this is how it (accidentally) worked before, but print a warning.
Don't allow ".." elements in persist paths: these would not be useful
anyway, and are unlikely to be in use, however they could potentially
be used to confuse the persist path handling.
This partially addresses CVE-2024-42472. If only one instance of the
malicious or compromised app is run at a time, the vulnerability
is avoided. If two instances can run concurrently, there is a
time-of-check/time-of-use issue remaining, which can only be resolved
with changes to bubblewrap; this will be resolved in a separate commit,
because the bubblewrap dependency might be more difficult to provide in
LTS distributions.
Helps: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
[smcv: Use g_warning() if unable to create --persist paths]
[smcv: Use stat() to detect symlinks and warn about them]
[smcv: Use glnx_steal_fd() for portability to older GLib]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-context.c | 108 +++++++++++++++++++++++++++++++++++++--
1 file changed, 105 insertions(+), 3 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 53b79807..8c784acf 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -2686,6 +2686,90 @@ flatpak_context_get_exports_full (FlatpakContext *context,
return g_steal_pointer (&exports);
}
+/* This creates zero or more directories unders base_fd+basedir, each
+ * being guaranteed to either exist and be a directory (no symlinks)
+ * or be created as a directory. The last directory is opened
+ * and the fd is returned.
+ */
+static gboolean
+mkdir_p_open_nofollow_at (int base_fd,
+ const char *basedir,
+ int mode,
+ const char *subdir,
+ int *out_fd,
+ GError **error)
+{
+ glnx_autofd int parent_fd = -1;
+
+ if (g_path_is_absolute (subdir))
+ {
+ const char *skipped_prefix = subdir;
+
+ while (*skipped_prefix == '/')
+ skipped_prefix++;
+
+ g_warning ("--persist=\"%s\" is deprecated, treating it as --persist=\"%s\"", subdir, skipped_prefix);
+ subdir = skipped_prefix;
+ }
+
+ g_autofree char *subdir_dirname = g_path_get_dirname (subdir);
+
+ if (strcmp (subdir_dirname, ".") == 0)
+ {
+ /* It is ok to open basedir with follow=true */
+ if (!glnx_opendirat (base_fd, basedir, TRUE, &parent_fd, error))
+ return FALSE;
+ }
+ else if (strcmp (subdir_dirname, "..") == 0)
+ {
+ return glnx_throw (error, "'..' not supported in --persist paths");
+ }
+ else
+ {
+ if (!mkdir_p_open_nofollow_at (base_fd, basedir, mode,
+ subdir_dirname, &parent_fd, error))
+ return FALSE;
+ }
+
+ g_autofree char *subdir_basename = g_path_get_basename (subdir);
+
+ if (strcmp (subdir_basename, ".") == 0)
+ {
+ *out_fd = glnx_steal_fd (&parent_fd);
+ return TRUE;
+ }
+ else if (strcmp (subdir_basename, "..") == 0)
+ {
+ return glnx_throw (error, "'..' not supported in --persist paths");
+ }
+
+ if (!glnx_shutil_mkdir_p_at (parent_fd, subdir_basename, mode, NULL, error))
+ return FALSE;
+
+ int fd = openat (parent_fd, subdir_basename, O_PATH | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW);
+ if (fd == -1)
+ {
+ int saved_errno = errno;
+ struct stat stat_buf;
+
+ /* If it's a symbolic link, that could be a user trying to offload
+ * large data to another filesystem, but it could equally well be
+ * a malicious or compromised app trying to exploit GHSA-7hgv-f2j8-xw87.
+ * Produce a clearer error message in this case.
+ * Unfortunately the errno we get in this case is ENOTDIR, so we have
+ * to ask again to find out whether it's really a symlink. */
+ if (saved_errno == ENOTDIR &&
+ fstatat (parent_fd, subdir_basename, &stat_buf, AT_SYMLINK_NOFOLLOW) == 0 &&
+ S_ISLNK (stat_buf.st_mode))
+ return glnx_throw (error, "Symbolic link \"%s\" not allowed to avoid sandbox escape", subdir_basename);
+
+ return glnx_throw_errno_prefix (error, "openat(%s)", subdir_basename);
+ }
+
+ *out_fd = fd;
+ return TRUE;
+}
+
void
flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
FlatpakBwrap *bwrap,
@@ -2709,12 +2793,30 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
while (g_hash_table_iter_next (&iter, &key, NULL))
{
const char *persist = key;
- g_autofree char *src = g_build_filename (g_get_home_dir (), ".var/app", app_id, persist, NULL);
+ g_autofree char *appdir = g_build_filename (g_get_home_dir (), ".var/app", app_id, NULL);
g_autofree char *dest = g_build_filename (g_get_home_dir (), persist, NULL);
+ g_autoptr(GError) local_error = NULL;
+
+ if (g_mkdir_with_parents (appdir, 0755) != 0)
+ {
+ g_warning ("Unable to create directory %s", appdir);
+ continue;
+ }
+
+ /* Don't follow symlinks from the persist directory, as it is under user control */
+ glnx_autofd int src_fd = -1;
+ if (!mkdir_p_open_nofollow_at (AT_FDCWD, appdir, 0755,
+ persist, &src_fd,
+ &local_error))
+ {
+ g_warning ("Failed to create persist path %s: %s", persist, local_error->message);
+ continue;
+ }
- g_mkdir_with_parents (src, 0755);
+ g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src, dest);
+ flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
+ flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
}
}
--
2.46.0
From 5462c9b1e1a34b1104c8a0843a10382e90c9bb6b Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Mon, 3 Jun 2024 12:59:05 +0200
Subject: [PATCH 2/4] Add test coverage for --persist
This adds three "positive" tests: the common case --persist=.persist, the
deprecated spelling --persist=/.persist, and the less common special case
--persist=. as used by Steam.
It also adds "negative" tests for CVE-2024-42472: if the --persist
directory is a symbolic link or contains path segment "..", we want that
to be rejected.
Reproduces: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Add "positive" tests]
[smcv: Exercise --persist=..]
[smcv: Assert that --persist with a symlink produces expected message]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
tests/test-run.sh | 41 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/tests/test-run.sh b/tests/test-run.sh
index dd371df3..bca0845d 100644
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -24,7 +24,7 @@ set -euo pipefail
skip_without_bwrap
skip_revokefs_without_fuse
-echo "1..20"
+echo "1..21"
# Use stable rather than master as the branch so we can test that the run
# command automatically finds the branch correctly
@@ -512,3 +512,42 @@ ${FLATPAK} ${U} info -m org.test.App > out
assert_file_has_content out "^sdk=org\.test\.Sdk/$(flatpak --default-arch)/stable$"
ok "--sdk option"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+run --command=sh --persist=.persist org.test.Hello -c 'echo can-persist > .persist/rc'
+sed -e 's,^,#--persist=.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
+
+ok "--persist=.persist persists a directory"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+# G_DEBUG= to avoid the deprecation warning being fatal
+G_DEBUG= run --command=sh --persist=/.persist org.test.Hello -c 'echo can-persist > .persist/rc'
+sed -e 's,^,#--persist=/.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
+
+ok "--persist=/.persist is a deprecated form of --persist=.persist"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+run --command=sh --persist=. org.test.Hello -c 'echo can-persist > .persistrc'
+sed -e 's,^,#--persist=.# ,g' < "$HOME/.var/app/org.test.Hello/.persistrc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persistrc" "can-persist"
+
+ok "--persist=. persists all files"
+
+mkdir "${TEST_DATA_DIR}/inaccessible"
+echo FOO > ${TEST_DATA_DIR}/inaccessible/secret-file
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+ln -fns "${TEST_DATA_DIR}/inaccessible" "$HOME/.var/app/org.test.Hello/persist"
+# G_DEBUG= to avoid the warnings being fatal when we reject a --persist option.
+# LC_ALL=C so we get the expected non-localized string.
+LC_ALL=C G_DEBUG= run --command=ls --persist=persist --persist=relative/../escape org.test.Hello -la ~/persist &> hello_out || true
+sed -e 's,^,#--persist=symlink# ,g' < hello_out >&2
+assert_file_has_content hello_out "not allowed to avoid sandbox escape"
+assert_not_file_has_content hello_out "secret-file"
+
+ok "--persist doesn't allow sandbox escape via a symlink (CVE-2024-42472)"
--
2.46.0
From 04d8ad3009cd8a4350fba6cf7cc6c7819ccdfd34 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Mon, 12 Aug 2024 19:48:18 +0100
Subject: [PATCH 3/4] build: Require a version of bubblewrap with the --bind-fd
option
We need this for the --bind-fd option, which will close a race
condition in our solution to CVE-2024-42472.
For this stable branch, check the --help output for a --bind-fd option
instead of requiring a specific version number, to accommodate possible
backports in LTS distributions.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
configure.ac | 3 +++
1 file changed, 3 insertions(+)
diff --git a/configure.ac b/configure.ac
index 0a44e11a..0c8e2d0e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -175,6 +175,9 @@ if test "x$BWRAP" != xfalse; then
BWRAP_VERSION=`$BWRAP --version | sed 's,.*\ \([0-9]*\.[0-9]*\.[0-9]*\)$,\1,'`
AX_COMPARE_VERSION([$SYSTEM_BWRAP_REQS],[gt],[$BWRAP_VERSION],
[AC_MSG_ERROR([You need at least version $SYSTEM_BWRAP_REQS of bubblewrap to use the system installed version])])
+ AS_IF([$BWRAP --help | grep '@<:@-@:>@-bind-fd' >/dev/null],
+ [:],
+ [AC_MSG_ERROR([$BWRAP does not list required option --bind-fd in its --help])])
AM_CONDITIONAL([WITH_SYSTEM_BWRAP], [true])
else
AC_CHECK_LIB(cap, cap_from_text, CAP_LIB=-lcap)
--
2.46.0
From 2772f19e50c0e809dde8cf3c105d90ee8baf4fa8 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 14 Aug 2024 13:44:30 +0100
Subject: [PATCH 4/4] persist directories: Pass using new bwrap --bind-fd
option
Instead of passing a /proc/self/fd bind mount we use --bind-fd, which
has two advantages:
* bwrap closes the fd when used, so it doesn't leak into the started app
* bwrap ensures that what was mounted was the passed in fd (same dev/ino),
as there is a small (required) gap between symlink resolve and mount
where the target path could be replaced.
Please note that this change requires an updated version of bubblewrap.
Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-context.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 8c784acf..baa62728 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -2813,10 +2813,10 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
continue;
}
- g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
+ g_autofree char *src_via_proc = g_strdup_printf ("%d", src_fd);
flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
+ flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest);
}
}
--
2.46.0

View File

@ -1,28 +0,0 @@
From 1c73110795b865246ce3595042dcd2d5e7891359 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Mon, 6 Nov 2023 20:27:16 +0100
Subject: [PATCH] Revert "selinux: Permit using systemd-userdbd"
This reverts commit 399710ada185c1ee232bc3e6266a71688eb152b7.
---
selinux/flatpak.te | 4 ----
1 file changed, 4 deletions(-)
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
index bb3d80e316eb..4cf895c44abe 100644
--- a/selinux/flatpak.te
+++ b/selinux/flatpak.te
@@ -33,10 +33,6 @@ optional_policy(`
policykit_dbus_chat(flatpak_helper_t)
')
-optional_policy(`
- systemd_userdbd_stream_connect(flatpak_helper_t)
-')
-
optional_policy(`
unconfined_domain(flatpak_helper_t)
')
--
2.41.0

View File

@ -0,0 +1,38 @@
From 7dd160f33054863b1ea6f75ac279a42121a16430 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Mon, 31 Jan 2022 21:17:29 +0100
Subject: [PATCH] dir: Use SHA256, not SHA1, to name the cache for a filtered
remote
SHA1 hashes are considered weak these days. Some distributions have
static analysis tools to detect the use of such weak hashes, and they
get triggered by flatpak. While this particular use of SHA1 in flatpak
is likely not security sensitive, it's also easy to move to SHA256 to
avoid any debate.
Here, the SHA1 hash of a named remote's filter file is used to generate
the name of the directory where the refs from that remote are cached.
One can reasonably assume that the cache is frequently invalidated
because the list of refs on the remote changes all the time. Hence,
it's not big problem if it gets invalidated once more because of this
change.
---
common/flatpak-dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 18384bd432fc..c6d08e85b41f 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -10923,7 +10923,7 @@ remote_filter_load (GFile *path, GError **error)
}
filter = g_new0 (RemoteFilter, 1);
- filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA1, (guchar *)data, data_size);
+ filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA256, (guchar *)data, data_size);
filter->path = g_object_ref (path);
filter->mtime = mtime;
filter->last_mtime_check = g_get_monotonic_time ();
--
2.34.1

View File

@ -1,9 +1,9 @@
%global bubblewrap_version 0.4.0-2 %global bubblewrap_version 0.4.0
%global ostree_version 2020.8 %global ostree_version 2020.8
Name: flatpak Name: flatpak
Version: 1.12.9 Version: 1.12.8
Release: 3%{?dist} Release: 1%{?dist}
Summary: Application deployment framework for desktop apps Summary: Application deployment framework for desktop apps
License: LGPLv2+ License: LGPLv2+
@ -15,11 +15,8 @@ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/
Source1: flatpak-add-fedora-repos.service Source1: flatpak-add-fedora-repos.service
%endif %endif
# https://issues.redhat.com/browse/RHEL-4220 # https://bugzilla.redhat.com/show_bug.cgi?id=1935508
Patch0: flatpak-Revert-selinux-Permit-using-systemd-userdbd.patch Patch0: flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch
# Backported upstream patch for CVE-2024-42472
Patch1: flatpak-1.12.x-CVE-2024-42472.patch
BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(appstream-glib)
BuildRequires: pkgconfig(dconf) BuildRequires: pkgconfig(dconf)
@ -43,17 +40,17 @@ BuildRequires: bubblewrap >= %{bubblewrap_version}
BuildRequires: docbook-dtds BuildRequires: docbook-dtds
BuildRequires: docbook-style-xsl BuildRequires: docbook-style-xsl
BuildRequires: gettext BuildRequires: gettext
BuildRequires: libassuan-devel
BuildRequires: libcap-devel BuildRequires: libcap-devel
BuildRequires: python3-devel
BuildRequires: python3-pyparsing BuildRequires: python3-pyparsing
BuildRequires: systemd BuildRequires: systemd
BuildRequires: /usr/bin/xdg-dbus-proxy
BuildRequires: /usr/bin/xmlto BuildRequires: /usr/bin/xmlto
BuildRequires: /usr/bin/xsltproc BuildRequires: /usr/bin/xsltproc
Requires: bubblewrap >= %{bubblewrap_version} Requires: bubblewrap >= %{bubblewrap_version}
Requires: librsvg2%{?_isa} Requires: librsvg2%{?_isa}
Requires: ostree-libs%{?_isa} >= %{ostree_version} Requires: ostree-libs%{?_isa} >= %{ostree_version}
Requires: /usr/bin/xdg-dbus-proxy
# https://fedoraproject.org/wiki/SELinux/IndependentPolicy # https://fedoraproject.org/wiki/SELinux/IndependentPolicy
Requires: (flatpak-selinux = %{?epoch:%{epoch}:}%{version}-%{release} if selinux-policy-targeted) Requires: (flatpak-selinux = %{?epoch:%{epoch}:}%{version}-%{release} if selinux-policy-targeted)
Requires: %{name}-session-helper%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release} Requires: %{name}-session-helper%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
@ -62,8 +59,6 @@ Recommends: p11-kit-server
# Make sure the document portal is installed # Make sure the document portal is installed
%if 0%{?fedora} || 0%{?rhel} > 7 %if 0%{?fedora} || 0%{?rhel} > 7
Recommends: xdg-desktop-portal > 0.10 Recommends: xdg-desktop-portal > 0.10
# Remove in F30.
Conflicts: xdg-desktop-portal < 0.10
%else %else
Requires: xdg-desktop-portal > 0.10 Requires: xdg-desktop-portal > 0.10
%endif %endif
@ -97,6 +92,7 @@ Summary: SELinux policy module for %{name}
License: LGPLv2+ License: LGPLv2+
BuildRequires: selinux-policy BuildRequires: selinux-policy
BuildRequires: selinux-policy-devel BuildRequires: selinux-policy-devel
BuildRequires: make
BuildArch: noarch BuildArch: noarch
%{?selinux_requires} %{?selinux_requires}
@ -128,11 +124,14 @@ This package contains installed tests for %{name}.
%prep %prep
%autosetup -p1 %autosetup -p1
# Make sure to use the RHEL-lifetime supported Python and no other
%py3_shebang_fix scripts/* subprojects/variant-schema-compiler/* tests/*
%build %build
# gobject introspection does not work with LTO. There is an effort to fix this
# in the appropriate project upstreams, so hopefully LTO can be enabled someday
# Disable LTO.
%define _lto_cflags %{nil}
(if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi; (if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi;
# Generate consistent IDs between runs to avoid multilib problems. # Generate consistent IDs between runs to avoid multilib problems.
export XMLTO_FLAGS="--stringparam generate.consistent.ids=1" export XMLTO_FLAGS="--stringparam generate.consistent.ids=1"
@ -142,6 +141,7 @@ This package contains installed tests for %{name}.
--enable-selinux-module \ --enable-selinux-module \
--with-priv-mode=none \ --with-priv-mode=none \
--with-system-bubblewrap \ --with-system-bubblewrap \
--with-system-dbus-proxy \
$CONFIGFLAGS) $CONFIGFLAGS)
%make_build V=1 %make_build V=1
@ -202,9 +202,6 @@ if [ $1 -eq 0 ]; then
fi fi
%ldconfig_scriptlets libs
%files -f %{name}.lang %files -f %{name}.lang
%license COPYING %license COPYING
# Comply with the packaging guidelines about not mixing relative and absolute # Comply with the packaging guidelines about not mixing relative and absolute
@ -219,12 +216,11 @@ fi
%{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service %{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service
%{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service %{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service
%{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service %{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service
%{_datadir}/fish %{_datadir}/fish/
%{_datadir}/%{name} %{_datadir}/%{name}
%{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy %{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy
%{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules %{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules
%{_datadir}/zsh/site-functions %{_datadir}/zsh/site-functions
%{_libexecdir}/flatpak-dbus-proxy
%{_libexecdir}/flatpak-oci-authenticator %{_libexecdir}/flatpak-oci-authenticator
%{_libexecdir}/flatpak-portal %{_libexecdir}/flatpak-portal
%{_libexecdir}/flatpak-system-helper %{_libexecdir}/flatpak-system-helper
@ -280,121 +276,319 @@ fi
%changelog %changelog
* Wed Sep 04 2024 Kalev Lember <klember@redhat.com> - 1.12.9-3 * Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.12.8-1
- Fix previous changelog entry - Update to 1.12.8 (CVE-2023-28100, CVE-2023-28101)
Resolves: #2180312, #2221792
* Mon Sep 02 2024 Kalev Lember <klember@redhat.com> - 1.12.9-2 * Mon Jun 27 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.7-2
- Backport upstream patches for CVE-2024-42472 - Let flatpak own %%{_sysconfdir}/flatpak
- Require bubblewrap version that has new --bind-fd option backported for Resolves: #2101456
addressing CVE-2024-42472
* Tue Apr 30 2024 Kalev Lember <klember@redhat.com> - 1.12.9-1 * Thu Mar 17 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.7-1
- Update to 1.12.9 (CVE-2024-32462) - Update to 1.12.7
Resolves: #2058633
* Mon Nov 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.12.8-1 * Mon Mar 07 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.5-2
- Rebase to 1.12.8 (RHEL-4220) - Cope better with /var/lib/flatpak existing but being empty
Resolves: #2062806
* Mon Nov 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-3 * Sun Feb 20 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.5-1
- Let flatpak own %%{_sysconfdir}/flatpak (RHEL-15822) - Update to 1.12.5
Resolves: #2054215
* Mon Sep 04 2023 Miro Hrončok <mhroncok@redhat.com> - 1.10.8-2 * Tue Feb 08 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.4-2
- Make sure to use the RHEL-lifetime supported Python and no other (RHEL-2225) - Don't try to add Fedora's OCI Flatpak repository on RHEL
- Remove an obsolete Fedora-specific update path
Resolves: #2051697
* Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-1 * Mon Feb 07 2022 Neal Gompa <ngompa@centosproject.org> - 1.12.4-1
- Rebase to 1.10.8 (#2222103) - Rebase to 1.12.4
- Fix CVE-2023-28100 and CVE-2023-28101 (#2180311) Resolves: #2050302
* Wed Mar 09 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1 * Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-2
- Rebase to 1.10.7 (#2062417) - Use SHA256, not SHA1, to name the cache for a filtered remote
Resolves: #1935508
* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.7-1 * Wed Feb 02 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
- Rebase to 1.8.7 (#2041972) - Update to 1.10.7 (CVE-2021-43860)
Resolves: #2041973
* Tue Jan 25 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.6-1 * Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.10.5-1
- Rebase to 1.8.6 (#2010533) - Update to 1.10.5 (CVE-2021-41133)
Resolves: #2012862
* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-6 * Wed Sep 22 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.10.3-1
- Fix CVE-2021-41133 (#2012869) - Update to 1.10.3
Resolves: #2006554
* Tue Oct 05 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-5 * Sat Aug 28 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.10.2-6
- Disable gvfs plugins when listing flatpak installations (#1980438) - Fix local deploys using system helper
Resolves: #1982304
* Wed Jul 28 2021 Tomas Popela <tpopela@redhat.com> - 1.8.5-4 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.10.2-5
- Ship flatpak-devel in CRB (#1938064) - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Mar 22 2021 David King <dking@redhat.com> - 1.8.5-3 * Fri May 07 2021 Kalev Lember <klember@redhat.com> - 1.10.2-4
- Fix CVE-2021-21381 (#1938064) - Disable system env generator to work around selinux denials (#1947214)
* Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.10.2-3
- Apply post-release CVE fixes (#1918776) - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Jan 14 2021 David King <dking@redhat.com> - 1.8.5-1 * Mon Apr 05 2021 Kalev Lember <klember@redhat.com> - 1.10.2-2
- Rebase to 1.8.5 (#1851958) - OCI: Switch to pax format for tar archives
* Tue Nov 17 2020 David King <dking@redhat.com> - 1.8.3-1 * Wed Mar 10 2021 Kalev Lember <klember@redhat.com> - 1.10.2-1
- Rebase to 1.8.3 (#1851958) - Update to 1.10.2
* Mon Oct 05 2020 David King <dking@redhat.com> - 1.8.2-1 * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.10.1-4
- Rebase to 1.8.2 (#1851958) - Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Mon Sep 14 2020 Kalev Lember <klember@redhat.com> - 1.6.2-4 * Fri Feb 12 2021 Kalev Lember <klember@redhat.com> - 1.10.1-3
- OCI: extract appstream data for runtimes (#1878231) - Add G_BEGIN_DECLS/G_END_DECLS to public headers (#1927439)
- Drop unneeded ldconfig_scriptlets macro call
* Wed Jun 17 2020 David King <dking@redhat.com> - 1.6.2-3 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-2
- Further fixes for OCI authenticator (#1847201) - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Mar 20 2020 David King <dking@redhat.com> - 1.6.2-2 * Thu Jan 21 2021 Kalev Lember <klember@redhat.com> - 1.10.1-1
- Fixes for OCI authenticator (#1814045) - Update to 1.10.1
* Thu Feb 13 2020 David King <dking@redhat.com> - 1.6.2-1 * Thu Jan 14 2021 Kalev Lember <klember@redhat.com> - 1.10.0-1
- Rebase to 1.6.2 (#1775339) - Update to 1.10.0
* Thu Jan 23 2020 David King <dking@redhat.com> - 1.6.1-1 * Mon Jan 11 2021 Kalev Lember <klember@redhat.com> - 1.9.3-2
- Rebase to 1.6.1 (#1775339) - Use "Fedora Flatpaks" as the visible repo name
* Fri Jan 17 2020 David King <dking@redhat.com> - 1.6.0-2 * Tue Dec 22 2020 David King <amigadave@amigadave.com> - 1.9.3-1
- Remove broken python3 sed hack (#1775339) - Update to 1.9.3 (#1910054)
* Sat Dec 21 2019 David King <dking@redhat.com> - 1.6.0-1 * Fri Nov 20 2020 Kalev Lember <klember@redhat.com> - 1.9.2-1
- Rebase to 1.6.0 (#1775339) - Update to 1.9.2
* Fri Nov 08 2019 David King <dking@redhat.com> - 1.4.3-2 * Thu Nov 19 2020 Kalev Lember <klember@redhat.com> - 1.9.1-1
- Update to 1.9.1
* Wed Nov 18 2020 David King <amigadave@amigadave.com> - 1.8.3-2
- Drop obsolete Requires on system-release
* Tue Nov 17 2020 Kalev Lember <klember@redhat.com> - 1.8.3-1
- Update to 1.8.3
* Sat Oct 31 2020 Jeff Law <law@redhat.com> - 1.8.2-3
- Fix bogus volatiles caught by gcc-11
* Fri Sep 11 2020 Kalev Lember <klember@redhat.com> - 1.8.2-2
- Backport various OCI fixes from upstream
* Fri Aug 21 2020 Kalev Lember <klember@redhat.com> - 1.8.2-1
- Update to 1.8.2
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Jul 03 2020 David King <amigadave@amigadave.com> - 1.8.1-1
- Update to 1.8.1 (#1853667)
* Tue Jun 30 2020 Jeff Law <law@redhat.com> - 1.8.0-2
- Disable LTO
* Wed Jun 24 2020 David King <amigadave@amigadave.com> - 1.8.0-1
- Update to 1.8.0 (#1850676)
* Wed Jun 10 2020 David King <amigadave@amigadave.com> - 1.7.3-1
- Update to 1.7.3 (#1820762)
* Fri Apr 03 2020 Kalev Lember <klember@redhat.com> - 1.7.2-1
- Update to 1.7.2
* Mon Mar 30 2020 David King <amigadave@amigadave.com> - 1.7.1-1
- Update to 1.7.1 (#1818882)
* Mon Mar 30 2020 Kalev Lember <klember@redhat.com> - 1.6.3-1
- Update to 1.6.3
* Thu Feb 13 2020 David King <amigadave@amigadave.com> - 1.6.2-1
- Update to 1.6.2 (#1802609)
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jan 23 2020 David King <amigadave@amigadave.com> - 1.6.1-1
- Update to 1.6.1
* Fri Jan 17 2020 David King <amigadave@amigadave.com> - 1.6.0-2
- Remove broken python3 sed hack
* Fri Dec 20 2019 David King <amigadave@amigadave.com> - 1.6.0-1
- Update to 1.6.0
* Mon Dec 16 2019 David King <amigadave@amigadave.com> - 1.5.2-1
- Update to 1.5.2
* Thu Nov 28 2019 David King <amigadave@amigadave.com> - 1.5.1-1
- Update to 1.5.1
* Fri Nov 01 2019 Orion Poplawski <orion@nwra.com> - 1.5.0-2
- Use %%{?selinux_requires} for proper install ordering - Use %%{?selinux_requires} for proper install ordering
* Tue Oct 08 2019 David King <dking@redhat.com> - 1.4.3-1 * Thu Oct 03 2019 David King <amigadave@amigadave.com> - 1.5.0-1
- Rebase to 1.4.3 (#1748276) - Update to 1.5.0
* Fri Sep 20 2019 Kalev Lember <klember@redhat.com> - 1.0.9-1 * Thu Sep 19 2019 Kalev Lember <klember@redhat.com> - 1.4.3-1
- Update to 1.0.9 (#1753613) - Update to 1.4.3
* Tue May 14 2019 David King <dking@redhat.com> - 1.0.6-4 * Wed Sep 18 2019 Debarshi Ray <rishi@fedoraproject.org> - 1.4.2-6
- Bump release (#1700654) - Trim unused shared library linkages from the session helper
* Mon Apr 29 2019 David King <dking@redhat.com> - 1.0.6-3 * Wed Aug 7 2019 Owen Taylor <otaylor@redhat.com> - 1.4.2-5
- Fix IOCSTI sandbox bypass (#1700654) - Add patch fixing problem with downloading icons for OCI remotes (#1683375)
* Wed Feb 13 2019 David King <dking@redhat.com> - 1.0.6-2 * Thu Jul 25 2019 Tim Zabel <tjzabel21@gmail.com> - 1.4.2-4
- Do not mount /proc in root sandbox (#1675776) - SELinux needs additional Requires (#1732132)
* Tue Dec 18 2018 Kalev Lember <klember@redhat.com> - 1.0.6-1 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-3
- Update to 1.0.6 (#1630249) - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Jul 09 2019 Kalev Lember <klember@redhat.com> - 1.4.2-2
- Backport a patch that fixes a fairly large memory leak in gnome-software
* Fri Jun 28 2019 David King <amigadave@amigadave.com> - 1.4.2-1
- Update to 1.4.2 (#1725071)
* Tue Jun 25 2019 David King <amigadave@amigadave.com> - 1.4.1-3
- Use Requires(post) for selinux-policy (#1723118)
* Tue Jun 25 2019 Debarshi Ray <rishi@fedoraproject.org> - 1.4.1-2
- Split the session helper into a separate sub-package
* Thu Jun 13 2019 Kalev Lember <klember@redhat.com> - 1.4.1-1
- Update to 1.4.1
* Wed Jun 12 2019 Kalev Lember <klember@redhat.com> - 1.4.0-2
- Backport an upstream patch to fix gnome-software CI
* Tue May 28 2019 Kalev Lember <klember@redhat.com> - 1.4.0-1
- Update to 1.4.0
* Fri May 10 2019 Kalev Lember <klember@redhat.com> - 1.3.4-1
- Update to 1.3.4
* Tue Apr 30 2019 David King <amigadave@amigadave.com> - 1.3.3-2
- Generate consistent anchor IDs
* Fri Apr 26 2019 David King <amigadave@amigadave.com> - 1.3.3-1
- Update to 1.3.3 (#1699338)
* Wed Apr 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.3.2-2
- Fixup selinux requires
* Fri Apr 12 2019 David King <amigadave@amigadave.com> - 1.3.2-1
- Update to 1.3.2 (#1699338)
* Wed Apr 03 2019 Kalev Lember <klember@redhat.com> - 1.3.1-2
- Add a oneshot systemd service to add Fedora flatpak repos
- Remove the post script to create system repo now that we have the service
* Wed Mar 27 2019 David King <amigadave@amigadave.com> - 1.3.1-1
- Update to 1.3.1 (#1693207)
* Tue Mar 12 2019 David King <amigadave@amigadave.com> - 1.3.0-1
- Update to 1.3.0
* Thu Feb 14 2019 David King <amigadave@amigadave.com> - 1.2.3-2
- Remove an obsolete Conflicts
- Use xdg-dbus-proxy
* Mon Feb 11 2019 David King <amigadave@amigadave.com> - 1.2.3-1
- Update to 1.2.3
* Wed Feb 06 2019 David King <amigadave@amigadave.com> - 1.2.2-1
- Update to 1.2.2
* Tue Feb 05 2019 Kalev Lember <klember@redhat.com> - 1.2.1-1
- Update to 1.2.1
* Mon Feb 4 2019 fedora-toolbox <otaylor@redhat.com> - 1.2.0-4
- Add an upstream patch to add flatpak build-export --disable-sandbox
* Thu Jan 31 2019 Bastien Nocera <bnocera@redhat.com> - 1.2.0-3
- Require librsvg2 so SVG icons can be exported
* Tue Jan 29 2019 Kalev Lember <klember@redhat.com> - 1.2.0-2
- Enable libsystemd support
* Mon Jan 28 2019 David King <amigadave@amigadave.com> - 1.2.0-1
- Update to 1.2.0
* Tue Jan 15 2019 Kalev Lember <klember@redhat.com> - 1.1.3-1
- Update to 1.1.3
* Fri Dec 21 2018 David King <amigadave@amigadave.com> - 1.1.2-1
- Update to 1.1.2
* Mon Dec 17 2018 David King <amigadave@amigadave.com> - 1.1.1-2
- Enable installed tests and add to tests subpackage
* Mon Dec 10 2018 Kalev Lember <klember@redhat.com> - 1.1.1-1
- Update to 1.1.1
* Fri Nov 30 2018 fedora-toolbox <otaylor@redhat.com> - 1.0.6-3
- Add a patch to fix OCI system remotes
- Add patch fixing permissions on icons downloaded from an OCI registry
* Fri Nov 16 2018 Kalev Lember <klember@redhat.com> - 1.0.6-1
- Update to 1.0.6
* Mon Nov 12 2018 Kalev Lember <klember@redhat.com> - 1.0.5-2
- Recommend p11-kit-server instead of just p11-kit (#1649049) - Recommend p11-kit-server instead of just p11-kit (#1649049)
* Mon Dec 10 2018 David King <dking@redhat.com> - 1.0.4-2 * Mon Nov 12 2018 Kalev Lember <klember@redhat.com> - 1.0.5-1
- Backport patches to improve OCI support (#1657306) - Update to 1.0.5
* Fri Oct 12 2018 Kalev Lember <klember@redhat.com> - 1.0.4-1 * Fri Oct 12 2018 Kalev Lember <klember@redhat.com> - 1.0.4-1
- Update to 1.0.4 (#1630249) - Update to 1.0.4
* Thu Oct 04 2018 Kalev Lember <klember@redhat.com> - 1.0.3-1
- Update to 1.0.3
* Thu Sep 13 2018 Kalev Lember <klember@redhat.com> - 1.0.2-1 * Thu Sep 13 2018 Kalev Lember <klember@redhat.com> - 1.0.2-1
- Update to 1.0.2 (#1630249) - Update to 1.0.2
* Tue Aug 28 2018 David King <dking@redhat.com> - 1.0.1-1 * Tue Aug 28 2018 David King <amigadave@amigadave.com> - 1.0.1-1
- Update to 1.0.1 (#1621401) - Update to 1.0.1
* Wed Aug 01 2018 David King <dking@redhat.com> - 0.99.3-1 * Mon Aug 20 2018 David King <amigadave@amigadave.com> - 1.0.0-2
- Fix double dash in XML documentation
* Mon Aug 20 2018 David King <amigadave@amigadave.com> - 1.0.0-1
- Update to 1.0.0
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.99.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jul 10 2018 Kalev Lember <klember@redhat.com> - 0.99.3-1
- Update to 0.99.3 - Update to 0.99.3
* Wed Jun 27 2018 Kalev Lember <klember@redhat.com> - 0.99.2-1
- Update to 0.99.2
* Thu Jun 21 2018 David King <amigadave@amigadave.com> - 0.99.1-1
- Update to 0.99.1
* Wed Jun 13 2018 David King <amigadave@amigadave.com> - 0.11.8.3-1
- Update to 0.11.8.3 (#1590808)
* Mon Jun 11 2018 David King <amigadave@amigadave.com> - 0.11.8.2-1
- Update to 0.11.8.2 (#1589810)
* Fri Jun 08 2018 David King <amigadave@amigadave.com> - 0.11.8.1-1
- Update to 0.11.8.1 (#1588868)
* Fri Jun 08 2018 David King <amigadave@amigadave.com> - 0.11.8-1
- Update to 0.11.8 (#1588868)
* Wed May 23 2018 Adam Jackson <ajax@redhat.com> - 0.11.7-2 * Wed May 23 2018 Adam Jackson <ajax@redhat.com> - 0.11.7-2
- Remove Requires: kernel >= 4.0.4-202, which corresponds to rawhide - Remove Requires: kernel >= 4.0.4-202, which corresponds to rawhide
somewhere before Fedora 22 which this spec file certainly no longer somewhere before Fedora 22 which this spec file certainly no longer