diff --git a/0001-OCI-Switch-to-pax-format-for-tar-archives.patch b/0001-OCI-Switch-to-pax-format-for-tar-archives.patch new file mode 100644 index 0000000000000000000000000000000000000000..a95238a7c41e0e0d68c7d68292be3f585245a315 --- /dev/null +++ b/0001-OCI-Switch-to-pax-format-for-tar-archives.patch @@ -0,0 +1,34 @@ +From adbd286cef9a4c4bed76eb95337d5d6f5e42dd45 Mon Sep 17 00:00:00 2001 +From: Kalev Lember +Date: Mon, 5 Apr 2021 10:40:26 +0200 +Subject: [PATCH] OCI: Switch to pax format for tar archives + +For reasons unknown, libarchive appears to generate broken gnutar format +tar archives when the archive contains files that are larger than 2 GB. +This commit switches to the pax format to work this around. + +This should be a better default as it also removes 256 char filename +length limitation and matches what other libraries are doing, e.g. +Python 3.8 switched to the pax format by default as well. + +See https://pagure.io/fedora-infrastructure/issue/9840 +--- + common/flatpak-oci-registry.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c +index 6aa68c27..2a7f3ba1 100644 +--- a/common/flatpak-oci-registry.c ++++ b/common/flatpak-oci-registry.c +@@ -1476,7 +1476,7 @@ flatpak_oci_registry_write_layer (FlatpakOciRegistry *self, + } + + a = archive_write_new (); +- if (archive_write_set_format_gnutar (a) != ARCHIVE_OK || ++ if (archive_write_set_format_pax (a) != ARCHIVE_OK || + archive_write_add_filter_none (a) != ARCHIVE_OK) + { + propagate_libarchive_error (error, a); +-- +2.30.2 + diff --git a/CVE-2019-8308.patch b/CVE-2019-8308.patch deleted file mode 100644 index 37695b2f7464d6eb53acb775ae984b981164018c..0000000000000000000000000000000000000000 --- a/CVE-2019-8308.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From f2af3137e3e5bdd54cad646046da82218aec3fa7 Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Sun, 10 Feb 2019 18:23:44 +0100 -Subject: [PATCH] Don't expose /proc when running apply_extra - -As shown by CVE-2019-5736, it is sometimes possible for the sandbox -app to access outside files using /proc/self/exe. This is not -typically an issue for flatpak as the sandbox runs as the user which -has no permissions to e.g. modify the host files. - -However, when installing apps using extra-data into the system repo -we *do* actually run a sandbox as root. So, in this case we disable mounting -/proc in the sandbox, which will neuter attacks like this. - ---- - common/flatpak-common-types-private.h | 1 + - common/flatpak-dir.c | 2 +- - common/flatpak-run.c | 6 +++++- - 3 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h -index e361777..b8f76b9 100644 ---- a/common/flatpak-common-types-private.h -+++ b/common/flatpak-common-types-private.h -@@ -45,6 +45,7 @@ typedef enum { - FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15), - FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16), - FLATPAK_RUN_FLAG_CANBUS = (1 << 17), -+ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19), - } FlatpakRunFlags; - - typedef struct FlatpakDir FlatpakDir; -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 236de4b..56bca24 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -6511,7 +6511,7 @@ apply_extra_data (FlatpakDir *self, - NULL); - - if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2], -- FLATPAK_RUN_FLAG_NO_SESSION_HELPER, -+ FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC, - error)) - return FALSE; - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index cd6672e..c5fe6dc 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2357,9 +2357,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap, - "# Disable 
user pkcs11 config, because the host modules don't work in the runtime\n" - "user-config: none\n"; - -+ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0) -+ flatpak_bwrap_add_args (bwrap, -+ "--proc", "/proc", -+ NULL); -+ - flatpak_bwrap_add_args (bwrap, - "--unshare-pid", -- "--proc", "/proc", - "--dir", "/tmp", - "--dir", "/var/tmp", - "--dir", "/run/host", --- -2.30.0 - diff --git a/CVE-2021-21261-1.patch b/CVE-2021-21261-1.patch deleted file mode 100644 index 4e8b2795fbf2abcd5f195027aaa0760737d369b8..0000000000000000000000000000000000000000 --- a/CVE-2021-21261-1.patch +++ /dev/null 
@@ -1,156 +0,0 @@ -From b04ab0f0c4fe4970737187a76389b20029e27488 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Tue, 12 Jan 2021 12:21:31 +0000 -Subject: [PATCH] run: Convert all environment variables into bwrap - arguments - -This avoids some of them being filtered out by a setuid bwrap. It also -means that if they came from an untrusted source, they cannot be used -to inject arbitrary code into a non-setuid bwrap via mechanisms like -LD_PRELOAD. - -Because they get bundled into a memfd or temporary file, they do not -actually appear in argv, ensuring that they remain inaccessible to -processes running under a different uid (which is important if their -values are tokens or other secrets). - -Signed-off-by: Simon McVittie -Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 ---- - common/flatpak-bwrap-private.h | 3 +++ - common/flatpak-bwrap.c | 43 ++++++++++++++++++++++++++++++++++ - common/flatpak-run.c | 24 ++++++++++++------- - 3 files changed, 61 insertions(+), 9 deletions(-) - ---- flatpak.orig/common/flatpak-bwrap-private.h -+++ flatpak/common/flatpak-bwrap-private.h -@@ -43,6 +43,8 @@ void flatpak_bwrap_unset_env (F - const char *variable); - void flatpak_bwrap_add_arg (FlatpakBwrap *bwrap, - const char *arg); -+void flatpak_bwrap_take_arg (FlatpakBwrap *bwrap, -+ char *arg); - void flatpak_bwrap_add_noinherit_fd (FlatpakBwrap *bwrap, - int fd); - void flatpak_bwrap_add_fd (FlatpakBwrap *bwrap, -@@ -73,6 +75,7 @@ void flatpak_bwrap_add_bind_arg - const char *type, - const char *src, - const char *dest); -+void flatpak_bwrap_envp_to_args (FlatpakBwrap *bwrap); - gboolean flatpak_bwrap_bundle_args (FlatpakBwrap *bwrap, - int start, - int end, ---- flatpak.orig/common/flatpak-bwrap.c -+++ flatpak/common/flatpak-bwrap.c -@@ -108,6 +108,18 @@ flatpak_bwrap_add_arg (FlatpakBwrap *bwr - g_ptr_array_add (bwrap->argv, g_strdup (arg)); - } - -+/* -+ * flatpak_bwrap_take_arg: -+ * @arg: (transfer full): Take ownership of this 
argument -+ * -+ * Add @arg to @bwrap's argv, taking ownership of the pointer. -+ */ -+void -+flatpak_bwrap_take_arg (FlatpakBwrap *bwrap, char *arg) -+{ -+ g_ptr_array_add (bwrap->argv, arg); -+} -+ - void - flatpak_bwrap_finish (FlatpakBwrap *bwrap) - { -@@ -273,6 +285,37 @@ flatpak_bwrap_add_bind_arg (FlatpakBwrap - } - } - -+/* -+ * Convert bwrap->envp into a series of --setenv arguments for bwrap(1), -+ * assumed to be applied to an empty environment. Reset envp to be an -+ * empty environment. -+ */ -+void -+flatpak_bwrap_envp_to_args (FlatpakBwrap *bwrap) -+{ -+ gsize i; -+ -+ for (i = 0; bwrap->envp[i] != NULL; i++) -+ { -+ char *key_val = bwrap->envp[i]; -+ char *eq = strchr (key_val, '='); -+ -+ if (eq) -+ { -+ flatpak_bwrap_add_arg (bwrap, "--setenv"); -+ flatpak_bwrap_take_arg (bwrap, g_strndup (key_val, eq - key_val)); -+ flatpak_bwrap_add_arg (bwrap, eq + 1); -+ } -+ else -+ { -+ g_warn_if_reached (); -+ } -+ } -+ -+ g_strfreev (g_steal_pointer (&bwrap->envp)); -+ bwrap->envp = g_strdupv (flatpak_bwrap_empty_env); -+} -+ - gboolean - flatpak_bwrap_bundle_args (FlatpakBwrap *bwrap, - int start, ---- flatpak.orig/common/flatpak-run.c -+++ flatpak/common/flatpak-run.c -@@ -1120,15 +1120,6 @@ flatpak_run_add_environment_args (Flatpa - flatpak_run_add_system_dbus_args (bwrap, proxy_arg_bwrap, context, flags); - flatpak_run_add_a11y_dbus_args (bwrap, proxy_arg_bwrap, context, flags); - -- if (g_environ_getenv (bwrap->envp, "LD_LIBRARY_PATH") != NULL) -- { -- /* LD_LIBRARY_PATH is overridden for setuid helper, so pass it as cmdline arg */ -- flatpak_bwrap_add_args (bwrap, -- "--setenv", "LD_LIBRARY_PATH", g_environ_getenv (bwrap->envp, "LD_LIBRARY_PATH"), -- NULL); -- flatpak_bwrap_unset_env (bwrap, "LD_LIBRARY_PATH"); -- } -- - /* Must run this before spawning the dbus proxy, to ensure it - ends up in the app cgroup */ - if (!flatpak_run_in_transient_unit (app_id, &my_error)) -@@ -3139,6 +3130,8 @@ flatpak_run_app (const char *app_ref - command = 
default_command; - } - -+ flatpak_bwrap_envp_to_args (bwrap); -+ - if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) - return FALSE; - -@@ -3161,6 +3154,12 @@ flatpak_run_app (const char *app_ref - char pid_str[64]; - g_autofree char *pid_path = NULL; - -+ /* flatpak_bwrap_envp_to_args() moved the environment variables to -+ * be set into --setenv instructions in argv, so the environment -+ * in which the bwrap command runs must be empty. */ -+ g_assert (bwrap->envp != NULL); -+ g_assert (bwrap->envp[0] == NULL); -+ - if (!g_spawn_async (NULL, - (char **) bwrap->argv->pdata, - bwrap->envp, -@@ -3185,6 +3184,13 @@ flatpak_run_app (const char *app_ref - - /* Ensure we unset O_CLOEXEC */ - flatpak_bwrap_child_setup_cb (bwrap->fds); -+ -+ /* flatpak_bwrap_envp_to_args() moved the environment variables to -+ * be set into --setenv instructions in argv, so the environment -+ * in which the bwrap command runs must be empty. */ -+ g_assert (bwrap->envp != NULL); -+ g_assert (bwrap->envp[0] == NULL); -+ - if (execvpe (flatpak_get_bwrap (), (char **) bwrap->argv->pdata, bwrap->envp) == -1) - { - g_set_error_literal (error, G_IO_ERROR, g_io_error_from_errno (errno), diff --git a/CVE-2021-21261-2.patch b/CVE-2021-21261-2.patch index 8250a8418fbf8cf3be084deff0519c6afdd47ba5..3d1da63580468ed5c30bb1f50a3594a5bca3ace7 100644 --- a/CVE-2021-21261-2.patch +++ b/CVE-2021-21261-2.patch @@ -18,20 +18,25 @@ 
Signed-off-by: Simon McVittie create mode 100644 common/flatpak-utils-memfd-private.h create mode 100644 common/flatpak-utils-memfd.c ---- flatpak.orig/common/Makefile.am.inc -+++ flatpak/common/Makefile.am.inc -@@ -96,6 +96,8 @@ libflatpak_common_la_SOURCES = \ - common/flatpak-utils.c \ - common/flatpak-utils-http.c \ +diff --git a/common/Makefile.am.inc b/common/Makefile.am.inc +index 4844ab5..b681294 100644 +--- a/common/Makefile.am.inc ++++ b/common/Makefile.am.inc +@@ -164,6 +164,8 @@ libflatpak_common_la_SOURCES = \ + common/flatpak-transaction.c \ + common/flatpak-transaction.h \ common/flatpak-utils-http-private.h \ + common/flatpak-utils-memfd.c \ -+ common/flatpak-utils-memfd-private.h \ ++ common/flatpak-utils-memfd-private.h \ + common/flatpak-utils-http.c \ common/flatpak-utils-private.h \ - common/flatpak-chain-input-stream.c \ - common/flatpak-chain-input-stream-private.h \ + common/flatpak-utils.c \ +diff --git a/common/flatpak-utils-memfd-private.h b/common/flatpak-utils-memfd-private.h +new file mode 100644 +index 0000000..65b550d --- /dev/null -+++ flatpak/common/flatpak-utils-memfd-private.h -@@ -0,0 +1,32 @@ ++++ b/common/flatpak-utils-memfd-private.h +@@ -0,0 +1,33 @@ +/* + * Copyright © 2014 Red Hat, Inc + * @@ -42,7 +47,7 @@ Signed-off-by: Simon McVittie + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public @@ -64,8 +69,12 @@ Signed-off-by: Simon McVittie + GError **error); + +#endif /* __FLATPAK_UTILS_MEMFD_H__ */ ++ +diff --git a/common/flatpak-utils-memfd.c b/common/flatpak-utils-memfd.c +new file mode 100644 +index 0000000..9a0730f 
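Review bot: The rebased `libflatpak_common_la_SOURCES` hunk inserts `common/flatpak-utils-memfd.c` and `common/flatpak-utils-memfd-private.h` between `common/flatpak-utils-http-private.h` and `common/flatpak-utils-http.c`, which splits the http pair and breaks the alphabetical order the surrounding entries (`flatpak-transaction.*`, `flatpak-utils-http*`, `flatpak-utils-private.h`, `flatpak-utils.c`) follow. Moving the two `+` lines so they sit after `common/flatpak-utils-http.c \` and before `common/flatpak-utils-private.h \` keeps the list sorted. The rest of this hunk only converts the `flatpak.orig/` headers into `diff --git` form and updates hunk offsets, which looks fine.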
--- /dev/null -+++ flatpak/common/flatpak-utils-memfd.c ++++ b/common/flatpak-utils-memfd.c @@ -0,0 +1,90 @@ +/* + * Copyright © 2014 Red Hat, Inc @@ -157,19 +166,23 @@ Signed-off-by: Simon McVittie + } + return TRUE; +} ---- flatpak.orig/common/flatpak-utils-private.h -+++ flatpak/common/flatpak-utils-private.h +diff --git a/common/flatpak-utils-private.h b/common/flatpak-utils-private.h +index 1a92154..4c1ac61 100644 +--- a/common/flatpak-utils-private.h ++++ b/common/flatpak-utils-private.h @@ -32,6 +32,7 @@ #include "flatpak-context-private.h" #include "flatpak-error.h" #include "flatpak-utils-http-private.h" +#include "flatpak-utils-memfd-private.h" + #include "flatpak-variant-private.h" + #include "flatpak-dir-private.h" #include - #include - ---- flatpak.orig/common/flatpak-utils.c -+++ flatpak/common/flatpak-utils.c -@@ -2280,56 +2280,6 @@ flatpak_file_rename (GFile *from, +diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c +index 56cbb06..6901a62 100644 +--- a/common/flatpak-utils.c ++++ b/common/flatpak-utils.c +@@ -1851,56 +1851,6 @@ flatpak_file_rename (GFile *from, return TRUE; } diff --git a/CVE-2021-21261-3.patch b/CVE-2021-21261-3.patch deleted file mode 100644 index 8a1d5d1472772dc43a4f57b3671fdac2d0d6714f..0000000000000000000000000000000000000000 --- a/CVE-2021-21261-3.patch +++ /dev/null 
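Review bot: The hunk ending at `+#endif /* __FLATPAK_UTILS_MEMFD_H__ */` now appends an extra `+` line with no content, so the rebased patch creates `common/flatpak-utils-memfd-private.h` with a trailing blank line and the new-file hunk header grows from `+1,32` to `+1,33` for no functional reason; git's default `blank-at-eof` whitespace check warns on exactly this when the patch is applied. Dropping that empty `+` line and restoring `@@ -0,0 +1,32 @@` keeps the header identical to the previous version of the patch. If the diffstat at the top of the .patch file (above this chunk, not visible here) was not regenerated, it should be updated to match whichever line count is kept.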
@@ -1,204 +0,0 @@ -From 7a93013153a425d4cb8466cd9b665b98e713451d Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Sun, 10 Jan 2021 16:18:58 +0000 -Subject: [PATCH] context: Add --env-fd option - -This allows environment variables to be added to the context without -making their values visible to processes running under a different uid, -which might be significant if the variable's value is a token or some -other secret value. - -Signed-off-by: Simon McVittie -Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 ---- - common/flatpak-context.c | 60 ++++++++++++++++++++++++++++++++++++ - doc/flatpak-build-finish.xml | 18 +++++++++++ - doc/flatpak-build.xml | 18 +++++++++++ - doc/flatpak-override.xml | 18 +++++++++++ - doc/flatpak-run.xml | 18 +++++++++++ - 5 files changed, 132 insertions(+) - ---- flatpak.orig/common/flatpak-context.c -+++ flatpak/common/flatpak-context.c -@@ -1040,6 +1040,65 @@ option_env_cb (const gchar *option_name, - } - - static gboolean -+option_env_fd_cb (const gchar *option_name, -+ const gchar *value, -+ gpointer data, -+ GError **error) -+{ -+ FlatpakContext *context = data; -+ g_autoptr(GBytes) env_block = NULL; -+ gsize remaining; -+ const char *p; -+ guint64 fd; -+ gchar *endptr; -+ -+ fd = g_ascii_strtoull (value, &endptr, 10); -+ -+ if (endptr == NULL || *endptr != '\0' || fd > G_MAXINT) -+ return glnx_throw (error, "Not a valid file descriptor: %s", value); -+ -+ env_block = glnx_fd_readall_bytes ((int) fd, NULL, error); -+ -+ if (env_block == NULL) -+ return FALSE; -+ -+ p = g_bytes_get_data (env_block, &remaining); -+ -+ /* env_block might not be \0-terminated */ -+ while (remaining > 0) -+ { -+ size_t len = strnlen (p, remaining); -+ const char *equals; -+ -+ g_assert (len <= remaining); -+ -+ equals = memchr (p, '=', len); -+ -+ if (equals == NULL || equals == p) -+ return glnx_throw (error, -+ "Environment variable must be given in the form VARIABLE=VALUE, not %.*s", (int) len, p); -+ -+ 
flatpak_context_set_env_var (context, -+ g_strndup (p, equals - p), -+ g_strndup (equals + 1, len - (equals - p) - 1)); -+ p += len; -+ remaining -= len; -+ -+ if (remaining > 0) -+ { -+ g_assert (*p == '\0'); -+ p += 1; -+ remaining -= 1; -+ } -+ } -+ -+ if (fd >= 3) -+ close (fd); -+ -+ return TRUE; -+} -+ -+static gboolean - option_own_name_cb (const gchar *option_name, - const gchar *value, - gpointer data, -@@ -1206,6 +1265,7 @@ static GOptionEntry context_options[] = - { "filesystem", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_filesystem_cb, N_("Expose filesystem to app (:ro for read-only)"), N_("FILESYSTEM[:ro]") }, - { "nofilesystem", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_nofilesystem_cb, N_("Don't expose filesystem to app"), N_("FILESYSTEM") }, - { "env", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_env_cb, N_("Set environment variable"), N_("VAR=VALUE") }, -+ { "env-fd", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_env_fd_cb, N_("Read environment variables in env -0 format from FD"), N_("FD") }, - { "own-name", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_own_name_cb, N_("Allow app to own name on the session bus"), N_("DBUS_NAME") }, - { "talk-name", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_talk_name_cb, N_("Allow app to talk to name on the session bus"), N_("DBUS_NAME") }, - { "system-own-name", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_system_own_name_cb, N_("Allow app to own name on the system bus"), N_("DBUS_NAME") }, ---- flatpak.orig/doc/flatpak-build-finish.xml -+++ flatpak/doc/flatpak-build-finish.xml -@@ -277,6 +277,24 @@ key=v1;v2; - - - -+ -+ -+ -+ Read environment variables from the file descriptor -+ FD, and set them as if -+ via . This can be used to avoid -+ environment variables and their values becoming visible -+ to other users. -+ -+ Each environment variable is in the form -+ VAR=VALUE -+ followed by a zero byte. 
This is the same format used by -+ env -0 and -+ /proc/*/environ. -+ -+ -+ -+ - - - ---- flatpak.orig/doc/flatpak-build.xml -+++ flatpak/doc/flatpak-build.xml -@@ -284,6 +284,24 @@ key=v1;v2; - - - -+ -+ -+ -+ Read environment variables from the file descriptor -+ FD, and set them as if -+ via . This can be used to avoid -+ environment variables and their values becoming visible -+ to other users. -+ -+ Each environment variable is in the form -+ VAR=VALUE -+ followed by a zero byte. This is the same format used by -+ env -0 and -+ /proc/*/environ. -+ -+ -+ -+ - - - ---- flatpak.orig/doc/flatpak-override.xml -+++ flatpak/doc/flatpak-override.xml -@@ -258,6 +258,24 @@ key=v1;v2; - - - -+ -+ -+ -+ Read environment variables from the file descriptor -+ FD, and set them as if -+ via . This can be used to avoid -+ environment variables and their values becoming visible -+ to other users. -+ -+ Each environment variable is in the form -+ VAR=VALUE -+ followed by a zero byte. This is the same format used by -+ env -0 and -+ /proc/*/environ. -+ -+ -+ -+ - - - ---- flatpak.orig/doc/flatpak-run.xml -+++ flatpak/doc/flatpak-run.xml -@@ -361,6 +361,24 @@ key=v1;v2; - - - -+ -+ -+ -+ Read environment variables from the file descriptor -+ FD, and set them as if -+ via . This can be used to avoid -+ environment variables and their values becoming visible -+ to other users. -+ -+ Each environment variable is in the form -+ VAR=VALUE -+ followed by a zero byte. This is the same format used by -+ env -0 and -+ /proc/*/environ. -+ -+ -+ -+ - - - diff --git a/CVE-2021-21261-4.patch b/CVE-2021-21261-4.patch index 2f644ae618809235da56539328c54c5ea532157d..a25884a700eb1c5895b25be2d8f59fe76a992804 100644 --- a/CVE-2021-21261-4.patch +++ b/CVE-2021-21261-4.patch 
@@ -14,10 +14,12 @@ Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-v portal/flatpak-portal.c | 65 ++++++++++++++++++++++++++++++++++++++++- 2 files changed, 67 insertions(+), 2 deletions(-) ---- flatpak.orig/portal/Makefile.am.inc -+++ flatpak/portal/Makefile.am.inc -@@ -29,11 +29,13 @@ flatpak_portal_SOURCES = \ - portal/flatpak-portal-app-info.h \ +diff --git a/portal/Makefile.am.inc b/portal/Makefile.am.inc +index dc45969..e5e57ba 100644 +--- a/portal/Makefile.am.inc ++++ b/portal/Makefile.am.inc +@@ -46,6 +46,8 @@ flatpak_portal_SOURCES = \ + portal/portal-impl.h \ common/flatpak-portal-error.c \ common/flatpak-portal-error.h \ + common/flatpak-utils-memfd.c \ @@ -25,16 +27,12 @@ Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-v $(NULL) BUILT_SOURCES += $(nodist_flatpak_portal_SOURCES) - CLEANFILES += $(nodist_flatpak_portal_SOURCES) - --flatpak_portal_LDADD = $(AM_LDADD) $(BASE_LIBS) -+flatpak_portal_LDADD = $(AM_LDADD) $(BASE_LIBS) libglnx.la - flatpak_portal_CFLAGS = $(AM_CFLAGS) $(BASE_CFLAGS) -DFLATPAK_COMPILATION - flatpak_portal_CPPFLAGS = $(AM_CPPFLAGS) -I$(builddir)/portal ---- flatpak.orig/portal/flatpak-portal.c -+++ flatpak/portal/flatpak-portal.c -@@ -32,6 +32,14 @@ - #include "flatpak-portal.h" +diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c +index 7887c57..40a8ce7 100644 +--- a/portal/flatpak-portal.c ++++ b/portal/flatpak-portal.c +@@ -46,6 +46,14 @@ + #include "flatpak-instance-private.h" #include "flatpak-portal-app-info.h" #include "flatpak-portal-error.h" +#include "flatpak-utils-memfd-private.h" 
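Review bot: The context lines `portal/flatpak-portal.c | 65 ++++…` and `2 files changed, 67 insertions(+), 2 deletions(-)` at the top of this hunk are now a stale diffstat: after this rebase the patch only adds two source entries to `portal/Makefile.am.inc` and an `#include "flatpak-utils-memfd-private.h"` to `portal/flatpak-portal.c`, and the `flatpak_portal_LDADD` change is gone, so no deletion line remains in the patch body. Regenerating the header with `git format-patch` (or deleting the diffstat) keeps the patch file honest about what it does. The same stale description applies to the next hunk (`@@ -45,94 +43,6 @@`), which strips the `drop_cloexec`/`env_fd`/`handle_spawn` changes from the patch — presumably because flatpak 1.10.2 already carries that logic upstream; it is worth confirming that the 1.10.2 portal actually calls `flatpak_buffer_to_sealed_memfd_or_tmpfile`, otherwise adding `common/flatpak-utils-memfd.c` to the portal build is dead weight. The upstream `Subject:`/`Part-of:` lines above the diffstat now also describe a much larger change than the body performs, which a one-line packager note in the patch header would clarify.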
@@ -45,94 +43,6 @@ Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-v +# define G_DBUS_METHOD_INVOCATION_HANDLED TRUE +# define G_DBUS_METHOD_INVOCATION_UNHANDLED FALSE +#endif - - #define IDLE_TIMEOUT_SECS 10 * 60 - -@@ -166,9 +174,16 @@ typedef struct - int fd_map_len; - gboolean set_tty; - int tty; -+ int env_fd; - } ChildSetupData; - - static void -+drop_cloexec (int fd) -+{ -+ fcntl (fd, F_SETFD, 0); -+} -+ -+static void - child_setup_func (gpointer user_data) - { - ChildSetupData *data = (ChildSetupData *) user_data; -@@ -176,6 +191,9 @@ child_setup_func (gpointer user_data) - sigset_t set; - int i; - -+ if (data->env_fd != -1) -+ drop_cloexec (data->env_fd); -+ - /* Unblock all signals */ - sigemptyset (&set); - if (pthread_sigmask (SIG_SETMASK, &set, NULL) == -1) -@@ -321,6 +339,9 @@ handle_spawn (PortalFlatpak *obj - g_auto(GStrv) sandbox_expose = NULL; - g_auto(GStrv) sandbox_expose_ro = NULL; - gboolean sandboxed; -+ g_autoptr(GString) env_string = g_string_new (""); -+ -+ child_setup_data.env_fd = -1; - - app_info = g_object_get_data (G_OBJECT (invocation), "app-info"); - g_assert (app_info != NULL); -@@ -505,7 +526,49 @@ handle_spawn (PortalFlatpak *obj - else - { - for (i = 0; extra_args != NULL && extra_args[i] != NULL; i++) -- g_ptr_array_add (flatpak_argv, g_strdup (extra_args[i])); -+ { -+ if (g_str_has_prefix (extra_args[i], "--env=")) -+ { -+ const char *var_val = extra_args[i] + strlen ("--env="); -+ -+ if (var_val[0] == '\0' || var_val[0] == '=') -+ { -+ g_warning ("Environment variable in extra-args has empty name"); -+ continue; -+ } -+ -+ if (strchr (var_val, '=') == NULL) -+ { -+ g_warning ("Environment variable in extra-args has no value"); -+ continue; -+ } -+ -+ g_string_append (env_string, var_val); -+ g_string_append_c (env_string, '\0'); -+ } -+ else -+ { -+ g_ptr_array_add (flatpak_argv, g_strdup (extra_args[i])); -+ } -+ } -+ } -+ -+ if (env_string->len > 0) -+ { -+ g_auto(GLnxTmpfile) env_tmpf = { 0, 
}; -+ -+ if (!flatpak_buffer_to_sealed_memfd_or_tmpfile (&env_tmpf, "environ", -+ env_string->str, -+ env_string->len, &error)) -+ { -+ g_dbus_method_invocation_return_gerror (invocation, error); -+ return G_DBUS_METHOD_INVOCATION_HANDLED; -+ } -+ -+ child_setup_data.env_fd = glnx_steal_fd (&env_tmpf.fd); -+ g_ptr_array_add (flatpak_argv, -+ g_strdup_printf ("--env-fd=%d", -+ child_setup_data.env_fd)); - } - - /* Inherit launcher network access from launcher, unless + #include "flatpak-utils-base-private.h" + #include "portal-impl.h" + #include "flatpak-permission-dbus.h" diff --git a/CVE-2021-21261-5.patch b/CVE-2021-21261-5.patch deleted file mode 100644 index 9f49a3b79b69d1581a81019be6e4b9d533350a61..0000000000000000000000000000000000000000 --- a/CVE-2021-21261-5.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From f527eaeb132dcd5bb06115b987d6a6f8bfafac9b Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Sun, 10 Jan 2021 16:25:29 +0000 -Subject: [PATCH] portal: Do not use caller-supplied variables in - environment - -If the caller specifies a variable that can be used to inject arbitrary -code into processes, we must not allow it to enter the environment -block used to run `flatpak run`, which runs unsandboxed. - -This change requires the previous commit "context: Add --env-fd option", -which adds infrastructure used here. - -To be secure, this change also requires the previous commit -"run: Convert all environment variables into bwrap arguments", which -protects a non-setuid bwrap(1) from the same attack. - -Signed-off-by: Simon McVittie -Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 ---- - portal/flatpak-portal.c | 28 +++++++++++++++++++++++++++- - 1 file changed, 27 insertions(+), 1 deletion(-) - ---- flatpak.orig/portal/flatpak-portal.c -+++ flatpak/portal/flatpak-portal.c -@@ -506,6 +506,13 @@ handle_spawn (PortalFlatpak *obj - else - env = g_get_environ (); - -+ /* Let the environment variables given by the caller override the ones -+ * from extra_args. Don't add them to @env, because they are controlled -+ * by our caller, which might be trying to use them to inject code into -+ * flatpak(1); add them to the environment block instead. -+ * -+ * We don't use --env= here, so that if the values are something that -+ * should not be exposed to other uids, they can remain confidential. 
*/ - n_envs = g_variant_n_children (arg_envs); - for (i = 0; i < n_envs; i++) - { -@@ -513,7 +520,26 @@ handle_spawn (PortalFlatpak *obj - const char *val = NULL; - g_variant_get_child (arg_envs, i, "{&s&s}", &var, &val); - -- env = g_environ_setenv (env, var, val, TRUE); -+ if (var[0] == '\0') -+ { -+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, -+ G_DBUS_ERROR_INVALID_ARGS, -+ "Environment variable cannot have empty name"); -+ return G_DBUS_METHOD_INVOCATION_HANDLED; -+ } -+ -+ if (strchr (var, '=') != NULL) -+ { -+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, -+ G_DBUS_ERROR_INVALID_ARGS, -+ "Environment variable name cannot contain '='"); -+ return G_DBUS_METHOD_INVOCATION_HANDLED; -+ } -+ -+ g_string_append (env_string, var); -+ g_string_append_c (env_string, '='); -+ g_string_append (env_string, val); -+ g_string_append_c (env_string, '\0'); - } - - g_ptr_array_add (flatpak_argv, g_strdup ("flatpak")); diff --git a/CVE-2021-21381-1.patch b/CVE-2021-21381-1.patch deleted file mode 100644 index 1aaa4563742f6f019b32a91b1f7b74f02b5dc29a..0000000000000000000000000000000000000000 --- a/CVE-2021-21381-1.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -From 652a28ffab67cb6cd7d12dc3a93979bcd3731c7f Mon Sep 17 00:00:00 2001 -From: Ryan Gonzalez -Date: Tue, 2 Mar 2021 13:20:07 -0600 -Subject: [PATCH] Disallow @@ and @@u usage in desktop files - -Fixes #4146. ---- - common/flatpak-dir.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index e6e4d6fb3..7d3374dad 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -5828,6 +5828,8 @@ export_desktop_file (const char *app, - g_string_append_printf (new_exec, " @@ %s @@", arg); - else if (strcasecmp (arg, "%u") == 0) - g_string_append_printf (new_exec, " @@u %s @@", arg); -+ else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0) -+ g_print (_("Skipping invalid Exec argument %s\n"), arg); - else - g_string_append_printf (new_exec, " %s", arg); - } diff --git a/CVE-2021-21381-2.patch b/CVE-2021-21381-2.patch deleted file mode 100644 index 2a4a3d662bce1da74087b1d80faa621a7c5cca94..0000000000000000000000000000000000000000 --- a/CVE-2021-21381-2.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 1e7e8fdb24b51078f4c48e0711e24a14930ba1f0 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 5 Mar 2021 13:49:36 +0000 -Subject: [PATCH] dir: Reserve the whole @@ prefix - -If we add new features analogous to file forwarding later, we might -find that we need a different magic token. Let's reserve the whole -@@* namespace so we can call it @@something-else. - -Signed-off-by: Simon McVittie ---- - common/flatpak-dir.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 7d3374dad..facfab37a 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -5828,7 +5828,7 @@ export_desktop_file (const char *app, - g_string_append_printf (new_exec, " @@ %s @@", arg); - else if (strcasecmp (arg, "%u") == 0) - g_string_append_printf (new_exec, " @@u %s @@", arg); -- else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0) -+ else if (g_str_has_prefix (arg, "@@")) - g_print (_("Skipping invalid Exec argument %s\n"), arg); - else - g_string_append_printf (new_exec, " %s", arg); diff --git a/CVE-2021-21381-3.patch b/CVE-2021-21381-3.patch deleted file mode 100644 index ceb4fcc8d92aa8340b67768ae7b1ad46fa63c0d9..0000000000000000000000000000000000000000 --- a/CVE-2021-21381-3.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 46b3ede5241561c7d588951048c687c5075a3eac Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 5 Mar 2021 13:51:33 +0000 -Subject: [PATCH] dir: Refuse to export .desktop files with suspicious uses of - @@ tokens - -This is either a malicious/compromised app trying to do an attack, or -a mistake that will break handling of %f, %u and so on. Either way, -if we refuse to export the .desktop file, resulting in installation -failing, then it makes the rejection more obvious than quietly -removing the magic tokens. - -Signed-off-by: Simon McVittie ---- - common/flatpak-dir.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index facfab37a..c5edf346f 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -5829,7 +5829,11 @@ export_desktop_file (const char *app, - else if (strcasecmp (arg, "%u") == 0) - g_string_append_printf (new_exec, " @@u %s @@", arg); - else if (g_str_has_prefix (arg, "@@")) -- g_print (_("Skipping invalid Exec argument %s\n"), arg); -+ { -+ flatpak_fail_error (error, FLATPAK_ERROR_EXPORT_FAILED, -+ _("Invalid Exec argument %s"), arg); -+ goto out; -+ } - else - g_string_append_printf (new_exec, " %s", arg); - } diff --git a/flatpak-1.0.3.tar.xz b/flatpak-1.0.3.tar.xz deleted file mode 100644 index 4a7735cd45624dc7ced8a7154705e639887261d4..0000000000000000000000000000000000000000 Binary files a/flatpak-1.0.3.tar.xz and /dev/null differ diff --git a/flatpak-1.10.2.tar.xz b/flatpak-1.10.2.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..f7e58fb3248bf39f2fbc145f7b7ecfb782464c97 Binary files /dev/null and b/flatpak-1.10.2.tar.xz differ diff --git a/flatpak.spec b/flatpak.spec index 2fb47c49535f3c1a1a845a0022d49a901a2027e2..2c2b75b3e5d4ceb7ab6ac7161a707f599b6617bf 100644 --- a/flatpak.spec +++ b/flatpak.spec 
@@ -1,26 +1,24 @@
 Name: flatpak
-Version: 1.0.3
-Release: 5
+Version: 1.10.2
+Release: 1
 Summary: Application deployment framework for desktop apps
 License: LGPLv2+
 URL: http://flatpak.org/
 Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
 Patch0000: modify-automake-version.patch
-Patch0001: CVE-2021-21261-1.patch
 Patch0002: CVE-2021-21261-2.patch
-Patch0003: CVE-2021-21261-3.patch
 Patch0004: CVE-2021-21261-4.patch
-Patch0005: CVE-2021-21261-5.patch
-Patch0006: CVE-2021-21381-1.patch
-Patch0007: CVE-2021-21381-2.patch
-Patch0008: CVE-2021-21381-3.patch
-Patch0009: CVE-2019-8308.patch
+Patch0005: 0001-OCI-Switch-to-pax-format-for-tar-archives.patch
 BuildRequires: pkgconfig(appstream-glib) pkgconfig(gio-unix-2.0) pkgconfig(gobject-introspection-1.0) >= 1.40.0 pkgconfig(json-glib-1.0) pkgconfig(libarchive) >= 2.8.0
-BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2018.7 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau)
-BuildRequires: bison bubblewrap >= 0.2.1 docbook-dtds docbook-style-xsl gettext gpgme-devel libcap-devel systemd /usr/bin/xmlto /usr/bin/xsltproc
-Requires: ostree%{?_isa} >= 2018.7 bubblewrap >= 0.2.1 ostree-libs%{?_isa} >= 2018.7
-Recommends: /usr/bin/p11-kit xdg-desktop-portal > 0.10
+BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2020.8 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau)
+BuildRequires: bison bubblewrap >= 0.4.0 docbook-dtds docbook-style-xsl gettext gpgme-devel libcap-devel systemd xmlto libxslt
+BuildRequires: pkgconfig(libsystemd) pkgconfig(dconf) pkgconfig(fuse) pkgconfig(gdk-pixbuf-2.0) pkgconfig(libzstd) >= 0.8.1 python3-pyparsing xdg-dbus-proxy
+
+%{?systemd_requires}
+Requires: ostree%{?_isa} >= 2020.8 bubblewrap >= 0.4.0 ostree-libs%{?_isa} >= 2020.8
+Requires: librsvg2 xdg-dbus-proxy systemd
+Recommends: p11-kit xdg-desktop-portal > 0.10
 Provides: %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs
@@ -44,10 +42,9 @@ This package contains the pkg-config file and development headers for %{name}.
 %build
 (if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi;
- %configure --with-priv-mode=none \
+ %configure --with-priv-mode=none --with-system-dbus-proxy \
 --with-system-bubblewrap --enable-docbook-docs $CONFIGFLAGS)
 %make_build V=1
-sed -i 's/idm[0-9]\{5,32\}\"/idm123456789123456\"/g' %{_builddir}/flatpak-1.0.3/doc/flatpak-docs.html
 %install
 %make_install
@@ -55,6 +52,8 @@ install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir}
 install -d %{buildroot}%{_localstatedir}/lib/flatpak
 install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
 rm -f %{buildroot}%{_libdir}/libflatpak.la
+rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only
+
 %find_lang %{name}
 %post
@@ -70,15 +69,19 @@ flatpak remote-list --system &> /dev/null || :
 %{_datadir}/bash-completion
 %{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.xml
 %{_datadir}/dbus-1/interfaces/org.freedesktop.portal.Flatpak.xml
+%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.Authenticator.xml
 %{_datadir}/dbus-1/services/org.freedesktop.Flatpak.service
+%{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service
 %{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service
 %{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service
-%{_datadir}/gdm/env.d
+%{_datadir}/fish/
 %{_datadir}/%{name}
 %{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy
 %{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules
 %{_datadir}/zsh/site-functions
-%{_libexecdir}/flatpak-dbus-proxy
+%{_libexecdir}/flatpak-oci-authenticator
+%{_libexecdir}/flatpak-validate-icon
+%{_libexecdir}/revokefs-fuse
 %{_libexecdir}/flatpak-portal
 %{_libexecdir}/flatpak-session-helper
 %{_libexecdir}/flatpak-system-helper
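Review bot: `Patch0002: CVE-2021-21261-2.patch` and `Patch0004: CVE-2021-21261-4.patch` survive this hunk while parts 1, 3 and 5 of the same five-part backport are removed, and nothing in the spec says why two fragments of one CVE fix are still needed on 1.10.2. If the upstream 1.10.x release already contains the CVE-2021-21261 fix (dropping the other three parts suggests it does), the leftover fragments are at best no-ops and at worst fail to apply or land on shifted context, so the `%prep` output should be checked to confirm they still apply and still change something. I would add a comment above them along the lines of `# CVE-2021-21261 parts 1/3/5 are upstream in 1.10.2; parts 2 and 4 kept because <reason>, verified against upstream commit <id>`. Reusing `Patch0005:` for the new OCI pax patch, when that number previously identified `CVE-2021-21261-5.patch`, also muddies the audit trail; `Patch0010:` keeps the numbering monotonic.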
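Review bot: The new `rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only` line in `%install` removes an installed file with no comment saying why it is dropped, so the next maintainer has nothing to go on when upstream renames or stops installing it and the build breaks on this line. Using `rm` rather than the `rm -f` of the previous line is a reasonable choice because it makes that breakage visible instead of silent, but the intent should be written down. I would precede it with `# Do not ship upstream's system-wide env generator; only the user generator (%{_systemd_user_env_generator_dir}/60-flatpak) is packaged in %files`.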
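Review bot: The added `%{_datadir}/fish/` entry in `%files` claims the whole fish data directory for flatpak instead of just its completion script, so the package will co-own (or conflict with) a directory that belongs to the fish package, and anything another package installs under it is silently treated as flatpak's on erase. The neighbouring `%{_datadir}/bash-completion` and `%{_datadir}/zsh/site-functions` context lines already have the same directory-ownership shape, so this hunk extends an existing problem rather than creating one. The safer form is the explicit file, `%{_datadir}/fish/vendor_completions.d/flatpak.fish`, with the exact path confirmed from the `make install` log.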
@@ -87,9 +90,11 @@ flatpak remote-list --system &> /dev/null || : %{_sysconfdir}/flatpak/remotes.d %{_sysconfdir}/profile.d/flatpak.sh %{_unitdir}/flatpak-system-helper.service -%{_userunitdir}/flatpak-portal.service +%{_sysusersdir}/flatpak.conf %{_userunitdir}/flatpak-session-helper.service -%{_userunitdir}/dbus.service.d +%{_userunitdir}/flatpak-oci-authenticator.service +%{_userunitdir}/flatpak-portal.service +%{_systemd_user_env_generator_dir}/60-flatpak %{_libdir}/girepository-1.0/Flatpak-1.0.typelib %{_libdir}/libflatpak.so.* @@ -109,6 +114,13 @@ flatpak remote-list --system &> /dev/null || : %{_mandir}/man5/flatpak-remote.5* %changelog +* Tue Jun 29 2021 weijin deng - 1.10.2-1 +- Upgrade to 1.10.2 +- Delete patches that existed in this version 1.10.2, delete sed option + cause no file flatpak-docs.html +- Reserve three patches that still effictive +- Add patch 0001-OCI-Switch-to-pax-format-for-tar-archives.patch + * Mon Apr 12 2021 wangyue - 1.0.3-5 - Fix CVE-2019-8308 diff --git a/modify-automake-version.patch b/modify-automake-version.patch index 2020df11c20ee1760760c1119898627c4e100b02..bbdee72f87338fe4b4b83879fb9298d7915dd72a 100644 --- a/modify-automake-version.patch +++ b/modify-automake-version.patch @@ -7,25 +7,11 @@ if the version of automake in the compile enviroment is inconsistent with the version specified in configure, the compile will fail. --- - configure | 2 +- configure.ac | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) + 1 files changed, 1 insertions(+), 1 deletions(-) -diff --git a/configure b/configure -index 13abc0a..da4fa78 100755 ---- a/configure -+++ b/configure -@@ -12762,7 +12762,7 @@ CC=$lt_save_CC - ac_config_headers="$ac_config_headers config.h" - - --am__api_version='1.15' -+am__api_version='1.16' - - # Find a good install program. We prefer a C program (faster), - # so one script is as good as another. But avoid the broken or 
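Review bot: `%{_sysusersdir}/flatpak.conf` is added to `%files` without a matching `%pre` scriptlet, so the account it declares only exists once systemd-sysusers next runs, not at install time. Whether that matters depends on the distribution: if rpm here carries the systemd file trigger for sysusers.d this is fine, otherwise any helper in this or the previous hunk that may expect the account will run before it exists, and a `%pre` using `%sysusers_create_compat` on a SourceN copy of the sysusers file (or an explicit `systemd-sysusers %{_sysusersdir}/flatpak.conf` in `%post`) is needed; please confirm against the packaging policy. Either way a one-line comment next to the entry saying which component needs the user would help the next reader.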
diff --git a/configure.ac b/configure.ac -index 202ffc8..4ca143e 100644 +index c879e47..8bf37b0 100644 --- a/configure.ac +++ b/configure.ac @@ -48,7 +48,7 @@ LT_INIT([disable-static]) @@ -37,6 +23,3 @@ index 202ffc8..4ca143e 100644 AC_PROG_SED AC_PROG_YACC --- -2.23.0 -