Compare commits
No commits in common. "imports/c8s/flatpak-1.8.5-5.el8" and "c8" have entirely different histories.
imports/c8
...
c8
|
@ -1 +0,0 @@
|
|||
a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz
|
|
@ -1 +1 @@
|
|||
SOURCES/flatpak-1.8.5.tar.xz
|
||||
SOURCES/flatpak-1.10.8.tar.xz
|
||||
|
|
|
@ -1,86 +0,0 @@
|
|||
From cb6fce9e4122ace2960c437def3b1a197bb49b3a Mon Sep 17 00:00:00 2001
|
||||
From: Ryan Gonzalez <rymg19@gmail.com>
|
||||
Date: Tue, 2 Mar 2021 13:20:07 -0600
|
||||
Subject: [PATCH 1/3] Disallow @@ and @@u usage in desktop files
|
||||
|
||||
Fixes #4146.
|
||||
---
|
||||
common/flatpak-dir.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
||||
index e6e4d6fb3..7d3374dad 100644
|
||||
--- a/common/flatpak-dir.c
|
||||
+++ b/common/flatpak-dir.c
|
||||
@@ -7139,6 +7139,8 @@ export_desktop_file (const char *app,
|
||||
g_string_append_printf (new_exec, " @@ %s @@", arg);
|
||||
else if (strcasecmp (arg, "%u") == 0)
|
||||
g_string_append_printf (new_exec, " @@u %s @@", arg);
|
||||
+ else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
|
||||
+ g_print (_("Skipping invalid Exec argument %s\n"), arg);
|
||||
else
|
||||
g_string_append_printf (new_exec, " %s", arg);
|
||||
}
|
||||
|
||||
From 0bdcb88b2d0013aa435dc03950fb42cef2cbd359 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Fri, 5 Mar 2021 13:49:36 +0000
|
||||
Subject: [PATCH 2/3] dir: Reserve the whole @@ prefix
|
||||
|
||||
If we add new features analogous to file forwarding later, we might
|
||||
find that we need a different magic token. Let's reserve the whole
|
||||
@@* namespace so we can call it @@something-else.
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
---
|
||||
common/flatpak-dir.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
||||
index 7d3374dad..facfab37a 100644
|
||||
--- a/common/flatpak-dir.c
|
||||
+++ b/common/flatpak-dir.c
|
||||
@@ -7139,7 +7139,7 @@ export_desktop_file (const char *app,
|
||||
g_string_append_printf (new_exec, " @@ %s @@", arg);
|
||||
else if (strcasecmp (arg, "%u") == 0)
|
||||
g_string_append_printf (new_exec, " @@u %s @@", arg);
|
||||
- else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
|
||||
+ else if (g_str_has_prefix (arg, "@@"))
|
||||
g_print (_("Skipping invalid Exec argument %s\n"), arg);
|
||||
else
|
||||
g_string_append_printf (new_exec, " %s", arg);
|
||||
|
||||
From 230f4c3521cd0dffa446ab9b70e958cdd9241bbe Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Fri, 5 Mar 2021 13:51:33 +0000
|
||||
Subject: [PATCH 3/3] dir: Refuse to export .desktop files with suspicious uses
|
||||
of @@ tokens
|
||||
|
||||
This is either a malicious/compromised app trying to do an attack, or
|
||||
a mistake that will break handling of %f, %u and so on. Either way,
|
||||
if we refuse to export the .desktop file, resulting in installation
|
||||
failing, then it makes the rejection more obvious than quietly
|
||||
removing the magic tokens.
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
---
|
||||
common/flatpak-dir.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
||||
index facfab37a..c5edf346f 100644
|
||||
--- a/common/flatpak-dir.c
|
||||
+++ b/common/flatpak-dir.c
|
||||
@@ -7140,7 +7140,11 @@ export_desktop_file (const char *app,
|
||||
else if (strcasecmp (arg, "%u") == 0)
|
||||
g_string_append_printf (new_exec, " @@u %s @@", arg);
|
||||
else if (g_str_has_prefix (arg, "@@"))
|
||||
- g_print (_("Skipping invalid Exec argument %s\n"), arg);
|
||||
+ {
|
||||
+ flatpak_fail_error (error, FLATPAK_ERROR_EXPORT_FAILED,
|
||||
+ _("Invalid Exec argument %s"), arg);
|
||||
+ goto out;
|
||||
+ }
|
||||
else
|
||||
g_string_append_printf (new_exec, " %s", arg);
|
||||
}
|
|
@ -1,73 +0,0 @@
|
|||
From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Mon, 18 Jan 2021 17:52:13 +0000
|
||||
Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments
|
||||
|
||||
This means we can systematically pass the environment variables
|
||||
through bwrap(1), even if it is setuid and thus is filtering out
|
||||
security-sensitive environment variables. bwrap itself ends up being
|
||||
run with an empty environment instead.
|
||||
|
||||
This fixes a regression when CVE-2021-21261 was fixed: before the
|
||||
CVE fixes, LD_LIBRARY_PATH would have been passed through like this
|
||||
and appeared in the `flatpak build` shell, but during the CVE fixes,
|
||||
the special case that protected LD_LIBRARY_PATH was removed in favour
|
||||
of the more general flatpak_bwrap_envp_to_args(). That reasoning only
|
||||
works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
|
||||
that we run the potentially-setuid bwrap.
|
||||
|
||||
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
|
||||
Resolves: https://github.com/flatpak/flatpak/issues/4080
|
||||
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0)
|
||||
---
|
||||
app/flatpak-builtins-build.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
|
||||
index 8da0de814..07ef6fc07 100644
|
||||
--- a/app/flatpak-builtins-build.c
|
||||
+++ b/app/flatpak-builtins-build.c
|
||||
@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
|
||||
NULL);
|
||||
}
|
||||
|
||||
+ flatpak_bwrap_envp_to_args (bwrap);
|
||||
+
|
||||
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
|
||||
return FALSE;
|
||||
|
||||
From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Mon, 18 Jan 2021 18:07:38 +0000
|
||||
Subject: [PATCH] dir: Pass environment via bwrap --setenv when running
|
||||
apply_extra
|
||||
|
||||
This means we can systematically pass the environment variables
|
||||
through bwrap(1), even if it is setuid and thus is filtering out
|
||||
security-sensitive environment variables. bwrap ends up being
|
||||
run with an empty environment instead.
|
||||
|
||||
As with the previous commit, this regressed while fixing CVE-2021-21261.
|
||||
|
||||
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
(cherry picked from commit fb473cad801c6b61706353256cab32330557374a)
|
||||
---
|
||||
common/flatpak-dir.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
||||
index ed1248e74..40767fa77 100644
|
||||
--- a/common/flatpak-dir.c
|
||||
+++ b/common/flatpak-dir.c
|
||||
@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir *self,
|
||||
app_context, NULL, NULL, NULL, cancellable, error))
|
||||
return FALSE;
|
||||
|
||||
+ flatpak_bwrap_envp_to_args (bwrap);
|
||||
+
|
||||
flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
|
||||
|
||||
flatpak_bwrap_finish (bwrap);
|
|
@ -1,30 +0,0 @@
|
|||
From e61282d89bffe0b2ed923d9a0158cee35996e8e4 Mon Sep 17 00:00:00 2001
|
||||
From: Mourad De Clerck <bugs-debian@aquazul.com>
|
||||
Date: Wed, 25 Nov 2020 13:55:28 +0100
|
||||
Subject: [PATCH] profile.d: Disable gvfs plugins when listing flatpak
|
||||
installations
|
||||
|
||||
This avoids gvfs-daemon being started when logging in as root via ssh.
|
||||
|
||||
Bug-Debian: https://bugs.debian.org/975710
|
||||
(cherry picked from commit f69a35ceec7322e02007b45d676e0b6f1e9376b0)
|
||||
---
|
||||
profile/flatpak.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/profile/flatpak.sh b/profile/flatpak.sh
|
||||
index 6c6e113ffd89..9dc6cf901ffd 100644
|
||||
--- a/profile/flatpak.sh
|
||||
+++ b/profile/flatpak.sh
|
||||
@@ -5,7 +5,7 @@ if command -v flatpak > /dev/null; then
|
||||
(
|
||||
unset G_MESSAGES_DEBUG
|
||||
echo "${XDG_DATA_HOME:-"$HOME/.local/share"}/flatpak"
|
||||
- flatpak --installations
|
||||
+ GIO_USE_VFS=local flatpak --installations
|
||||
) | (
|
||||
new_dirs=
|
||||
while read -r install_path
|
||||
--
|
||||
2.31.1
|
||||
|
|
@ -1,20 +1,14 @@
|
|||
%global bubblewrap_version 0.4.0
|
||||
%global ostree_version 2018.9
|
||||
%global ostree_version 2020.8
|
||||
|
||||
Name: flatpak
|
||||
Version: 1.8.5
|
||||
Release: 5%{?dist}
|
||||
Version: 1.10.8
|
||||
Release: 2%{?dist}
|
||||
Summary: Application deployment framework for desktop apps
|
||||
|
||||
License: LGPLv2+
|
||||
URL: http://flatpak.org/
|
||||
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1918776
|
||||
Patch0: flatpak-1.8.5-post-cve-fixes.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1938064
|
||||
Patch1: flatpak-1.8.5-fix-CVE-2021-21381.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1980438
|
||||
Patch2: flatpak-1.8.5-profile.d-Disable-gvfs-plugins-when-listing-flatpak-.patch
|
||||
|
||||
BuildRequires: pkgconfig(appstream-glib)
|
||||
BuildRequires: pkgconfig(dconf)
|
||||
|
@ -22,6 +16,7 @@ BuildRequires: pkgconfig(fuse)
|
|||
BuildRequires: pkgconfig(gdk-pixbuf-2.0)
|
||||
BuildRequires: pkgconfig(gio-unix-2.0)
|
||||
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
|
||||
BuildRequires: pkgconfig(gpgme)
|
||||
BuildRequires: pkgconfig(json-glib-1.0)
|
||||
BuildRequires: pkgconfig(libarchive) >= 2.8.0
|
||||
BuildRequires: pkgconfig(libseccomp)
|
||||
|
@ -37,11 +32,11 @@ BuildRequires: bubblewrap >= %{bubblewrap_version}
|
|||
BuildRequires: docbook-dtds
|
||||
BuildRequires: docbook-style-xsl
|
||||
BuildRequires: gettext
|
||||
BuildRequires: gpgme-devel
|
||||
BuildRequires: libassuan-devel
|
||||
BuildRequires: libcap-devel
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: python3-pyparsing
|
||||
BuildRequires: systemd
|
||||
BuildRequires: /usr/bin/python3
|
||||
BuildRequires: /usr/bin/xmlto
|
||||
BuildRequires: /usr/bin/xsltproc
|
||||
|
||||
|
@ -124,6 +119,8 @@ This package contains installed tests for %{name}.
|
|||
|
||||
%prep
|
||||
%autosetup -p1
|
||||
# Make sure to use the RHEL-lifetime supported Python and no other
|
||||
%py3_shebang_fix scripts/* variant-schema-compiler/*
|
||||
|
||||
|
||||
%build
|
||||
|
@ -149,6 +146,11 @@ install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
|
|||
rm -f %{buildroot}%{_libdir}/libflatpak.la
|
||||
%find_lang %{name}
|
||||
|
||||
# Work around selinux denials, see
|
||||
# https://github.com/flatpak/flatpak/issues/4128 for details. Note that we are
|
||||
# going to need the system env generator if we should enable malcontent support
|
||||
# in the future.
|
||||
rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only
|
||||
|
||||
%pre
|
||||
getent group flatpak >/dev/null || groupadd -r flatpak
|
||||
|
@ -246,6 +248,25 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Mon Sep 04 2023 Miro Hrončok <mhroncok@redhat.com> - 1.10.8-2
|
||||
- Make sure to use the RHEL-lifetime supported Python and no other (RHEL-2225)
|
||||
|
||||
* Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-1
|
||||
- Rebase to 1.10.8 (#2222103)
|
||||
- Fix CVE-2023-28100 and CVE-2023-28101 (#2180311)
|
||||
|
||||
* Wed Mar 09 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
|
||||
- Rebase to 1.10.7 (#2062417)
|
||||
|
||||
* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.7-1
|
||||
- Rebase to 1.8.7 (#2041972)
|
||||
|
||||
* Tue Jan 25 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.6-1
|
||||
- Rebase to 1.8.6 (#2010533)
|
||||
|
||||
* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-6
|
||||
- Fix CVE-2021-41133 (#2012869)
|
||||
|
||||
* Tue Oct 05 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-5
|
||||
- Disable gvfs plugins when listing flatpak installations (#1980438)
|
||||
|
||||
|
|
Loading…
Reference in New Issue