.flatpak.metadata

@@ -1 +0,0 @@
-a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz

.gitignore

@@ -1 +1 @@
-SOURCES/flatpak-1.8.5.tar.xz
+SOURCES/flatpak-1.10.8.tar.xz

SOURCES/flatpak-1.8.5-post-cve-fixes.patch

@@ -1,73 +0,0 @@
-From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 18 Jan 2021 17:52:13 +0000
-Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments
-
-This means we can systematically pass the environment variables
-through bwrap(1), even if it is setuid and thus is filtering out
-security-sensitive environment variables. bwrap itself ends up being
-run with an empty environment instead.
-
-This fixes a regression when CVE-2021-21261 was fixed: before the
-CVE fixes, LD_LIBRARY_PATH would have been passed through like this
-and appeared in the `flatpak build` shell, but during the CVE fixes,
-the special case that protected LD_LIBRARY_PATH was removed in favour
-of the more general flatpak_bwrap_envp_to_args(). That reasoning only
-works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
-that we run the potentially-setuid bwrap.
-
-Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
-Resolves: https://github.com/flatpak/flatpak/issues/4080
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0)
----
- app/flatpak-builtins-build.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
-index 8da0de814..07ef6fc07 100644
---- a/app/flatpak-builtins-build.c
-+++ b/app/flatpak-builtins-build.c
-@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
-                               NULL);
-     }
- 
-+  flatpak_bwrap_envp_to_args (bwrap);
-+
-   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
-     return FALSE;
- 
-From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 18 Jan 2021 18:07:38 +0000
-Subject: [PATCH] dir: Pass environment via bwrap --setenv when running
- apply_extra
-
-This means we can systematically pass the environment variables
-through bwrap(1), even if it is setuid and thus is filtering out
-security-sensitive environment variables. bwrap ends up being
-run with an empty environment instead.
-
-As with the previous commit, this regressed while fixing CVE-2021-21261.
-
-Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit fb473cad801c6b61706353256cab32330557374a)
----
- common/flatpak-dir.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
-index ed1248e74..40767fa77 100644
---- a/common/flatpak-dir.c
-+++ b/common/flatpak-dir.c
-@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir   *self,
-                                          app_context, NULL, NULL, NULL, cancellable, error))
-     return FALSE;
- 
-+  flatpak_bwrap_envp_to_args (bwrap);
-+
-   flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
- 
-   flatpak_bwrap_finish (bwrap);

SPECS/flatpak.spec

@@ -1,16 +1,14 @@
 %global bubblewrap_version 0.4.0
-%global ostree_version 2018.9
+%global ostree_version 2020.8
 
 Name:           flatpak
-Version:        1.8.5
+Version:        1.10.8
 Release:        2%{?dist}
 Summary:        Application deployment framework for desktop apps
 
 License:        LGPLv2+
 URL:            http://flatpak.org/
 Source0:        https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
-# https://bugzilla.redhat.com/show_bug.cgi?id=1918776
-Patch0:         flatpak-1.8.5-post-cve-fixes.patch
 
 BuildRequires:  pkgconfig(appstream-glib)
 BuildRequires:  pkgconfig(dconf)
@@ -18,6 +16,7 @@ BuildRequires:  pkgconfig(fuse)
 BuildRequires:  pkgconfig(gdk-pixbuf-2.0)
 BuildRequires:  pkgconfig(gio-unix-2.0)
 BuildRequires:  pkgconfig(gobject-introspection-1.0) >= 1.40.0
+BuildRequires:  pkgconfig(gpgme)
 BuildRequires:  pkgconfig(json-glib-1.0)
 BuildRequires:  pkgconfig(libarchive) >= 2.8.0
 BuildRequires:  pkgconfig(libseccomp)
@@ -33,11 +32,11 @@ BuildRequires:  bubblewrap >= %{bubblewrap_version}
 BuildRequires:  docbook-dtds
 BuildRequires:  docbook-style-xsl
 BuildRequires:  gettext
-BuildRequires:  gpgme-devel
+BuildRequires:  libassuan-devel
 BuildRequires:  libcap-devel
+BuildRequires:  python3-devel
 BuildRequires:  python3-pyparsing
 BuildRequires:  systemd
-BuildRequires:  /usr/bin/python3
 BuildRequires:  /usr/bin/xmlto
 BuildRequires:  /usr/bin/xsltproc
 
@@ -120,6 +119,8 @@ This package contains installed tests for %{name}.
 
 %prep
 %autosetup -p1
+# Make sure to use the RHEL-lifetime supported Python and no other
+%py3_shebang_fix scripts/*  variant-schema-compiler/*
 
 
 %build
@@ -145,6 +146,11 @@ install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
 rm -f %{buildroot}%{_libdir}/libflatpak.la
 %find_lang %{name}
 
+# Work around selinux denials, see
+# https://github.com/flatpak/flatpak/issues/4128 for details. Note that we are
+# going to need the system env generator if we should enable malcontent support
+# in the future.
+rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only
 
 %pre
 getent group flatpak >/dev/null || groupadd -r flatpak
@@ -242,6 +248,34 @@ fi
 
 
 %changelog
+* Mon Sep 04 2023 Miro Hrončok <mhroncok@redhat.com> - 1.10.8-2
+- Make sure to use the RHEL-lifetime supported Python and no other (RHEL-2225)
+
+* Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-1
+- Rebase to 1.10.8 (#2222103)
+- Fix CVE-2023-28100 and CVE-2023-28101 (#2180311)
+
+* Wed Mar 09 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
+- Rebase to 1.10.7 (#2062417)
+
+* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.7-1
+- Rebase to 1.8.7 (#2041972)
+
+* Tue Jan 25 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.6-1
+- Rebase to 1.8.6 (#2010533)
+
+* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-6
+- Fix CVE-2021-41133 (#2012869)
+
+* Tue Oct 05 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-5
+- Disable gvfs plugins when listing flatpak installations (#1980438)
+
+* Wed Jul 28 2021 Tomas Popela <tpopela@redhat.com> - 1.8.5-4
+- Ship flatpak-devel in CRB (#1938064)
+
+* Mon Mar 22 2021 David King <dking@redhat.com> - 1.8.5-3
+- Fix CVE-2021-21381 (#1938064)
+
 * Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2
 - Apply post-release CVE fixes (#1918776)