Compare commits


No commits in common. "imports/c8s/flatpak-1.8.5-2.el8" and "c8" have entirely different histories.

4 changed files with 41 additions and 81 deletions

View File

@ -1 +0,0 @@
a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz
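Review bot: this hunk only removes the lookaside entry for SOURCES/flatpak-1.8.5.tar.xz and adds no entry for the 1.10.8 tarball that .gitignore now lists, so no checksum for the new source is visible anywhere in this compare. Either the new hash line should land alongside this deletion or the commit should say where the 1.10.8 tarball's hash is recorded; as shown, the build has no integrity check for the rebased source.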

.gitignore vendored
View File

@ -1 +1 @@
SOURCES/flatpak-1.8.5.tar.xz
SOURCES/flatpak-1.10.8.tar.xz

View File

@ -1,73 +0,0 @@
From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Mon, 18 Jan 2021 17:52:13 +0000
Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments
This means we can systematically pass the environment variables
through bwrap(1), even if it is setuid and thus is filtering out
security-sensitive environment variables. bwrap itself ends up being
run with an empty environment instead.
This fixes a regression when CVE-2021-21261 was fixed: before the
CVE fixes, LD_LIBRARY_PATH would have been passed through like this
and appeared in the `flatpak build` shell, but during the CVE fixes,
the special case that protected LD_LIBRARY_PATH was removed in favour
of the more general flatpak_bwrap_envp_to_args(). That reasoning only
works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
that we run the potentially-setuid bwrap.
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
Resolves: https://github.com/flatpak/flatpak/issues/4080
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0)
---
app/flatpak-builtins-build.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
index 8da0de814..07ef6fc07 100644
--- a/app/flatpak-builtins-build.c
+++ b/app/flatpak-builtins-build.c
@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
NULL);
}
+ flatpak_bwrap_envp_to_args (bwrap);
+
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
return FALSE;
From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Mon, 18 Jan 2021 18:07:38 +0000
Subject: [PATCH] dir: Pass environment via bwrap --setenv when running
apply_extra
This means we can systematically pass the environment variables
through bwrap(1), even if it is setuid and thus is filtering out
security-sensitive environment variables. bwrap ends up being
run with an empty environment instead.
As with the previous commit, this regressed while fixing CVE-2021-21261.
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit fb473cad801c6b61706353256cab32330557374a)
---
common/flatpak-dir.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index ed1248e74..40767fa77 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir *self,
app_context, NULL, NULL, NULL, cancellable, error))
return FALSE;
+ flatpak_bwrap_envp_to_args (bwrap);
+
flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
flatpak_bwrap_finish (bwrap);
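Review bot: dropping this patch assumes that the two upstream commits it cherry-picks (9a61d2c4 and fb473cad, the `flatpak_bwrap_envp_to_args (bwrap);` calls in flatpak_builtin_build and apply_extra_data) are already contained in the 1.10.8 tarball, but nothing in the diff or in the 1.10.8-1 changelog entry states that. Suggest confirming both call sites are present in 1.10.8 before the rebase lands, since the patch's own description records that omitting either one regressed `flatpak build` after the CVE-2021-21261 fixes, with bwrap filtering variables such as LD_LIBRARY_PATH out of the build environment.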

View File

@ -1,16 +1,14 @@
%global bubblewrap_version 0.4.0
%global ostree_version 2018.9
%global ostree_version 2020.8
Name: flatpak
Version: 1.8.5
Version: 1.10.8
Release: 2%{?dist}
Summary: Application deployment framework for desktop apps
License: LGPLv2+
URL: http://flatpak.org/
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
# https://bugzilla.redhat.com/show_bug.cgi?id=1918776
Patch0: flatpak-1.8.5-post-cve-fixes.patch
BuildRequires: pkgconfig(appstream-glib)
BuildRequires: pkgconfig(dconf)
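Review bot: removing the `Patch0:` line together with its bugzilla comment leaves the spec with no patches at all, which is only correct if every fix previously carried downstream is in upstream 1.10.8; a one-line comment near Source0 naming the upstream release that absorbed the post-CVE-2021-21261 fixes (bug 1918776) would keep that trail for the next rebase. Also, `%global bubblewrap_version 0.4.0` is left untouched while ostree_version moves from 2018.9 to 2020.8; worth checking that the bubblewrap minimum still matches what 1.10.8's configure requires.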
@ -18,6 +16,7 @@ BuildRequires: pkgconfig(fuse)
BuildRequires: pkgconfig(gdk-pixbuf-2.0)
BuildRequires: pkgconfig(gio-unix-2.0)
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
BuildRequires: pkgconfig(gpgme)
BuildRequires: pkgconfig(json-glib-1.0)
BuildRequires: pkgconfig(libarchive) >= 2.8.0
BuildRequires: pkgconfig(libseccomp)
@ -33,11 +32,11 @@ BuildRequires: bubblewrap >= %{bubblewrap_version}
BuildRequires: docbook-dtds
BuildRequires: docbook-style-xsl
BuildRequires: gettext
BuildRequires: gpgme-devel
BuildRequires: libassuan-devel
BuildRequires: libcap-devel
BuildRequires: python3-devel
BuildRequires: python3-pyparsing
BuildRequires: systemd
BuildRequires: /usr/bin/python3
BuildRequires: /usr/bin/xmlto
BuildRequires: /usr/bin/xsltproc
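Review bot: the gpgme-devel line dropped here is replaced by the pkgconfig(gpgme) line added in the previous hunk, so that pair is consistent. The new python3-devel and python3-pyparsing lines presumably exist for the %py3_shebang_fix and variant-schema-compiler use added below, and replacing the bare `/usr/bin/python3` file dependency with python3-devel is also what normally pulls in the Python RPM macros that %py3_shebang_fix needs; a short comment stating that pyparsing is needed by variant-schema-compiler would make the dependency self-explanatory.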
@ -120,6 +119,8 @@ This package contains installed tests for %{name}.
%prep
%autosetup -p1
# Make sure to use the RHEL-lifetime supported Python and no other
%py3_shebang_fix scripts/* variant-schema-compiler/*
%build
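Review bot: %py3_shebang_fix is applied only to scripts/* and variant-schema-compiler/*, so any other Python file in the 1.10.8 tarball that gets installed would keep its upstream shebang, contrary to the "no other" intent in the comment. Either widen the fix to cover the installed tree after %install or add a check that no `#!/usr/bin/env python` shebang survives in %{buildroot}, so the policy is enforced rather than depending on two globs staying accurate across rebases.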
@ -145,6 +146,11 @@ install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
rm -f %{buildroot}%{_libdir}/libflatpak.la
%find_lang %{name}
# Work around selinux denials, see
# https://github.com/flatpak/flatpak/issues/4128 for details. Note that we are
# going to need the system env generator if we should enable malcontent support
# in the future.
rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only
%pre
getent group flatpak >/dev/null || groupadd -r flatpak
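Review bot: the `rm` of 60-flatpak-system-only is deliberately unconditional (unlike the `rm -f` on the .la file above), which is the right choice: if a later release renames or stops shipping the generator the build fails loudly instead of silently keeping a unit that SELinux denies. The comment should also state what the system environment generator provided and what system-installed flatpaks lose without it, so the note about re-enabling it for malcontent support is actionable, and it is worth confirming that the denial from issue 4128 reproduces under the RHEL policy and not only Fedora's.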
@ -242,6 +248,34 @@ fi
%changelog
* Mon Sep 04 2023 Miro Hrončok <mhroncok@redhat.com> - 1.10.8-2
- Make sure to use the RHEL-lifetime supported Python and no other (RHEL-2225)
* Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-1
- Rebase to 1.10.8 (#2222103)
- Fix CVE-2023-28100 and CVE-2023-28101 (#2180311)
* Wed Mar 09 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
- Rebase to 1.10.7 (#2062417)
* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.7-1
- Rebase to 1.8.7 (#2041972)
* Tue Jan 25 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.6-1
- Rebase to 1.8.6 (#2010533)
* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-6
- Fix CVE-2021-41133 (#2012869)
* Tue Oct 05 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-5
- Disable gvfs plugins when listing flatpak installations (#1980438)
* Wed Jul 28 2021 Tomas Popela <tpopela@redhat.com> - 1.8.5-4
- Ship flatpak-devel in CRB (#1938064)
* Mon Mar 22 2021 David King <dking@redhat.com> - 1.8.5-3
- Fix CVE-2021-21381 (#1938064)
* Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2
- Apply post-release CVE fixes (#1918776)
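Review bot: the 1.10.8-1 entry says it fixes CVE-2023-28100 and CVE-2023-28101, but after this change the spec carries no Patch lines, so those fixes can only come from the upstream 1.10.8 tarball itself; saying so explicitly ("fixed upstream in 1.10.8") would keep the changelog verifiable against the sources. The intermediate entries from 1.8.5-3 through 1.10.7-1 have no matching commits in the c8 side of this compare, which is expected given the two branches share no history, but the final entry should still be checked against the `Release: 2%{?dist}` and `Version: 1.10.8` values above, which it matches.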