From c6b2d376925d00403618c63c386105775e956e00 Mon Sep 17 00:00:00 2001
From: houyingchao <1348375921@qq.com>
Date: Mon, 27 Sep 2021 15:24:52 +0800
Subject: [PATCH] Fix CVE-2019-10063

(cherry picked from commit dcad592b6f46f3763bedd82eb27eed02f4e6ac26)
---
 CVE-2019-10063.patch | 26 ++++++++++++++++++++++++++
 flatpak.spec         |  6 +++++-
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-10063.patch

diff --git a/CVE-2019-10063.patch b/CVE-2019-10063.patch
new file mode 100644
index 0000000..95629c6
--- /dev/null
+++ b/CVE-2019-10063.patch
@@ -0,0 +1,26 @@
+From a9107feeb4b8275b78965b36bf21b92d5724699e Mon Sep 17 00:00:00 2001
+From: Ryan Gonzalez <rymg19@gmail.com>
+Date: Mon, 25 Mar 2019 13:00:15 -0500
+Subject: [PATCH] run: Only compare the lowest 32 ioctl arg bits for TIOCSTI
+
+Closes #2782.
+
+Closes: #2783
+Approved by: alexlarsson
+---
+ common/flatpak-run.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 42e8bc05c6..b03c215bf2 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2475,7 +2475,7 @@ setup_seccomp (FlatpakBwrap   *bwrap,
+     {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+ 
+     /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
+-    {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)},
++    {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+   };
+ 
+   struct
diff --git a/flatpak.spec b/flatpak.spec
index 2fb47c4..eb843f2 100644
--- a/flatpak.spec
+++ b/flatpak.spec
@@ -1,6 +1,6 @@
 Name:           flatpak
 Version:        1.0.3
-Release:        5
+Release:        6
 Summary:        Application deployment framework for desktop apps
 License:        LGPLv2+
 URL:            http://flatpak.org/
@@ -15,6 +15,7 @@ Patch0006:      CVE-2021-21381-1.patch
 Patch0007:      CVE-2021-21381-2.patch
 Patch0008:      CVE-2021-21381-3.patch
 Patch0009:      CVE-2019-8308.patch
+Patch0010:	CVE-2019-10063.patch
 
 BuildRequires:  pkgconfig(appstream-glib) pkgconfig(gio-unix-2.0) pkgconfig(gobject-introspection-1.0) >= 1.40.0 pkgconfig(json-glib-1.0) pkgconfig(libarchive) >= 2.8.0
 BuildRequires:  pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2018.7 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau)
@@ -109,6 +110,9 @@ flatpak remote-list --system &> /dev/null || :
 %{_mandir}/man5/flatpak-remote.5*
 
 %changelog
+* Mon Sep 27 2021 houyingchao <houyingchao@huawei.com> - 1.0.3-6
+- Fix CVE-2019-10063
+
 * Mon Apr 12 2021 wangyue <wangyue92@huawei.com> - 1.0.3-5
 - Fix CVE-2019-8308
 
-- 
Gitee