Compare commits

...

No commits in common. "imports/c8s/flatpak-1.8.5-5.el8" and "c8" have entirely different histories.

6 changed files with 33 additions and 202 deletions

View File

@ -1 +0,0 @@
a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/flatpak-1.8.5.tar.xz
SOURCES/flatpak-1.10.8.tar.xz

View File

@ -1,86 +0,0 @@
From cb6fce9e4122ace2960c437def3b1a197bb49b3a Mon Sep 17 00:00:00 2001
From: Ryan Gonzalez <rymg19@gmail.com>
Date: Tue, 2 Mar 2021 13:20:07 -0600
Subject: [PATCH 1/3] Disallow @@ and @@u usage in desktop files
Fixes #4146.
---
common/flatpak-dir.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index e6e4d6fb3..7d3374dad 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -7139,6 +7139,8 @@ export_desktop_file (const char *app,
g_string_append_printf (new_exec, " @@ %s @@", arg);
else if (strcasecmp (arg, "%u") == 0)
g_string_append_printf (new_exec, " @@u %s @@", arg);
+ else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
+ g_print (_("Skipping invalid Exec argument %s\n"), arg);
else
g_string_append_printf (new_exec, " %s", arg);
}
From 0bdcb88b2d0013aa435dc03950fb42cef2cbd359 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 5 Mar 2021 13:49:36 +0000
Subject: [PATCH 2/3] dir: Reserve the whole @@ prefix
If we add new features analogous to file forwarding later, we might
find that we need a different magic token. Let's reserve the whole
@@* namespace so we can call it @@something-else.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 7d3374dad..facfab37a 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -7139,7 +7139,7 @@ export_desktop_file (const char *app,
g_string_append_printf (new_exec, " @@ %s @@", arg);
else if (strcasecmp (arg, "%u") == 0)
g_string_append_printf (new_exec, " @@u %s @@", arg);
- else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
+ else if (g_str_has_prefix (arg, "@@"))
g_print (_("Skipping invalid Exec argument %s\n"), arg);
else
g_string_append_printf (new_exec, " %s", arg);
From 230f4c3521cd0dffa446ab9b70e958cdd9241bbe Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 5 Mar 2021 13:51:33 +0000
Subject: [PATCH 3/3] dir: Refuse to export .desktop files with suspicious uses
of @@ tokens
This is either a malicious/compromised app trying to do an attack, or
a mistake that will break handling of %f, %u and so on. Either way,
if we refuse to export the .desktop file, resulting in installation
failing, then it makes the rejection more obvious than quietly
removing the magic tokens.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-dir.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index facfab37a..c5edf346f 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -7140,7 +7140,11 @@ export_desktop_file (const char *app,
else if (strcasecmp (arg, "%u") == 0)
g_string_append_printf (new_exec, " @@u %s @@", arg);
else if (g_str_has_prefix (arg, "@@"))
- g_print (_("Skipping invalid Exec argument %s\n"), arg);
+ {
+ flatpak_fail_error (error, FLATPAK_ERROR_EXPORT_FAILED,
+ _("Invalid Exec argument %s"), arg);
+ goto out;
+ }
else
g_string_append_printf (new_exec, " %s", arg);
}

View File

@ -1,73 +0,0 @@
From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Mon, 18 Jan 2021 17:52:13 +0000
Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments
This means we can systematically pass the environment variables
through bwrap(1), even if it is setuid and thus is filtering out
security-sensitive environment variables. bwrap itself ends up being
run with an empty environment instead.
This fixes a regression when CVE-2021-21261 was fixed: before the
CVE fixes, LD_LIBRARY_PATH would have been passed through like this
and appeared in the `flatpak build` shell, but during the CVE fixes,
the special case that protected LD_LIBRARY_PATH was removed in favour
of the more general flatpak_bwrap_envp_to_args(). That reasoning only
works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
that we run the potentially-setuid bwrap.
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
Resolves: https://github.com/flatpak/flatpak/issues/4080
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0)
---
app/flatpak-builtins-build.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
index 8da0de814..07ef6fc07 100644
--- a/app/flatpak-builtins-build.c
+++ b/app/flatpak-builtins-build.c
@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
NULL);
}
+ flatpak_bwrap_envp_to_args (bwrap);
+
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
return FALSE;
From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Mon, 18 Jan 2021 18:07:38 +0000
Subject: [PATCH] dir: Pass environment via bwrap --setenv when running
apply_extra
This means we can systematically pass the environment variables
through bwrap(1), even if it is setuid and thus is filtering out
security-sensitive environment variables. bwrap ends up being
run with an empty environment instead.
As with the previous commit, this regressed while fixing CVE-2021-21261.
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit fb473cad801c6b61706353256cab32330557374a)
---
common/flatpak-dir.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index ed1248e74..40767fa77 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir *self,
app_context, NULL, NULL, NULL, cancellable, error))
return FALSE;
+ flatpak_bwrap_envp_to_args (bwrap);
+
flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
flatpak_bwrap_finish (bwrap);

View File

@ -1,30 +0,0 @@
From e61282d89bffe0b2ed923d9a0158cee35996e8e4 Mon Sep 17 00:00:00 2001
From: Mourad De Clerck <bugs-debian@aquazul.com>
Date: Wed, 25 Nov 2020 13:55:28 +0100
Subject: [PATCH] profile.d: Disable gvfs plugins when listing flatpak
installations
This avoids gvfs-daemon being started when logging in as root via ssh.
Bug-Debian: https://bugs.debian.org/975710
(cherry picked from commit f69a35ceec7322e02007b45d676e0b6f1e9376b0)
---
profile/flatpak.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/profile/flatpak.sh b/profile/flatpak.sh
index 6c6e113ffd89..9dc6cf901ffd 100644
--- a/profile/flatpak.sh
+++ b/profile/flatpak.sh
@@ -5,7 +5,7 @@ if command -v flatpak > /dev/null; then
(
unset G_MESSAGES_DEBUG
echo "${XDG_DATA_HOME:-"$HOME/.local/share"}/flatpak"
- flatpak --installations
+ GIO_USE_VFS=local flatpak --installations
) | (
new_dirs=
while read -r install_path
--
2.31.1

View File

@ -1,20 +1,14 @@
%global bubblewrap_version 0.4.0
%global ostree_version 2018.9
%global ostree_version 2020.8
Name: flatpak
Version: 1.8.5
Release: 5%{?dist}
Version: 1.10.8
Release: 2%{?dist}
Summary: Application deployment framework for desktop apps
License: LGPLv2+
URL: http://flatpak.org/
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
# https://bugzilla.redhat.com/show_bug.cgi?id=1918776
Patch0: flatpak-1.8.5-post-cve-fixes.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1938064
Patch1: flatpak-1.8.5-fix-CVE-2021-21381.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1980438
Patch2: flatpak-1.8.5-profile.d-Disable-gvfs-plugins-when-listing-flatpak-.patch
BuildRequires: pkgconfig(appstream-glib)
BuildRequires: pkgconfig(dconf)
@ -22,6 +16,7 @@ BuildRequires: pkgconfig(fuse)
BuildRequires: pkgconfig(gdk-pixbuf-2.0)
BuildRequires: pkgconfig(gio-unix-2.0)
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
BuildRequires: pkgconfig(gpgme)
BuildRequires: pkgconfig(json-glib-1.0)
BuildRequires: pkgconfig(libarchive) >= 2.8.0
BuildRequires: pkgconfig(libseccomp)
@ -37,11 +32,11 @@ BuildRequires: bubblewrap >= %{bubblewrap_version}
BuildRequires: docbook-dtds
BuildRequires: docbook-style-xsl
BuildRequires: gettext
BuildRequires: gpgme-devel
BuildRequires: libassuan-devel
BuildRequires: libcap-devel
BuildRequires: python3-devel
BuildRequires: python3-pyparsing
BuildRequires: systemd
BuildRequires: /usr/bin/python3
BuildRequires: /usr/bin/xmlto
BuildRequires: /usr/bin/xsltproc
@ -124,6 +119,8 @@ This package contains installed tests for %{name}.
%prep
%autosetup -p1
# Make sure to use the RHEL-lifetime supported Python and no other
%py3_shebang_fix scripts/* variant-schema-compiler/*
%build
@ -149,6 +146,11 @@ install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
rm -f %{buildroot}%{_libdir}/libflatpak.la
%find_lang %{name}
# Work around selinux denials, see
# https://github.com/flatpak/flatpak/issues/4128 for details. Note that we are
# going to need the system env generator if we should enable malcontent support
# in the future.
rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only
%pre
getent group flatpak >/dev/null || groupadd -r flatpak
@ -246,6 +248,25 @@ fi
%changelog
* Mon Sep 04 2023 Miro Hrončok <mhroncok@redhat.com> - 1.10.8-2
- Make sure to use the RHEL-lifetime supported Python and no other (RHEL-2225)
* Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-1
- Rebase to 1.10.8 (#2222103)
- Fix CVE-2023-28100 and CVE-2023-28101 (#2180311)
* Wed Mar 09 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
- Rebase to 1.10.7 (#2062417)
* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.7-1
- Rebase to 1.8.7 (#2041972)
* Tue Jan 25 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.6-1
- Rebase to 1.8.6 (#2010533)
* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-6
- Fix CVE-2021-41133 (#2012869)
* Tue Oct 05 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-5
- Disable gvfs plugins when listing flatpak installations (#1980438)