Compare commits
No commits in common. "imports/c8s/flatpak-1.8.5-5.el8" and "c8" have entirely different histories.
imports/c8
...
c8
@ -1 +1 @@
|
|||||||
a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz
|
41429400eab33868b6c6045fe235e86e1086a056 SOURCES/flatpak-1.12.9.tar.xz
|
||||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/flatpak-1.8.5.tar.xz
|
SOURCES/flatpak-1.12.9.tar.xz
|
||||||
|
330
SOURCES/flatpak-1.12.x-CVE-2024-42472.patch
Normal file
330
SOURCES/flatpak-1.12.x-CVE-2024-42472.patch
Normal file
@ -0,0 +1,330 @@
|
|||||||
|
From 8451fa0ae30397b83705a193aa0d3f7752486dda Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Larsson <alexl@redhat.com>
|
||||||
|
Date: Mon, 3 Jun 2024 12:22:30 +0200
|
||||||
|
Subject: [PATCH 1/4] Don't follow symlinks when mounting persisted directories
|
||||||
|
|
||||||
|
These directories are in a location under application control, so we
|
||||||
|
can't trust them to not be a symlink outside of the files accessibe to
|
||||||
|
the application.
|
||||||
|
|
||||||
|
Continue to treat --persist=/foo as --persist=foo for backwards compat,
|
||||||
|
since this is how it (accidentally) worked before, but print a warning.
|
||||||
|
|
||||||
|
Don't allow ".." elements in persist paths: these would not be useful
|
||||||
|
anyway, and are unlikely to be in use, however they could potentially
|
||||||
|
be used to confuse the persist path handling.
|
||||||
|
|
||||||
|
This partially addresses CVE-2024-42472. If only one instance of the
|
||||||
|
malicious or compromised app is run at a time, the vulnerability
|
||||||
|
is avoided. If two instances can run concurrently, there is a
|
||||||
|
time-of-check/time-of-use issue remaining, which can only be resolved
|
||||||
|
with changes to bubblewrap; this will be resolved in a separate commit,
|
||||||
|
because the bubblewrap dependency might be more difficult to provide in
|
||||||
|
LTS distributions.
|
||||||
|
|
||||||
|
Helps: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
|
||||||
|
[smcv: Make whitespace consistent]
|
||||||
|
[smcv: Use g_warning() if unable to create --persist paths]
|
||||||
|
[smcv: Use stat() to detect symlinks and warn about them]
|
||||||
|
[smcv: Use glnx_steal_fd() for portability to older GLib]
|
||||||
|
Co-authored-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
---
|
||||||
|
common/flatpak-context.c | 108 +++++++++++++++++++++++++++++++++++++--
|
||||||
|
1 file changed, 105 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
|
||||||
|
index 53b79807..8c784acf 100644
|
||||||
|
--- a/common/flatpak-context.c
|
||||||
|
+++ b/common/flatpak-context.c
|
||||||
|
@@ -2686,6 +2686,90 @@ flatpak_context_get_exports_full (FlatpakContext *context,
|
||||||
|
return g_steal_pointer (&exports);
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* This creates zero or more directories unders base_fd+basedir, each
|
||||||
|
+ * being guaranteed to either exist and be a directory (no symlinks)
|
||||||
|
+ * or be created as a directory. The last directory is opened
|
||||||
|
+ * and the fd is returned.
|
||||||
|
+ */
|
||||||
|
+static gboolean
|
||||||
|
+mkdir_p_open_nofollow_at (int base_fd,
|
||||||
|
+ const char *basedir,
|
||||||
|
+ int mode,
|
||||||
|
+ const char *subdir,
|
||||||
|
+ int *out_fd,
|
||||||
|
+ GError **error)
|
||||||
|
+{
|
||||||
|
+ glnx_autofd int parent_fd = -1;
|
||||||
|
+
|
||||||
|
+ if (g_path_is_absolute (subdir))
|
||||||
|
+ {
|
||||||
|
+ const char *skipped_prefix = subdir;
|
||||||
|
+
|
||||||
|
+ while (*skipped_prefix == '/')
|
||||||
|
+ skipped_prefix++;
|
||||||
|
+
|
||||||
|
+ g_warning ("--persist=\"%s\" is deprecated, treating it as --persist=\"%s\"", subdir, skipped_prefix);
|
||||||
|
+ subdir = skipped_prefix;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ g_autofree char *subdir_dirname = g_path_get_dirname (subdir);
|
||||||
|
+
|
||||||
|
+ if (strcmp (subdir_dirname, ".") == 0)
|
||||||
|
+ {
|
||||||
|
+ /* It is ok to open basedir with follow=true */
|
||||||
|
+ if (!glnx_opendirat (base_fd, basedir, TRUE, &parent_fd, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+ else if (strcmp (subdir_dirname, "..") == 0)
|
||||||
|
+ {
|
||||||
|
+ return glnx_throw (error, "'..' not supported in --persist paths");
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ if (!mkdir_p_open_nofollow_at (base_fd, basedir, mode,
|
||||||
|
+ subdir_dirname, &parent_fd, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ g_autofree char *subdir_basename = g_path_get_basename (subdir);
|
||||||
|
+
|
||||||
|
+ if (strcmp (subdir_basename, ".") == 0)
|
||||||
|
+ {
|
||||||
|
+ *out_fd = glnx_steal_fd (&parent_fd);
|
||||||
|
+ return TRUE;
|
||||||
|
+ }
|
||||||
|
+ else if (strcmp (subdir_basename, "..") == 0)
|
||||||
|
+ {
|
||||||
|
+ return glnx_throw (error, "'..' not supported in --persist paths");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!glnx_shutil_mkdir_p_at (parent_fd, subdir_basename, mode, NULL, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+
|
||||||
|
+ int fd = openat (parent_fd, subdir_basename, O_PATH | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW);
|
||||||
|
+ if (fd == -1)
|
||||||
|
+ {
|
||||||
|
+ int saved_errno = errno;
|
||||||
|
+ struct stat stat_buf;
|
||||||
|
+
|
||||||
|
+ /* If it's a symbolic link, that could be a user trying to offload
|
||||||
|
+ * large data to another filesystem, but it could equally well be
|
||||||
|
+ * a malicious or compromised app trying to exploit GHSA-7hgv-f2j8-xw87.
|
||||||
|
+ * Produce a clearer error message in this case.
|
||||||
|
+ * Unfortunately the errno we get in this case is ENOTDIR, so we have
|
||||||
|
+ * to ask again to find out whether it's really a symlink. */
|
||||||
|
+ if (saved_errno == ENOTDIR &&
|
||||||
|
+ fstatat (parent_fd, subdir_basename, &stat_buf, AT_SYMLINK_NOFOLLOW) == 0 &&
|
||||||
|
+ S_ISLNK (stat_buf.st_mode))
|
||||||
|
+ return glnx_throw (error, "Symbolic link \"%s\" not allowed to avoid sandbox escape", subdir_basename);
|
||||||
|
+
|
||||||
|
+ return glnx_throw_errno_prefix (error, "openat(%s)", subdir_basename);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ *out_fd = fd;
|
||||||
|
+ return TRUE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
void
|
||||||
|
flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
|
||||||
|
FlatpakBwrap *bwrap,
|
||||||
|
@@ -2709,12 +2793,30 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
|
||||||
|
while (g_hash_table_iter_next (&iter, &key, NULL))
|
||||||
|
{
|
||||||
|
const char *persist = key;
|
||||||
|
- g_autofree char *src = g_build_filename (g_get_home_dir (), ".var/app", app_id, persist, NULL);
|
||||||
|
+ g_autofree char *appdir = g_build_filename (g_get_home_dir (), ".var/app", app_id, NULL);
|
||||||
|
g_autofree char *dest = g_build_filename (g_get_home_dir (), persist, NULL);
|
||||||
|
+ g_autoptr(GError) local_error = NULL;
|
||||||
|
+
|
||||||
|
+ if (g_mkdir_with_parents (appdir, 0755) != 0)
|
||||||
|
+ {
|
||||||
|
+ g_warning ("Unable to create directory %s", appdir);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Don't follow symlinks from the persist directory, as it is under user control */
|
||||||
|
+ glnx_autofd int src_fd = -1;
|
||||||
|
+ if (!mkdir_p_open_nofollow_at (AT_FDCWD, appdir, 0755,
|
||||||
|
+ persist, &src_fd,
|
||||||
|
+ &local_error))
|
||||||
|
+ {
|
||||||
|
+ g_warning ("Failed to create persist path %s: %s", persist, local_error->message);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- g_mkdir_with_parents (src, 0755);
|
||||||
|
+ g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
|
||||||
|
|
||||||
|
- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src, dest);
|
||||||
|
+ flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
|
||||||
|
+ flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.46.0
|
||||||
|
|
||||||
|
|
||||||
|
From 5462c9b1e1a34b1104c8a0843a10382e90c9bb6b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Larsson <alexl@redhat.com>
|
||||||
|
Date: Mon, 3 Jun 2024 12:59:05 +0200
|
||||||
|
Subject: [PATCH 2/4] Add test coverage for --persist
|
||||||
|
|
||||||
|
This adds three "positive" tests: the common case --persist=.persist, the
|
||||||
|
deprecated spelling --persist=/.persist, and the less common special case
|
||||||
|
--persist=. as used by Steam.
|
||||||
|
|
||||||
|
It also adds "negative" tests for CVE-2024-42472: if the --persist
|
||||||
|
directory is a symbolic link or contains path segment "..", we want that
|
||||||
|
to be rejected.
|
||||||
|
|
||||||
|
Reproduces: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
|
||||||
|
[smcv: Add "positive" tests]
|
||||||
|
[smcv: Exercise --persist=..]
|
||||||
|
[smcv: Assert that --persist with a symlink produces expected message]
|
||||||
|
Co-authored-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
---
|
||||||
|
tests/test-run.sh | 41 ++++++++++++++++++++++++++++++++++++++++-
|
||||||
|
1 file changed, 40 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tests/test-run.sh b/tests/test-run.sh
|
||||||
|
index dd371df3..bca0845d 100644
|
||||||
|
--- a/tests/test-run.sh
|
||||||
|
+++ b/tests/test-run.sh
|
||||||
|
@@ -24,7 +24,7 @@ set -euo pipefail
|
||||||
|
skip_without_bwrap
|
||||||
|
skip_revokefs_without_fuse
|
||||||
|
|
||||||
|
-echo "1..20"
|
||||||
|
+echo "1..21"
|
||||||
|
|
||||||
|
# Use stable rather than master as the branch so we can test that the run
|
||||||
|
# command automatically finds the branch correctly
|
||||||
|
@@ -512,3 +512,42 @@ ${FLATPAK} ${U} info -m org.test.App > out
|
||||||
|
assert_file_has_content out "^sdk=org\.test\.Sdk/$(flatpak --default-arch)/stable$"
|
||||||
|
|
||||||
|
ok "--sdk option"
|
||||||
|
+
|
||||||
|
+rm -fr "$HOME/.var/app/org.test.Hello"
|
||||||
|
+mkdir -p "$HOME/.var/app/org.test.Hello"
|
||||||
|
+run --command=sh --persist=.persist org.test.Hello -c 'echo can-persist > .persist/rc'
|
||||||
|
+sed -e 's,^,#--persist=.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
|
||||||
|
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
|
||||||
|
+
|
||||||
|
+ok "--persist=.persist persists a directory"
|
||||||
|
+
|
||||||
|
+rm -fr "$HOME/.var/app/org.test.Hello"
|
||||||
|
+mkdir -p "$HOME/.var/app/org.test.Hello"
|
||||||
|
+# G_DEBUG= to avoid the deprecation warning being fatal
|
||||||
|
+G_DEBUG= run --command=sh --persist=/.persist org.test.Hello -c 'echo can-persist > .persist/rc'
|
||||||
|
+sed -e 's,^,#--persist=/.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
|
||||||
|
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
|
||||||
|
+
|
||||||
|
+ok "--persist=/.persist is a deprecated form of --persist=.persist"
|
||||||
|
+
|
||||||
|
+rm -fr "$HOME/.var/app/org.test.Hello"
|
||||||
|
+mkdir -p "$HOME/.var/app/org.test.Hello"
|
||||||
|
+run --command=sh --persist=. org.test.Hello -c 'echo can-persist > .persistrc'
|
||||||
|
+sed -e 's,^,#--persist=.# ,g' < "$HOME/.var/app/org.test.Hello/.persistrc" >&2
|
||||||
|
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persistrc" "can-persist"
|
||||||
|
+
|
||||||
|
+ok "--persist=. persists all files"
|
||||||
|
+
|
||||||
|
+mkdir "${TEST_DATA_DIR}/inaccessible"
|
||||||
|
+echo FOO > ${TEST_DATA_DIR}/inaccessible/secret-file
|
||||||
|
+rm -fr "$HOME/.var/app/org.test.Hello"
|
||||||
|
+mkdir -p "$HOME/.var/app/org.test.Hello"
|
||||||
|
+ln -fns "${TEST_DATA_DIR}/inaccessible" "$HOME/.var/app/org.test.Hello/persist"
|
||||||
|
+# G_DEBUG= to avoid the warnings being fatal when we reject a --persist option.
|
||||||
|
+# LC_ALL=C so we get the expected non-localized string.
|
||||||
|
+LC_ALL=C G_DEBUG= run --command=ls --persist=persist --persist=relative/../escape org.test.Hello -la ~/persist &> hello_out || true
|
||||||
|
+sed -e 's,^,#--persist=symlink# ,g' < hello_out >&2
|
||||||
|
+assert_file_has_content hello_out "not allowed to avoid sandbox escape"
|
||||||
|
+assert_not_file_has_content hello_out "secret-file"
|
||||||
|
+
|
||||||
|
+ok "--persist doesn't allow sandbox escape via a symlink (CVE-2024-42472)"
|
||||||
|
--
|
||||||
|
2.46.0
|
||||||
|
|
||||||
|
|
||||||
|
From 04d8ad3009cd8a4350fba6cf7cc6c7819ccdfd34 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon McVittie <smcv@collabora.com>
|
||||||
|
Date: Mon, 12 Aug 2024 19:48:18 +0100
|
||||||
|
Subject: [PATCH 3/4] build: Require a version of bubblewrap with the --bind-fd
|
||||||
|
option
|
||||||
|
|
||||||
|
We need this for the --bind-fd option, which will close a race
|
||||||
|
condition in our solution to CVE-2024-42472.
|
||||||
|
|
||||||
|
For this stable branch, check the --help output for a --bind-fd option
|
||||||
|
instead of requiring a specific version number, to accommodate possible
|
||||||
|
backports in LTS distributions.
|
||||||
|
|
||||||
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
---
|
||||||
|
configure.ac | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 0a44e11a..0c8e2d0e 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -175,6 +175,9 @@ if test "x$BWRAP" != xfalse; then
|
||||||
|
BWRAP_VERSION=`$BWRAP --version | sed 's,.*\ \([0-9]*\.[0-9]*\.[0-9]*\)$,\1,'`
|
||||||
|
AX_COMPARE_VERSION([$SYSTEM_BWRAP_REQS],[gt],[$BWRAP_VERSION],
|
||||||
|
[AC_MSG_ERROR([You need at least version $SYSTEM_BWRAP_REQS of bubblewrap to use the system installed version])])
|
||||||
|
+ AS_IF([$BWRAP --help | grep '@<:@-@:>@-bind-fd' >/dev/null],
|
||||||
|
+ [:],
|
||||||
|
+ [AC_MSG_ERROR([$BWRAP does not list required option --bind-fd in its --help])])
|
||||||
|
AM_CONDITIONAL([WITH_SYSTEM_BWRAP], [true])
|
||||||
|
else
|
||||||
|
AC_CHECK_LIB(cap, cap_from_text, CAP_LIB=-lcap)
|
||||||
|
--
|
||||||
|
2.46.0
|
||||||
|
|
||||||
|
|
||||||
|
From 2772f19e50c0e809dde8cf3c105d90ee8baf4fa8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon McVittie <smcv@collabora.com>
|
||||||
|
Date: Wed, 14 Aug 2024 13:44:30 +0100
|
||||||
|
Subject: [PATCH 4/4] persist directories: Pass using new bwrap --bind-fd
|
||||||
|
option
|
||||||
|
|
||||||
|
Instead of passing a /proc/self/fd bind mount we use --bind-fd, which
|
||||||
|
has two advantages:
|
||||||
|
* bwrap closes the fd when used, so it doesn't leak into the started app
|
||||||
|
* bwrap ensures that what was mounted was the passed in fd (same dev/ino),
|
||||||
|
as there is a small (required) gap between symlink resolve and mount
|
||||||
|
where the target path could be replaced.
|
||||||
|
|
||||||
|
Please note that this change requires an updated version of bubblewrap.
|
||||||
|
|
||||||
|
Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
|
||||||
|
[smcv: Make whitespace consistent]
|
||||||
|
Co-authored-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
---
|
||||||
|
common/flatpak-context.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
|
||||||
|
index 8c784acf..baa62728 100644
|
||||||
|
--- a/common/flatpak-context.c
|
||||||
|
+++ b/common/flatpak-context.c
|
||||||
|
@@ -2813,10 +2813,10 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
- g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
|
||||||
|
+ g_autofree char *src_via_proc = g_strdup_printf ("%d", src_fd);
|
||||||
|
|
||||||
|
flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
|
||||||
|
- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
|
||||||
|
+ flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.46.0
|
||||||
|
|
@ -1,86 +0,0 @@
|
|||||||
From cb6fce9e4122ace2960c437def3b1a197bb49b3a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ryan Gonzalez <rymg19@gmail.com>
|
|
||||||
Date: Tue, 2 Mar 2021 13:20:07 -0600
|
|
||||||
Subject: [PATCH 1/3] Disallow @@ and @@u usage in desktop files
|
|
||||||
|
|
||||||
Fixes #4146.
|
|
||||||
---
|
|
||||||
common/flatpak-dir.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
|
||||||
index e6e4d6fb3..7d3374dad 100644
|
|
||||||
--- a/common/flatpak-dir.c
|
|
||||||
+++ b/common/flatpak-dir.c
|
|
||||||
@@ -7139,6 +7139,8 @@ export_desktop_file (const char *app,
|
|
||||||
g_string_append_printf (new_exec, " @@ %s @@", arg);
|
|
||||||
else if (strcasecmp (arg, "%u") == 0)
|
|
||||||
g_string_append_printf (new_exec, " @@u %s @@", arg);
|
|
||||||
+ else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
|
|
||||||
+ g_print (_("Skipping invalid Exec argument %s\n"), arg);
|
|
||||||
else
|
|
||||||
g_string_append_printf (new_exec, " %s", arg);
|
|
||||||
}
|
|
||||||
|
|
||||||
From 0bdcb88b2d0013aa435dc03950fb42cef2cbd359 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simon McVittie <smcv@collabora.com>
|
|
||||||
Date: Fri, 5 Mar 2021 13:49:36 +0000
|
|
||||||
Subject: [PATCH 2/3] dir: Reserve the whole @@ prefix
|
|
||||||
|
|
||||||
If we add new features analogous to file forwarding later, we might
|
|
||||||
find that we need a different magic token. Let's reserve the whole
|
|
||||||
@@* namespace so we can call it @@something-else.
|
|
||||||
|
|
||||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
||||||
---
|
|
||||||
common/flatpak-dir.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
|
||||||
index 7d3374dad..facfab37a 100644
|
|
||||||
--- a/common/flatpak-dir.c
|
|
||||||
+++ b/common/flatpak-dir.c
|
|
||||||
@@ -7139,7 +7139,7 @@ export_desktop_file (const char *app,
|
|
||||||
g_string_append_printf (new_exec, " @@ %s @@", arg);
|
|
||||||
else if (strcasecmp (arg, "%u") == 0)
|
|
||||||
g_string_append_printf (new_exec, " @@u %s @@", arg);
|
|
||||||
- else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
|
|
||||||
+ else if (g_str_has_prefix (arg, "@@"))
|
|
||||||
g_print (_("Skipping invalid Exec argument %s\n"), arg);
|
|
||||||
else
|
|
||||||
g_string_append_printf (new_exec, " %s", arg);
|
|
||||||
|
|
||||||
From 230f4c3521cd0dffa446ab9b70e958cdd9241bbe Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simon McVittie <smcv@collabora.com>
|
|
||||||
Date: Fri, 5 Mar 2021 13:51:33 +0000
|
|
||||||
Subject: [PATCH 3/3] dir: Refuse to export .desktop files with suspicious uses
|
|
||||||
of @@ tokens
|
|
||||||
|
|
||||||
This is either a malicious/compromised app trying to do an attack, or
|
|
||||||
a mistake that will break handling of %f, %u and so on. Either way,
|
|
||||||
if we refuse to export the .desktop file, resulting in installation
|
|
||||||
failing, then it makes the rejection more obvious than quietly
|
|
||||||
removing the magic tokens.
|
|
||||||
|
|
||||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
||||||
---
|
|
||||||
common/flatpak-dir.c | 6 +++++-
|
|
||||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
|
||||||
index facfab37a..c5edf346f 100644
|
|
||||||
--- a/common/flatpak-dir.c
|
|
||||||
+++ b/common/flatpak-dir.c
|
|
||||||
@@ -7140,7 +7140,11 @@ export_desktop_file (const char *app,
|
|
||||||
else if (strcasecmp (arg, "%u") == 0)
|
|
||||||
g_string_append_printf (new_exec, " @@u %s @@", arg);
|
|
||||||
else if (g_str_has_prefix (arg, "@@"))
|
|
||||||
- g_print (_("Skipping invalid Exec argument %s\n"), arg);
|
|
||||||
+ {
|
|
||||||
+ flatpak_fail_error (error, FLATPAK_ERROR_EXPORT_FAILED,
|
|
||||||
+ _("Invalid Exec argument %s"), arg);
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
else
|
|
||||||
g_string_append_printf (new_exec, " %s", arg);
|
|
||||||
}
|
|
@ -1,73 +0,0 @@
|
|||||||
From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simon McVittie <smcv@collabora.com>
|
|
||||||
Date: Mon, 18 Jan 2021 17:52:13 +0000
|
|
||||||
Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments
|
|
||||||
|
|
||||||
This means we can systematically pass the environment variables
|
|
||||||
through bwrap(1), even if it is setuid and thus is filtering out
|
|
||||||
security-sensitive environment variables. bwrap itself ends up being
|
|
||||||
run with an empty environment instead.
|
|
||||||
|
|
||||||
This fixes a regression when CVE-2021-21261 was fixed: before the
|
|
||||||
CVE fixes, LD_LIBRARY_PATH would have been passed through like this
|
|
||||||
and appeared in the `flatpak build` shell, but during the CVE fixes,
|
|
||||||
the special case that protected LD_LIBRARY_PATH was removed in favour
|
|
||||||
of the more general flatpak_bwrap_envp_to_args(). That reasoning only
|
|
||||||
works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
|
|
||||||
that we run the potentially-setuid bwrap.
|
|
||||||
|
|
||||||
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
|
|
||||||
Resolves: https://github.com/flatpak/flatpak/issues/4080
|
|
||||||
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
|
|
||||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
||||||
(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0)
|
|
||||||
---
|
|
||||||
app/flatpak-builtins-build.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
|
|
||||||
index 8da0de814..07ef6fc07 100644
|
|
||||||
--- a/app/flatpak-builtins-build.c
|
|
||||||
+++ b/app/flatpak-builtins-build.c
|
|
||||||
@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
|
|
||||||
NULL);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ flatpak_bwrap_envp_to_args (bwrap);
|
|
||||||
+
|
|
||||||
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
|
|
||||||
return FALSE;
|
|
||||||
|
|
||||||
From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simon McVittie <smcv@collabora.com>
|
|
||||||
Date: Mon, 18 Jan 2021 18:07:38 +0000
|
|
||||||
Subject: [PATCH] dir: Pass environment via bwrap --setenv when running
|
|
||||||
apply_extra
|
|
||||||
|
|
||||||
This means we can systematically pass the environment variables
|
|
||||||
through bwrap(1), even if it is setuid and thus is filtering out
|
|
||||||
security-sensitive environment variables. bwrap ends up being
|
|
||||||
run with an empty environment instead.
|
|
||||||
|
|
||||||
As with the previous commit, this regressed while fixing CVE-2021-21261.
|
|
||||||
|
|
||||||
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
|
|
||||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
||||||
(cherry picked from commit fb473cad801c6b61706353256cab32330557374a)
|
|
||||||
---
|
|
||||||
common/flatpak-dir.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
|
||||||
index ed1248e74..40767fa77 100644
|
|
||||||
--- a/common/flatpak-dir.c
|
|
||||||
+++ b/common/flatpak-dir.c
|
|
||||||
@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir *self,
|
|
||||||
app_context, NULL, NULL, NULL, cancellable, error))
|
|
||||||
return FALSE;
|
|
||||||
|
|
||||||
+ flatpak_bwrap_envp_to_args (bwrap);
|
|
||||||
+
|
|
||||||
flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
|
|
||||||
|
|
||||||
flatpak_bwrap_finish (bwrap);
|
|
@ -1,30 +0,0 @@
|
|||||||
From e61282d89bffe0b2ed923d9a0158cee35996e8e4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mourad De Clerck <bugs-debian@aquazul.com>
|
|
||||||
Date: Wed, 25 Nov 2020 13:55:28 +0100
|
|
||||||
Subject: [PATCH] profile.d: Disable gvfs plugins when listing flatpak
|
|
||||||
installations
|
|
||||||
|
|
||||||
This avoids gvfs-daemon being started when logging in as root via ssh.
|
|
||||||
|
|
||||||
Bug-Debian: https://bugs.debian.org/975710
|
|
||||||
(cherry picked from commit f69a35ceec7322e02007b45d676e0b6f1e9376b0)
|
|
||||||
---
|
|
||||||
profile/flatpak.sh | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/profile/flatpak.sh b/profile/flatpak.sh
|
|
||||||
index 6c6e113ffd89..9dc6cf901ffd 100644
|
|
||||||
--- a/profile/flatpak.sh
|
|
||||||
+++ b/profile/flatpak.sh
|
|
||||||
@@ -5,7 +5,7 @@ if command -v flatpak > /dev/null; then
|
|
||||||
(
|
|
||||||
unset G_MESSAGES_DEBUG
|
|
||||||
echo "${XDG_DATA_HOME:-"$HOME/.local/share"}/flatpak"
|
|
||||||
- flatpak --installations
|
|
||||||
+ GIO_USE_VFS=local flatpak --installations
|
|
||||||
) | (
|
|
||||||
new_dirs=
|
|
||||||
while read -r install_path
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -0,0 +1,28 @@
|
|||||||
|
From 1c73110795b865246ce3595042dcd2d5e7891359 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Debarshi Ray <debarshir@gnome.org>
|
||||||
|
Date: Mon, 6 Nov 2023 20:27:16 +0100
|
||||||
|
Subject: [PATCH] Revert "selinux: Permit using systemd-userdbd"
|
||||||
|
|
||||||
|
This reverts commit 399710ada185c1ee232bc3e6266a71688eb152b7.
|
||||||
|
---
|
||||||
|
selinux/flatpak.te | 4 ----
|
||||||
|
1 file changed, 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
|
||||||
|
index bb3d80e316eb..4cf895c44abe 100644
|
||||||
|
--- a/selinux/flatpak.te
|
||||||
|
+++ b/selinux/flatpak.te
|
||||||
|
@@ -33,10 +33,6 @@ optional_policy(`
|
||||||
|
policykit_dbus_chat(flatpak_helper_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- systemd_userdbd_stream_connect(flatpak_helper_t)
|
||||||
|
-')
|
||||||
|
-
|
||||||
|
optional_policy(`
|
||||||
|
unconfined_domain(flatpak_helper_t)
|
||||||
|
')
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -1,20 +1,25 @@
|
|||||||
%global bubblewrap_version 0.4.0
|
%global bubblewrap_version 0.4.0-2
|
||||||
%global ostree_version 2018.9
|
%global ostree_version 2020.8
|
||||||
|
|
||||||
Name: flatpak
|
Name: flatpak
|
||||||
Version: 1.8.5
|
Version: 1.12.9
|
||||||
Release: 5%{?dist}
|
Release: 3%{?dist}
|
||||||
Summary: Application deployment framework for desktop apps
|
Summary: Application deployment framework for desktop apps
|
||||||
|
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
URL: http://flatpak.org/
|
URL: http://flatpak.org/
|
||||||
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
|
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1918776
|
|
||||||
Patch0: flatpak-1.8.5-post-cve-fixes.patch
|
%if 0%{?fedora}
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1938064
|
# Add Fedora flatpak repositories
|
||||||
Patch1: flatpak-1.8.5-fix-CVE-2021-21381.patch
|
Source1: flatpak-add-fedora-repos.service
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1980438
|
%endif
|
||||||
Patch2: flatpak-1.8.5-profile.d-Disable-gvfs-plugins-when-listing-flatpak-.patch
|
|
||||||
|
# https://issues.redhat.com/browse/RHEL-4220
|
||||||
|
Patch0: flatpak-Revert-selinux-Permit-using-systemd-userdbd.patch
|
||||||
|
|
||||||
|
# Backported upstream patch for CVE-2024-42472
|
||||||
|
Patch1: flatpak-1.12.x-CVE-2024-42472.patch
|
||||||
|
|
||||||
BuildRequires: pkgconfig(appstream-glib)
|
BuildRequires: pkgconfig(appstream-glib)
|
||||||
BuildRequires: pkgconfig(dconf)
|
BuildRequires: pkgconfig(dconf)
|
||||||
@ -22,6 +27,7 @@ BuildRequires: pkgconfig(fuse)
|
|||||||
BuildRequires: pkgconfig(gdk-pixbuf-2.0)
|
BuildRequires: pkgconfig(gdk-pixbuf-2.0)
|
||||||
BuildRequires: pkgconfig(gio-unix-2.0)
|
BuildRequires: pkgconfig(gio-unix-2.0)
|
||||||
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
|
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
|
||||||
|
BuildRequires: pkgconfig(gpgme)
|
||||||
BuildRequires: pkgconfig(json-glib-1.0)
|
BuildRequires: pkgconfig(json-glib-1.0)
|
||||||
BuildRequires: pkgconfig(libarchive) >= 2.8.0
|
BuildRequires: pkgconfig(libarchive) >= 2.8.0
|
||||||
BuildRequires: pkgconfig(libseccomp)
|
BuildRequires: pkgconfig(libseccomp)
|
||||||
@ -37,16 +43,14 @@ BuildRequires: bubblewrap >= %{bubblewrap_version}
|
|||||||
BuildRequires: docbook-dtds
|
BuildRequires: docbook-dtds
|
||||||
BuildRequires: docbook-style-xsl
|
BuildRequires: docbook-style-xsl
|
||||||
BuildRequires: gettext
|
BuildRequires: gettext
|
||||||
BuildRequires: gpgme-devel
|
BuildRequires: libassuan-devel
|
||||||
BuildRequires: libcap-devel
|
BuildRequires: libcap-devel
|
||||||
|
BuildRequires: python3-devel
|
||||||
BuildRequires: python3-pyparsing
|
BuildRequires: python3-pyparsing
|
||||||
BuildRequires: systemd
|
BuildRequires: systemd
|
||||||
BuildRequires: /usr/bin/python3
|
|
||||||
BuildRequires: /usr/bin/xmlto
|
BuildRequires: /usr/bin/xmlto
|
||||||
BuildRequires: /usr/bin/xsltproc
|
BuildRequires: /usr/bin/xsltproc
|
||||||
|
|
||||||
%{?systemd_requires}
|
|
||||||
|
|
||||||
Requires: bubblewrap >= %{bubblewrap_version}
|
Requires: bubblewrap >= %{bubblewrap_version}
|
||||||
Requires: librsvg2%{?_isa}
|
Requires: librsvg2%{?_isa}
|
||||||
Requires: ostree-libs%{?_isa} >= %{ostree_version}
|
Requires: ostree-libs%{?_isa} >= %{ostree_version}
|
||||||
@ -124,6 +128,8 @@ This package contains installed tests for %{name}.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -p1
|
%autosetup -p1
|
||||||
|
# Make sure to use the RHEL-lifetime supported Python and no other
|
||||||
|
%py3_shebang_fix scripts/* subprojects/variant-schema-compiler/* tests/*
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -147,8 +153,18 @@ install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir}
|
|||||||
install -d %{buildroot}%{_localstatedir}/lib/flatpak
|
install -d %{buildroot}%{_localstatedir}/lib/flatpak
|
||||||
install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
|
install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
|
||||||
rm -f %{buildroot}%{_libdir}/libflatpak.la
|
rm -f %{buildroot}%{_libdir}/libflatpak.la
|
||||||
|
|
||||||
|
%if 0%{?fedora}
|
||||||
|
install -D -t %{buildroot}%{_unitdir} %{SOURCE1}
|
||||||
|
%endif
|
||||||
|
|
||||||
%find_lang %{name}
|
%find_lang %{name}
|
||||||
|
|
||||||
|
# Work around selinux denials, see
|
||||||
|
# https://github.com/flatpak/flatpak/issues/4128 for details. Note that we are
|
||||||
|
# going to need the system env generator if we should enable malcontent support
|
||||||
|
# in the future.
|
||||||
|
rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
getent group flatpak >/dev/null || groupadd -r flatpak
|
getent group flatpak >/dev/null || groupadd -r flatpak
|
||||||
@ -158,15 +174,28 @@ getent passwd flatpak >/dev/null || \
|
|||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
|
|
||||||
|
%if 0%{?fedora}
|
||||||
%post
|
%post
|
||||||
# Create an (empty) system-wide repo.
|
%systemd_post flatpak-add-fedora-repos.service
|
||||||
flatpak remote-list --system &> /dev/null || :
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%post selinux
|
%post selinux
|
||||||
%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
|
%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
|
||||||
|
|
||||||
|
|
||||||
|
%if 0%{?fedora}
|
||||||
|
%preun
|
||||||
|
%systemd_preun flatpak-add-fedora-repos.service
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
|
%if 0%{?fedora}
|
||||||
|
%postun
|
||||||
|
%systemd_postun_with_restart flatpak-add-fedora-repos.service
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%postun selinux
|
%postun selinux
|
||||||
if [ $1 -eq 0 ]; then
|
if [ $1 -eq 0 ]; then
|
||||||
%selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2
|
%selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2
|
||||||
@ -209,6 +238,7 @@ fi
|
|||||||
%{_mandir}/man5/flatpak-installation.5*
|
%{_mandir}/man5/flatpak-installation.5*
|
||||||
%{_mandir}/man5/flatpak-remote.5*
|
%{_mandir}/man5/flatpak-remote.5*
|
||||||
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
|
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
|
||||||
|
%dir %{_sysconfdir}/flatpak
|
||||||
%{_sysconfdir}/flatpak/remotes.d
|
%{_sysconfdir}/flatpak/remotes.d
|
||||||
%{_sysconfdir}/profile.d/flatpak.sh
|
%{_sysconfdir}/profile.d/flatpak.sh
|
||||||
%{_sysusersdir}/flatpak.conf
|
%{_sysusersdir}/flatpak.conf
|
||||||
@ -217,6 +247,10 @@ fi
|
|||||||
%{_userunitdir}/flatpak-portal.service
|
%{_userunitdir}/flatpak-portal.service
|
||||||
%{_systemd_user_env_generator_dir}/60-flatpak
|
%{_systemd_user_env_generator_dir}/60-flatpak
|
||||||
|
|
||||||
|
%if 0%{?fedora}
|
||||||
|
%{_unitdir}/flatpak-add-fedora-repos.service
|
||||||
|
%endif
|
||||||
|
|
||||||
%files devel
|
%files devel
|
||||||
%{_datadir}/gir-1.0/Flatpak-1.0.gir
|
%{_datadir}/gir-1.0/Flatpak-1.0.gir
|
||||||
%{_datadir}/gtk-doc/
|
%{_datadir}/gtk-doc/
|
||||||
@ -246,6 +280,42 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Sep 04 2024 Kalev Lember <klember@redhat.com> - 1.12.9-3
|
||||||
|
- Fix previous changelog entry
|
||||||
|
|
||||||
|
* Mon Sep 02 2024 Kalev Lember <klember@redhat.com> - 1.12.9-2
|
||||||
|
- Backport upstream patches for CVE-2024-42472
|
||||||
|
- Require bubblewrap version that has new --bind-fd option backported for
|
||||||
|
addressing CVE-2024-42472
|
||||||
|
|
||||||
|
* Tue Apr 30 2024 Kalev Lember <klember@redhat.com> - 1.12.9-1
|
||||||
|
- Update to 1.12.9 (CVE-2024-32462)
|
||||||
|
|
||||||
|
* Mon Nov 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.12.8-1
|
||||||
|
- Rebase to 1.12.8 (RHEL-4220)
|
||||||
|
|
||||||
|
* Mon Nov 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-3
|
||||||
|
- Let flatpak own %%{_sysconfdir}/flatpak (RHEL-15822)
|
||||||
|
|
||||||
|
* Mon Sep 04 2023 Miro Hrončok <mhroncok@redhat.com> - 1.10.8-2
|
||||||
|
- Make sure to use the RHEL-lifetime supported Python and no other (RHEL-2225)
|
||||||
|
|
||||||
|
* Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-1
|
||||||
|
- Rebase to 1.10.8 (#2222103)
|
||||||
|
- Fix CVE-2023-28100 and CVE-2023-28101 (#2180311)
|
||||||
|
|
||||||
|
* Wed Mar 09 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
|
||||||
|
- Rebase to 1.10.7 (#2062417)
|
||||||
|
|
||||||
|
* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.7-1
|
||||||
|
- Rebase to 1.8.7 (#2041972)
|
||||||
|
|
||||||
|
* Tue Jan 25 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.6-1
|
||||||
|
- Rebase to 1.8.6 (#2010533)
|
||||||
|
|
||||||
|
* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-6
|
||||||
|
- Fix CVE-2021-41133 (#2012869)
|
||||||
|
|
||||||
* Tue Oct 05 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-5
|
* Tue Oct 05 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-5
|
||||||
- Disable gvfs plugins when listing flatpak installations (#1980438)
|
- Disable gvfs plugins when listing flatpak installations (#1980438)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user