flatpak/CVE-2026-34078-2-utils-add-flatpak-parse-fd.patch

From 8ce576a3b950d6ab735a5e049342d91b36685f94 Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Fri, 6 Feb 2026 17:14:49 +0100
Subject: [PATCH] utils: Add flatpak_parse_fd

This is meant to parse file descriptor strings passed via the command
line. It is not a security mechanism and will happily accept fds 0-3 as
well.
---
 common/flatpak-context.c       | 19 +++++++------------
 common/flatpak-utils-private.h |  3 +++
 common/flatpak-utils.c         | 22 ++++++++++++++++++++++
 3 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 53b79807..992243e3 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -1304,21 +1304,16 @@ option_env_fd_cb (const gchar *option_name,
                   GError     **error)
 {
   FlatpakContext *context = data;
-  guint64 fd;
-  gchar *endptr;
-  gboolean ret;
+  glnx_autofd int fd = -1;
 
-  fd = g_ascii_strtoull (value, &endptr, 10);
-
-  if (endptr == NULL || *endptr != '\0' || fd > G_MAXINT)
-    return glnx_throw (error, "Not a valid file descriptor: %s", value);
-
-  ret = flatpak_context_parse_env_fd (context, (int) fd, error);
+  fd = flatpak_parse_fd (value, error);
+  if (fd < 0)
+    return FALSE;
 
-  if (fd >= 3)
-    close (fd);
+  if (fd < 3)
+    return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
 
-  return ret;
+  return flatpak_context_parse_env_fd (context, fd, error);
 }
 
 static gboolean
diff --git a/common/flatpak-utils-private.h b/common/flatpak-utils-private.h
index f79b22c8..754fe412 100644
--- a/common/flatpak-utils-private.h
+++ b/common/flatpak-utils-private.h
@@ -927,6 +927,9 @@ void   flatpak_print_escaped_string (const char        *s,
 gboolean flatpak_validate_path_characters (const char *path,
                                            GError    **error);
 
+int flatpak_parse_fd (const char  *fd_string,
+                      GError     **error);
+
 #define FLATPAK_MESSAGE_ID "c7b39b1e006b464599465e105b361485"
 
 #endif /* __FLATPAK_UTILS_H__ */
diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c
index 0ab84064..c2015941 100644
--- a/common/flatpak-utils.c
+++ b/common/flatpak-utils.c
@@ -9188,3 +9188,25 @@ flatpak_validate_path_characters (const char *path,
 
   return TRUE;
 }
+
+int
+flatpak_parse_fd (const char  *fd_string,
+                  GError     **error)
+{
+  guint64 parsed;
+  char *endptr;
+  int fd;
+  struct stat stbuf;
+
+  parsed = g_ascii_strtoull (fd_string, &endptr, 10);
+
+  if (endptr == NULL || *endptr != '\0' || parsed > G_MAXINT)
+    return glnx_fd_throw (error, "Not a valid file descriptor: %s", fd_string);
+
+  fd = (int) parsed;
+
+  if (!glnx_fstat (fd, &stbuf, error))
+    return -1;
+
+  return fd;
+}
-- 
2.54.0