From 05447785b015c1ceeb19fb077302d15009fa5837 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Mon, 12 Apr 2021 11:15:23 +0800
Subject: [PATCH] Fix CVE-2019-8308
---
CVE-2019-8308.patch | 67 +++++++++++++++++++++++++++++++++++++++++++++
flatpak.spec | 6 +++-
2 files changed, 72 insertions(+), 1 deletion(-)
create mode 100644 CVE-2019-8308.patch
diff --git a/CVE-2019-8308.patch b/CVE-2019-8308.patch
new file mode 100644
index 0000000..37695b2
--- /dev/null
+++ b/CVE-2019-8308.patch
@@ -0,0 +1,67 @@
+From f2af3137e3e5bdd54cad646046da82218aec3fa7 Mon Sep 17 00:00:00 2001
+From: Alexander Larsson
+Date: Sun, 10 Feb 2019 18:23:44 +0100
+Subject: [PATCH] Don't expose /proc when running apply_extra
+
+As shown by CVE-2019-5736, it is sometimes possible for the sandbox
+app to access outside files using /proc/self/exe. This is not
+typically an issue for flatpak as the sandbox runs as the user which
+has no permissions to e.g. modify the host files.
+
+However, when installing apps using extra-data into the system repo
+we *do* actually run a sandbox as root. So, in this case we disable mounting
+/proc in the sandbox, which will neuter attacks like this.
+
+---
+ common/flatpak-common-types-private.h | 1 +
+ common/flatpak-dir.c | 2 +-
+ common/flatpak-run.c | 6 +++++-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h
+index e361777..b8f76b9 100644
+--- a/common/flatpak-common-types-private.h
++++ b/common/flatpak-common-types-private.h
+@@ -45,6 +45,7 @@ typedef enum {
+ FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15),
+ FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16),
+ FLATPAK_RUN_FLAG_CANBUS = (1 << 17),
++ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19),
+ } FlatpakRunFlags;
+
+ typedef struct FlatpakDir FlatpakDir;
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 236de4b..56bca24 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -6511,7 +6511,7 @@ apply_extra_data (FlatpakDir *self,
+ NULL);
+
+ if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2],
+- FLATPAK_RUN_FLAG_NO_SESSION_HELPER,
++ FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
+ error))
+ return FALSE;
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index cd6672e..c5fe6dc 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2357,9 +2357,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
+ "# Disable 
user pkcs11 config, because the host modules don't work in the runtime\n" + "user-config: none\n"; + ++ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0) ++ flatpak_bwrap_add_args (bwrap, ++ "--proc", "/proc", ++ NULL); ++ + flatpak_bwrap_add_args (bwrap, + "--unshare-pid", +- "--proc", "/proc", + "--dir", "/tmp", + "--dir", "/var/tmp", + "--dir", "/run/host", +-- +2.30.0 + diff --git a/flatpak.spec b/flatpak.spec index dc6849c..2fb47c4 100644 --- a/flatpak.spec +++ b/flatpak.spec @@ -1,6 +1,6 @@ Name: flatpak Version: 1.0.3 -Release: 4 +Release: 5 Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ @@ -14,6 +14,7 @@ Patch0005: CVE-2021-21261-5.patch Patch0006: CVE-2021-21381-1.patch Patch0007: CVE-2021-21381-2.patch Patch0008: CVE-2021-21381-3.patch +Patch0009: CVE-2019-8308.patch BuildRequires: pkgconfig(appstream-glib) pkgconfig(gio-unix-2.0) pkgconfig(gobject-introspection-1.0) >= 1.40.0 pkgconfig(json-glib-1.0) pkgconfig(libarchive) >= 2.8.0 BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2018.7 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau) @@ -108,6 +109,9 @@ flatpak remote-list --system &> /dev/null || : %{_mandir}/man5/flatpak-remote.5* %changelog +* Mon Apr 12 2021 wangyue - 1.0.3-5 +- Fix CVE-2019-8308 + * Wed Mar 24 2021 wangxiao - 1.0.3-4 - Fix CVE-2021-21381 -- Gitee
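Review bot: The new `if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)` guard in flatpak_run_setup_base_argv (common/flatpak-run.c) carries no comment, so the reason /proc is withheld lives only in the commit message and a later cleanup could fold `"--proc", "/proc"` back into the unconditional argument list. I would add above it `/* apply_extra can run this sandbox as root; without /proc the app cannot reach host files through /proc/self/exe (CVE-2019-8308) */`. In common/flatpak-common-types-private.h the new flag is `(1 << 19)` directly after `(1 << 17)`; presumably this keeps the upstream value, but a short `/* (1 << 18) intentionally skipped */` comment would stop someone renumbering it. Both function bodies continue outside the hunks, so whether apply_extra_data is the only caller that can run the sandbox as root cannot be confirmed from this diff and is worth checking.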
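Review bot: `Patch0009: CVE-2019-8308.patch` is only declared in the second flatpak.spec hunk, and the %prep section that applies patches is outside the diff, so it cannot be confirmed from here that the new patch is applied at build time. If %prep lists patches explicitly rather than using `%autosetup -p1` or `%autopatch`, a matching `%patch` line for patch 9 is needed. Without it the package would ship as 1.0.3-5 with a changelog entry claiming the fix while the sandbox still mounts /proc. Checking the build log to see that the patch applies cleanly against the 1.0.3 sources would settle it.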