Compare commits
No commits in common. "c8" and "imports/c8s/flatpak-1.8.5-2.el8" have entirely different histories.
c8
...
imports/c8
|
@ -1 +1 @@
|
||||||
41429400eab33868b6c6045fe235e86e1086a056 SOURCES/flatpak-1.12.9.tar.xz
|
a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
SOURCES/flatpak-1.12.9.tar.xz
|
SOURCES/flatpak-1.8.5.tar.xz
|
||||||
|
|
|
@ -0,0 +1,73 @@
|
||||||
|
From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon McVittie <smcv@collabora.com>
|
||||||
|
Date: Mon, 18 Jan 2021 17:52:13 +0000
|
||||||
|
Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments
|
||||||
|
|
||||||
|
This means we can systematically pass the environment variables
|
||||||
|
through bwrap(1), even if it is setuid and thus is filtering out
|
||||||
|
security-sensitive environment variables. bwrap itself ends up being
|
||||||
|
run with an empty environment instead.
|
||||||
|
|
||||||
|
This fixes a regression when CVE-2021-21261 was fixed: before the
|
||||||
|
CVE fixes, LD_LIBRARY_PATH would have been passed through like this
|
||||||
|
and appeared in the `flatpak build` shell, but during the CVE fixes,
|
||||||
|
the special case that protected LD_LIBRARY_PATH was removed in favour
|
||||||
|
of the more general flatpak_bwrap_envp_to_args(). That reasoning only
|
||||||
|
works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
|
||||||
|
that we run the potentially-setuid bwrap.
|
||||||
|
|
||||||
|
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
|
||||||
|
Resolves: https://github.com/flatpak/flatpak/issues/4080
|
||||||
|
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
|
||||||
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0)
|
||||||
|
---
|
||||||
|
app/flatpak-builtins-build.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
|
||||||
|
index 8da0de814..07ef6fc07 100644
|
||||||
|
--- a/app/flatpak-builtins-build.c
|
||||||
|
+++ b/app/flatpak-builtins-build.c
|
||||||
|
@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
|
||||||
|
NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ flatpak_bwrap_envp_to_args (bwrap);
|
||||||
|
+
|
||||||
|
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
|
||||||
|
return FALSE;
|
||||||
|
|
||||||
|
From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon McVittie <smcv@collabora.com>
|
||||||
|
Date: Mon, 18 Jan 2021 18:07:38 +0000
|
||||||
|
Subject: [PATCH] dir: Pass environment via bwrap --setenv when running
|
||||||
|
apply_extra
|
||||||
|
|
||||||
|
This means we can systematically pass the environment variables
|
||||||
|
through bwrap(1), even if it is setuid and thus is filtering out
|
||||||
|
security-sensitive environment variables. bwrap ends up being
|
||||||
|
run with an empty environment instead.
|
||||||
|
|
||||||
|
As with the previous commit, this regressed while fixing CVE-2021-21261.
|
||||||
|
|
||||||
|
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
|
||||||
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
(cherry picked from commit fb473cad801c6b61706353256cab32330557374a)
|
||||||
|
---
|
||||||
|
common/flatpak-dir.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
||||||
|
index ed1248e74..40767fa77 100644
|
||||||
|
--- a/common/flatpak-dir.c
|
||||||
|
+++ b/common/flatpak-dir.c
|
||||||
|
@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir *self,
|
||||||
|
app_context, NULL, NULL, NULL, cancellable, error))
|
||||||
|
return FALSE;
|
||||||
|
|
||||||
|
+ flatpak_bwrap_envp_to_args (bwrap);
|
||||||
|
+
|
||||||
|
flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
|
||||||
|
|
||||||
|
flatpak_bwrap_finish (bwrap);
|
|
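Review bot: Both added `flatpak_bwrap_envp_to_args (bwrap);` calls are uncommented, although their position is what makes them effective: in `apply_extra_data` the call sits directly before `flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra")`, and in `flatpak_builtin_build` directly before `flatpak_bwrap_bundle_args`. I would add above each call `/* Pass the environment as bwrap --setenv arguments: a setuid bwrap filters security-sensitive variables such as LD_LIBRARY_PATH out of its own environment. Keep this after the last environment change and before the command is appended. */`. The ordering sentence is inferred from the placement, so confirm it against the helper's definition. The commit message says the approach only holds if every launch of a potentially-setuid bwrap goes through this helper, and only these two call sites are visible here, so the other bwrap launch paths in this 1.8.5 tree are worth checking for the same call. Both function bodies start and end outside the hunks.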
@ -1,28 +0,0 @@
|
||||||
From 1c73110795b865246ce3595042dcd2d5e7891359 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Debarshi Ray <debarshir@gnome.org>
|
|
||||||
Date: Mon, 6 Nov 2023 20:27:16 +0100
|
|
||||||
Subject: [PATCH] Revert "selinux: Permit using systemd-userdbd"
|
|
||||||
|
|
||||||
This reverts commit 399710ada185c1ee232bc3e6266a71688eb152b7.
|
|
||||||
---
|
|
||||||
selinux/flatpak.te | 4 ----
|
|
||||||
1 file changed, 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
|
|
||||||
index bb3d80e316eb..4cf895c44abe 100644
|
|
||||||
--- a/selinux/flatpak.te
|
|
||||||
+++ b/selinux/flatpak.te
|
|
||||||
@@ -33,10 +33,6 @@ optional_policy(`
|
|
||||||
policykit_dbus_chat(flatpak_helper_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
-optional_policy(`
|
|
||||||
- systemd_userdbd_stream_connect(flatpak_helper_t)
|
|
||||||
-')
|
|
||||||
-
|
|
||||||
optional_policy(`
|
|
||||||
unconfined_domain(flatpak_helper_t)
|
|
||||||
')
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
|
@ -1,22 +1,16 @@
|
||||||
%global bubblewrap_version 0.4.0
|
%global bubblewrap_version 0.4.0
|
||||||
%global ostree_version 2020.8
|
%global ostree_version 2018.9
|
||||||
|
|
||||||
Name: flatpak
|
Name: flatpak
|
||||||
Version: 1.12.9
|
Version: 1.8.5
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: Application deployment framework for desktop apps
|
Summary: Application deployment framework for desktop apps
|
||||||
|
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
URL: http://flatpak.org/
|
URL: http://flatpak.org/
|
||||||
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
|
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1918776
|
||||||
%if 0%{?fedora}
|
Patch0: flatpak-1.8.5-post-cve-fixes.patch
|
||||||
# Add Fedora flatpak repositories
|
|
||||||
Source1: flatpak-add-fedora-repos.service
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# https://issues.redhat.com/browse/RHEL-4220
|
|
||||||
Patch0: flatpak-Revert-selinux-Permit-using-systemd-userdbd.patch
|
|
||||||
|
|
||||||
BuildRequires: pkgconfig(appstream-glib)
|
BuildRequires: pkgconfig(appstream-glib)
|
||||||
BuildRequires: pkgconfig(dconf)
|
BuildRequires: pkgconfig(dconf)
|
||||||
|
@ -24,7 +18,6 @@ BuildRequires: pkgconfig(fuse)
|
||||||
BuildRequires: pkgconfig(gdk-pixbuf-2.0)
|
BuildRequires: pkgconfig(gdk-pixbuf-2.0)
|
||||||
BuildRequires: pkgconfig(gio-unix-2.0)
|
BuildRequires: pkgconfig(gio-unix-2.0)
|
||||||
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
|
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
|
||||||
BuildRequires: pkgconfig(gpgme)
|
|
||||||
BuildRequires: pkgconfig(json-glib-1.0)
|
BuildRequires: pkgconfig(json-glib-1.0)
|
||||||
BuildRequires: pkgconfig(libarchive) >= 2.8.0
|
BuildRequires: pkgconfig(libarchive) >= 2.8.0
|
||||||
BuildRequires: pkgconfig(libseccomp)
|
BuildRequires: pkgconfig(libseccomp)
|
||||||
|
@ -40,14 +33,16 @@ BuildRequires: bubblewrap >= %{bubblewrap_version}
|
||||||
BuildRequires: docbook-dtds
|
BuildRequires: docbook-dtds
|
||||||
BuildRequires: docbook-style-xsl
|
BuildRequires: docbook-style-xsl
|
||||||
BuildRequires: gettext
|
BuildRequires: gettext
|
||||||
BuildRequires: libassuan-devel
|
BuildRequires: gpgme-devel
|
||||||
BuildRequires: libcap-devel
|
BuildRequires: libcap-devel
|
||||||
BuildRequires: python3-devel
|
|
||||||
BuildRequires: python3-pyparsing
|
BuildRequires: python3-pyparsing
|
||||||
BuildRequires: systemd
|
BuildRequires: systemd
|
||||||
|
BuildRequires: /usr/bin/python3
|
||||||
BuildRequires: /usr/bin/xmlto
|
BuildRequires: /usr/bin/xmlto
|
||||||
BuildRequires: /usr/bin/xsltproc
|
BuildRequires: /usr/bin/xsltproc
|
||||||
|
|
||||||
|
%{?systemd_requires}
|
||||||
|
|
||||||
Requires: bubblewrap >= %{bubblewrap_version}
|
Requires: bubblewrap >= %{bubblewrap_version}
|
||||||
Requires: librsvg2%{?_isa}
|
Requires: librsvg2%{?_isa}
|
||||||
Requires: ostree-libs%{?_isa} >= %{ostree_version}
|
Requires: ostree-libs%{?_isa} >= %{ostree_version}
|
||||||
|
@ -125,8 +120,6 @@ This package contains installed tests for %{name}.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -p1
|
%autosetup -p1
|
||||||
# Make sure to use the RHEL-lifetime supported Python and no other
|
|
||||||
%py3_shebang_fix scripts/* subprojects/variant-schema-compiler/* tests/*
|
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
@ -150,18 +143,8 @@ install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir}
|
||||||
install -d %{buildroot}%{_localstatedir}/lib/flatpak
|
install -d %{buildroot}%{_localstatedir}/lib/flatpak
|
||||||
install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
|
install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
|
||||||
rm -f %{buildroot}%{_libdir}/libflatpak.la
|
rm -f %{buildroot}%{_libdir}/libflatpak.la
|
||||||
|
|
||||||
%if 0%{?fedora}
|
|
||||||
install -D -t %{buildroot}%{_unitdir} %{SOURCE1}
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%find_lang %{name}
|
%find_lang %{name}
|
||||||
|
|
||||||
# Work around selinux denials, see
|
|
||||||
# https://github.com/flatpak/flatpak/issues/4128 for details. Note that we are
|
|
||||||
# going to need the system env generator if we should enable malcontent support
|
|
||||||
# in the future.
|
|
||||||
rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only
|
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
getent group flatpak >/dev/null || groupadd -r flatpak
|
getent group flatpak >/dev/null || groupadd -r flatpak
|
||||||
|
@ -171,28 +154,15 @@ getent passwd flatpak >/dev/null || \
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
|
|
||||||
%if 0%{?fedora}
|
|
||||||
%post
|
%post
|
||||||
%systemd_post flatpak-add-fedora-repos.service
|
# Create an (empty) system-wide repo.
|
||||||
%endif
|
flatpak remote-list --system &> /dev/null || :
|
||||||
|
|
||||||
|
|
||||||
%post selinux
|
%post selinux
|
||||||
%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
|
%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
|
||||||
|
|
||||||
|
|
||||||
%if 0%{?fedora}
|
|
||||||
%preun
|
|
||||||
%systemd_preun flatpak-add-fedora-repos.service
|
|
||||||
%endif
|
|
||||||
|
|
||||||
|
|
||||||
%if 0%{?fedora}
|
|
||||||
%postun
|
|
||||||
%systemd_postun_with_restart flatpak-add-fedora-repos.service
|
|
||||||
%endif
|
|
||||||
|
|
||||||
|
|
||||||
%postun selinux
|
%postun selinux
|
||||||
if [ $1 -eq 0 ]; then
|
if [ $1 -eq 0 ]; then
|
||||||
%selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2
|
%selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2
|
||||||
|
@ -235,7 +205,6 @@ fi
|
||||||
%{_mandir}/man5/flatpak-installation.5*
|
%{_mandir}/man5/flatpak-installation.5*
|
||||||
%{_mandir}/man5/flatpak-remote.5*
|
%{_mandir}/man5/flatpak-remote.5*
|
||||||
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
|
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
|
||||||
%dir %{_sysconfdir}/flatpak
|
|
||||||
%{_sysconfdir}/flatpak/remotes.d
|
%{_sysconfdir}/flatpak/remotes.d
|
||||||
%{_sysconfdir}/profile.d/flatpak.sh
|
%{_sysconfdir}/profile.d/flatpak.sh
|
||||||
%{_sysusersdir}/flatpak.conf
|
%{_sysusersdir}/flatpak.conf
|
||||||
|
@ -244,10 +213,6 @@ fi
|
||||||
%{_userunitdir}/flatpak-portal.service
|
%{_userunitdir}/flatpak-portal.service
|
||||||
%{_systemd_user_env_generator_dir}/60-flatpak
|
%{_systemd_user_env_generator_dir}/60-flatpak
|
||||||
|
|
||||||
%if 0%{?fedora}
|
|
||||||
%{_unitdir}/flatpak-add-fedora-repos.service
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%files devel
|
%files devel
|
||||||
%{_datadir}/gir-1.0/Flatpak-1.0.gir
|
%{_datadir}/gir-1.0/Flatpak-1.0.gir
|
||||||
%{_datadir}/gtk-doc/
|
%{_datadir}/gtk-doc/
|
||||||
|
@ -277,43 +242,6 @@ fi
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Apr 30 2024 Kalev Lember <klember@redhat.com> - 1.12.9-1
|
|
||||||
- Update to 1.12.9 (CVE-2024-32462)
|
|
||||||
|
|
||||||
* Mon Nov 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.12.8-1
|
|
||||||
- Rebase to 1.12.8 (RHEL-4220)
|
|
||||||
|
|
||||||
* Mon Nov 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-3
|
|
||||||
- Let flatpak own %%{_sysconfdir}/flatpak (RHEL-15822)
|
|
||||||
|
|
||||||
* Mon Sep 04 2023 Miro Hrončok <mhroncok@redhat.com> - 1.10.8-2
|
|
||||||
- Make sure to use the RHEL-lifetime supported Python and no other (RHEL-2225)
|
|
||||||
|
|
||||||
* Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-1
|
|
||||||
- Rebase to 1.10.8 (#2222103)
|
|
||||||
- Fix CVE-2023-28100 and CVE-2023-28101 (#2180311)
|
|
||||||
|
|
||||||
* Wed Mar 09 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
|
|
||||||
- Rebase to 1.10.7 (#2062417)
|
|
||||||
|
|
||||||
* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.7-1
|
|
||||||
- Rebase to 1.8.7 (#2041972)
|
|
||||||
|
|
||||||
* Tue Jan 25 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.6-1
|
|
||||||
- Rebase to 1.8.6 (#2010533)
|
|
||||||
|
|
||||||
* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-6
|
|
||||||
- Fix CVE-2021-41133 (#2012869)
|
|
||||||
|
|
||||||
* Tue Oct 05 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-5
|
|
||||||
- Disable gvfs plugins when listing flatpak installations (#1980438)
|
|
||||||
|
|
||||||
* Wed Jul 28 2021 Tomas Popela <tpopela@redhat.com> - 1.8.5-4
|
|
||||||
- Ship flatpak-devel in CRB (#1938064)
|
|
||||||
|
|
||||||
* Mon Mar 22 2021 David King <dking@redhat.com> - 1.8.5-3
|
|
||||||
- Fix CVE-2021-21381 (#1938064)
|
|
||||||
|
|
||||||
* Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2
|
* Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2
|
||||||
- Apply post-release CVE fixes (#1918776)
|
- Apply post-release CVE fixes (#1918776)
|
||||||
|
|
||||||
|
|
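Review bot: The 1.8.5 side of this spec pins `Version: 1.8.5` / `Release: 2%{?dist}` with `Patch0: flatpak-1.8.5-post-cve-fixes.patch` as its only patch, while the changelog entries present only on the c8 side record later security work: CVE-2021-21381 (1.8.5-3), CVE-2021-41133 (1.8.5-6), CVE-2023-28100 and CVE-2023-28101 (1.10.8-1), and CVE-2024-32462 (1.12.9-1). Going by the changelog alone, none of those fixes are in the imports branch, so it reads as a historical import and should not be used as a build or rebase source. A comment above `Version:` on that branch would make this explicit, for example `# Historical import of 1.8.5-2; later CVE fixes exist only on c8`. The same side also lowers `ostree_version` to `2018.9` and lacks the workaround that removes `60-flatpak-system-only` for the SELinux denials, so anything built from it would differ from c8 in more than the flatpak version.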