diff --git a/0001-OCI-Switch-to-pax-format-for-tar-archives.patch b/0001-OCI-Switch-to-pax-format-for-tar-archives.patch
deleted file mode 100644
index a95238a7c41e0e0d68c7d68292be3f585245a315..0000000000000000000000000000000000000000
--- a/0001-OCI-Switch-to-pax-format-for-tar-archives.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From adbd286cef9a4c4bed76eb95337d5d6f5e42dd45 Mon Sep 17 00:00:00 2001
-From: Kalev Lember
-Date: Mon, 5 Apr 2021 10:40:26 +0200
-Subject: [PATCH] OCI: Switch to pax format for tar archives
-
-For reasons unknown, libarchive appears to generate broken gnutar format
-tar archives when the archive contains files that are larger than 2 GB.
-This commit switches to the pax format to work this around.
-
-This should be a better default as it also removes 256 char filename
-length limitation and matches what other libraries are doing, e.g.
-Python 3.8 switched to the pax format by default as well.
-
-See https://pagure.io/fedora-infrastructure/issue/9840
----
- common/flatpak-oci-registry.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
-index 6aa68c27..2a7f3ba1 100644
---- a/common/flatpak-oci-registry.c
-+++ b/common/flatpak-oci-registry.c
-@@ -1476,7 +1476,7 @@ flatpak_oci_registry_write_layer (FlatpakOciRegistry *self,
- }
-
- a = archive_write_new ();
-- if (archive_write_set_format_gnutar (a) != ARCHIVE_OK ||
-+ if (archive_write_set_format_pax (a) != ARCHIVE_OK ||
- archive_write_add_filter_none (a) != ARCHIVE_OK)
- {
- propagate_libarchive_error (error, a);
---
-2.30.2
-
diff --git a/CVE-2021-21261-2.patch b/CVE-2021-21261-2.patch
deleted file mode 100644
index 3d1da63580468ed5c30bb1f50a3594a5bca3ace7..0000000000000000000000000000000000000000
--- a/CVE-2021-21261-2.patch
+++ /dev/null
@@ -1,241 +0,0 @@
-From 1b82bf2f9df06ee60d222b4fb45fe3490d05ef94 Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Mon, 11 Jan 2021 14:51:36 +0000
-Subject: [PATCH] common: Move flatpak_buffer_to_sealed_memfd_or_tmpfile
- to its own file
-
-We'll need this to use it in flatpak-portal without pulling the rest of
-the common/ directory.
-
-Signed-off-by: Simon McVittie
----
- common/Makefile.am.inc | 2 +
- common/flatpak-utils-memfd-private.h | 32 ++++++++++
- common/flatpak-utils-memfd.c | 90 ++++++++++++++++++++++++++++
- common/flatpak-utils-private.h | 1 +
- common/flatpak-utils.c | 50 ----------------
- 5 files changed, 125 insertions(+), 50 deletions(-)
- create mode 100644 common/flatpak-utils-memfd-private.h
- create mode 100644 common/flatpak-utils-memfd.c
-
-diff --git a/common/Makefile.am.inc b/common/Makefile.am.inc
-index 4844ab5..b681294 100644
---- a/common/Makefile.am.inc
-+++ b/common/Makefile.am.inc
-@@ -164,6 +164,8 @@ libflatpak_common_la_SOURCES = \
- common/flatpak-transaction.c \
- common/flatpak-transaction.h \
- common/flatpak-utils-http-private.h \
-+ common/flatpak-utils-memfd.c \
-+ common/flatpak-utils-memfd-private.h \
- common/flatpak-utils-http.c \
- common/flatpak-utils-private.h \
- common/flatpak-utils.c \
-diff --git a/common/flatpak-utils-memfd-private.h b/common/flatpak-utils-memfd-private.h
-new file mode 100644
-index 0000000..65b550d
---- /dev/null
-+++ b/common/flatpak-utils-memfd-private.h
-@@ -0,0 +1,33 @@
-+/*
-+ * Copyright © 2014 Red Hat, Inc
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2.1 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public
-+ * License along with this library. If not, see .
-+ *
-+ * Authors:
-+ * Alexander Larsson
-+ */
-+
-+#ifndef __FLATPAK_UTILS_MEMFD_H__
-+#define __FLATPAK_UTILS_MEMFD_H__
-+
-+#include "libglnx/libglnx.h"
-+
-+gboolean flatpak_buffer_to_sealed_memfd_or_tmpfile (GLnxTmpfile *tmpf,
-+ const char *name,
-+ const char *str,
-+ size_t len,
-+ GError **error);
-+
-+#endif /* __FLATPAK_UTILS_MEMFD_H__ */
-+
-diff --git a/common/flatpak-utils-memfd.c b/common/flatpak-utils-memfd.c
-new file mode 100644
-index 0000000..9a0730f
---- /dev/null
-+++ b/common/flatpak-utils-memfd.c
-@@ -0,0 +1,90 @@
-+/*
-+ * Copyright © 2014 Red Hat, Inc
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2.1 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public
-+ * License along with this library. If not, see .
-+ *
-+ * Authors:
-+ * Alexander Larsson
-+ */
-+
-+#include "config.h"
-+
-+#include "flatpak-utils-memfd-private.h"
-+
-+#include "valgrind-private.h"
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+/* If memfd_create() is available, generate a sealed memfd with contents of
-+ * @str. Otherwise use an O_TMPFILE @tmpf in anonymous mode, write @str to
-+ * @tmpf, and lseek() back to the start. See also similar uses in e.g.
-+ * rpm-ostree for running dracut.
-+ */
-+gboolean
-+flatpak_buffer_to_sealed_memfd_or_tmpfile (GLnxTmpfile *tmpf,
-+ const char *name,
-+ const char *str,
-+ size_t len,
-+ GError **error)
-+{
-+ if (len == -1)
-+ len = strlen (str);
-+ glnx_autofd int memfd = memfd_create (name, MFD_CLOEXEC | MFD_ALLOW_SEALING);
-+ int fd; /* Unowned */
-+ if (memfd != -1)
-+ {
-+ fd = memfd;
-+ }
-+ else
-+ {
-+ /* We use an anonymous fd (i.e. O_EXCL) since we don't want
-+ * the target container to potentially be able to re-link it.
-+ */
-+ if (!G_IN_SET (errno, ENOSYS, EOPNOTSUPP))
-+ return glnx_throw_errno_prefix (error, "memfd_create");
-+ if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, tmpf, error))
-+ return FALSE;
-+ fd = tmpf->fd;
-+ }
-+ if (ftruncate (fd, len) < 0)
-+ return glnx_throw_errno_prefix (error, "ftruncate");
-+ if (glnx_loop_write (fd, str, len) < 0)
-+ return glnx_throw_errno_prefix (error, "write");
-+ if (lseek (fd, 0, SEEK_SET) < 0)
-+ return glnx_throw_errno_prefix (error, "lseek");
-+ if (memfd != -1)
-+ {
-+ /* Valgrind doesn't currently handle G_ADD_SEALS, so lets not seal when debugging... */
-+ if ((!RUNNING_ON_VALGRIND) &&
-+ fcntl (memfd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0)
-+ return glnx_throw_errno_prefix (error, "fcntl(F_ADD_SEALS)");
-+ /* The other values can stay default */
-+ tmpf->fd = glnx_steal_fd (&memfd);
-+ tmpf->initialized = TRUE;
-+ }
-+ return TRUE;
-+}
-diff --git a/common/flatpak-utils-private.h b/common/flatpak-utils-private.h
-index 1a92154..4c1ac61 100644
---- a/common/flatpak-utils-private.h
-+++ b/common/flatpak-utils-private.h
-@@ -32,6 +32,7 @@
- #include "flatpak-context-private.h"
- #include "flatpak-error.h"
- #include "flatpak-utils-http-private.h"
-+#include "flatpak-utils-memfd-private.h"
- #include "flatpak-variant-private.h"
- #include "flatpak-dir-private.h"
- #include
-diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c
-index 56cbb06..6901a62 100644
---- a/common/flatpak-utils.c
-+++ b/common/flatpak-utils.c
-@@ -1851,56 +1851,6 @@ flatpak_file_rename (GFile *from,
- return TRUE;
- }
-
--/* If memfd_create() is available, generate a sealed memfd with contents of
-- * @str. Otherwise use an O_TMPFILE @tmpf in anonymous mode, write @str to
-- * @tmpf, and lseek() back to the start. See also similar uses in e.g.
-- * rpm-ostree for running dracut.
-- */
--gboolean
--flatpak_buffer_to_sealed_memfd_or_tmpfile (GLnxTmpfile *tmpf,
-- const char *name,
-- const char *str,
-- size_t len,
-- GError **error)
--{
-- if (len == -1)
-- len = strlen (str);
-- glnx_autofd int memfd = memfd_create (name, MFD_CLOEXEC | MFD_ALLOW_SEALING);
-- int fd; /* Unowned */
-- if (memfd != -1)
-- {
-- fd = memfd;
-- }
-- else
-- {
-- /* We use an anonymous fd (i.e. O_EXCL) since we don't want
-- * the target container to potentially be able to re-link it.
-- */
-- if (!G_IN_SET (errno, ENOSYS, EOPNOTSUPP))
-- return glnx_throw_errno_prefix (error, "memfd_create");
-- if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, tmpf, error))
-- return FALSE;
-- fd = tmpf->fd;
-- }
-- if (ftruncate (fd, len) < 0)
-- return glnx_throw_errno_prefix (error, "ftruncate");
-- if (glnx_loop_write (fd, str, len) < 0)
-- return glnx_throw_errno_prefix (error, "write");
-- if (lseek (fd, 0, SEEK_SET) < 0)
-- return glnx_throw_errno_prefix (error, "lseek");
-- if (memfd != -1)
-- {
-- /* Valgrind doesn't currently handle G_ADD_SEALS, so lets not seal when debugging... */
-- if ((!RUNNING_ON_VALGRIND) &&
-- fcntl (memfd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0)
-- return glnx_throw_errno_prefix (error, "fcntl(F_ADD_SEALS)");
-- /* The other values can stay default */
-- tmpf->fd = glnx_steal_fd (&memfd);
-- tmpf->initialized = TRUE;
-- }
-- return TRUE;
--}
--
- gboolean
- flatpak_open_in_tmpdir_at (int tmpdir_fd,
- int mode,
diff --git a/CVE-2021-21261-4.patch b/CVE-2021-21261-4.patch
deleted file mode 100644
index a25884a700eb1c5895b25be2d8f59fe76a992804..0000000000000000000000000000000000000000
--- a/CVE-2021-21261-4.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From ce6a6e593310d42f7aecddb88d98e759f22ab6db Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Tue, 12 Jan 2021 12:25:59 +0000
-Subject: [PATCH] portal: Convert --env in extra-args into --env-fd
-
-This hides overridden variables from the command-line, which means
-processes running under other uids can't see them in /proc/*/cmdline,
-which might be important if they contain secrets.
-
-Signed-off-by: Simon McVittie
-Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
----
- portal/Makefile.am.inc | 4 ++-
- portal/flatpak-portal.c | 65 ++++++++++++++++++++++++++++++++++++++++-
- 2 files changed, 67 insertions(+), 2 deletions(-)
-
-diff --git a/portal/Makefile.am.inc b/portal/Makefile.am.inc
-index dc45969..e5e57ba 100644
---- a/portal/Makefile.am.inc
-+++ b/portal/Makefile.am.inc
-@@ -46,6 +46,8 @@ flatpak_portal_SOURCES = \
- portal/portal-impl.h \
- common/flatpak-portal-error.c \
- common/flatpak-portal-error.h \
-+ common/flatpak-utils-memfd.c \
-+ common/flatpak-utils-memfd-private.h \
- $(NULL)
-
- BUILT_SOURCES += $(nodist_flatpak_portal_SOURCES)
-diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c
-index 7887c57..40a8ce7 100644
---- a/portal/flatpak-portal.c
-+++ b/portal/flatpak-portal.c
-@@ -46,6 +46,14 @@
- #include "flatpak-instance-private.h"
- #include "flatpak-portal-app-info.h"
- #include "flatpak-portal-error.h"
-+#include "flatpak-utils-memfd-private.h"
-+
-+/* Syntactic sugar added in newer GLib, which makes the error paths more
-+ * clearly correct */
-+#ifndef G_DBUS_METHOD_INVOCATION_HANDLED
-+# define G_DBUS_METHOD_INVOCATION_HANDLED TRUE
-+# define G_DBUS_METHOD_INVOCATION_UNHANDLED FALSE
-+#endif
- #include "flatpak-utils-base-private.h"
- #include "portal-impl.h"
- #include "flatpak-permission-dbus.h"
diff --git a/backport-0001-CVE-2021-41133.patch b/backport-0001-CVE-2021-41133.patch
deleted file mode 100644
index 9737a01a7114b92dfc7dcabaed3537b4c4a24626..0000000000000000000000000000000000000000
--- a/backport-0001-CVE-2021-41133.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From e26ac7586c392b5eb35ff4609fe232c52523b2cf Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Wed, 1 Sep 2021 11:53:23 +0100
-Subject: [PATCH] run: Add an errno value to seccomp filters
-
-At the moment, if we block a syscall we always make it fail with EPERM,
-but this is risky: user-space libraries can start to use new replacements
-for old syscalls at any time, and will often treat EPERM as a fatal error.
-For new syscalls, we should make the syscall fail with ENOSYS, which is
-indistinguishable from running on an older kernel and will cause fallback
-to an older implementation, for example clone3() to clone().
-
-In future we should probably move from EPERM to ENOSYS for some of the
-syscalls we already block, but for now keep the status quo.
-
-This is a prerequisite for fixing the vulnerability tracked as
-GHSA-67h7-w3jq-vh4q.
-
-Signed-off-by: Simon McVittie
-
-Conflict:NA
-Reference:https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf
-
----
- common/flatpak-run.c | 62 +++++++++++++++++++++++++-------------------
- 1 file changed, 36 insertions(+), 26 deletions(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index f48f402..3931820 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -2784,61 +2784,63 @@ setup_seccomp (FlatpakBwrap *bwrap,
- struct
- {
- int scall;
-+ int errnum;
- struct scmp_arg_cmp *arg;
- } syscall_blocklist[] = {
- /* Block dmesg */
-- {SCMP_SYS (syslog)},
-+ {SCMP_SYS (syslog), EPERM},
- /* Useless old syscall */
-- {SCMP_SYS (uselib)},
-+ {SCMP_SYS (uselib), EPERM},
- /* Don't allow disabling accounting */
-- {SCMP_SYS (acct)},
-+ {SCMP_SYS (acct), EPERM},
- /* 16-bit code is unnecessary in the sandbox, and modify_ldt is a
- historic source of interesting information leaks. */
-- {SCMP_SYS (modify_ldt)},
-+ {SCMP_SYS (modify_ldt), EPERM},
- /* Don't allow reading current quota use */
-- {SCMP_SYS (quotactl)},
-+ {SCMP_SYS (quotactl), EPERM},
-
- /* Don't allow access to the kernel keyring */
-- {SCMP_SYS (add_key)},
-- {SCMP_SYS (keyctl)},
-- {SCMP_SYS (request_key)},
-+ {SCMP_SYS (add_key), EPERM},
-+ {SCMP_SYS (keyctl), EPERM},
-+ {SCMP_SYS (request_key), EPERM},
-
- /* Scary VM/NUMA ops */
-- {SCMP_SYS (move_pages)},
-- {SCMP_SYS (mbind)},
-- {SCMP_SYS (get_mempolicy)},
-- {SCMP_SYS (set_mempolicy)},
-- {SCMP_SYS (migrate_pages)},
-+ {SCMP_SYS (move_pages), EPERM},
-+ {SCMP_SYS (mbind), EPERM},
-+ {SCMP_SYS (get_mempolicy), EPERM},
-+ {SCMP_SYS (set_mempolicy), EPERM},
-+ {SCMP_SYS (migrate_pages), EPERM},
-
- /* Don't allow subnamespace setups: */
-- {SCMP_SYS (unshare)},
-- {SCMP_SYS (mount)},
-- {SCMP_SYS (pivot_root)},
-+ {SCMP_SYS (unshare), EPERM},
-+ {SCMP_SYS (mount), EPERM},
-+ {SCMP_SYS (pivot_root), EPERM},
- #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
- /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
- * and flags arguments are reversed so the flags come second */
-- {SCMP_SYS (clone), &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
-+ {SCMP_SYS (clone), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
- #else
- /* Normally the flags come first */
-- {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
-+ {SCMP_SYS (clone), EPERM, &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
- #endif
-
- /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
-- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
-+ {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
- };
-
- struct
- {
- int scall;
-+ int errnum;
- struct scmp_arg_cmp *arg;
- } syscall_nondevel_blocklist[] = {
- /* Profiling operations; we expect these to be done by tools from outside
- * the sandbox. In particular perf has been the source of many CVEs.
- */
-- {SCMP_SYS (perf_event_open)},
-+ {SCMP_SYS (perf_event_open), EPERM},
- /* Don't allow you to switch to bsd emulation or whatnot */
-- {SCMP_SYS (personality), &SCMP_A0 (SCMP_CMP_NE, allowed_personality)},
-- {SCMP_SYS (ptrace)}
-+ {SCMP_SYS (personality), EPERM, &SCMP_A0 (SCMP_CMP_NE, allowed_personality)},
-+ {SCMP_SYS (ptrace), EPERM}
- };
- /* Blocklist all but unix, inet, inet6 and netlink */
- struct
-@@ -2922,10 +2924,14 @@ setup_seccomp (FlatpakBwrap *bwrap,
- for (i = 0; i < G_N_ELEMENTS (syscall_blocklist); i++)
- {
- int scall = syscall_blocklist[i].scall;
-+ int errnum = syscall_blocklist[i].errnum;
-+
-+ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE);
-+
- if (syscall_blocklist[i].arg)
-- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_blocklist[i].arg);
-+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg);
- else
-- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0);
-+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
- if (r < 0 && r == -EFAULT /* unknown syscall */)
- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
- }
-@@ -2935,10 +2941,14 @@ setup_seccomp (FlatpakBwrap *bwrap,
- for (i = 0; i < G_N_ELEMENTS (syscall_nondevel_blocklist); i++)
- {
- int scall = syscall_nondevel_blocklist[i].scall;
-+ int errnum = syscall_nondevel_blocklist[i].errnum;
-+
-+ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE);
-+
- if (syscall_nondevel_blocklist[i].arg)
-- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_nondevel_blocklist[i].arg);
-+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_nondevel_blocklist[i].arg);
- else
-- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0);
-+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
-
- if (r < 0 && r == -EFAULT /* unknown syscall */)
- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
---
-2.27.0
-
diff --git a/backport-0001-CVE-2021-43860.patch b/backport-0001-CVE-2021-43860.patch
deleted file mode 100644
index da1537b7818cd89c5a7ea14460db4fa29224e62f..0000000000000000000000000000000000000000
--- a/backport-0001-CVE-2021-43860.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From 54ec1a482dfc668127eaae57f135e6a8e0bc52da Mon Sep 17 00:00:00 2001
-From: Phaedrus Leeds
-Date: Tue, 28 Dec 2021 11:48:16 -0800
-Subject: [PATCH] Add test for metadata validation
-
-This tests for invalid metadata, missing xa.metadata and mismatched
-values in xa.metadata and the real metadata, including the embedded
-null leading to the hidden permissions of CVE-2021-43860.
-
-Conflict:NA
-Reference:https://github.com/flatpak/flatpak/commit/54ec1a482dfc668127eaae57f135e6a8e0bc52da
-
----
- tests/Makefile-test-matrix.am.inc | 1 +
- tests/Makefile.am.inc | 1 +
- tests/test-metadata-validation.sh | 158 ++++++++++++++++++++++++++++++
- 3 files changed, 160 insertions(+)
- create mode 100644 tests/test-metadata-validation.sh
-
-diff --git a/tests/Makefile-test-matrix.am.inc b/tests/Makefile-test-matrix.am.inc
-index 30b402d..eef5a7e 100644
---- a/tests/Makefile-test-matrix.am.inc
-+++ b/tests/Makefile-test-matrix.am.inc
-@@ -36,6 +36,7 @@ TEST_MATRIX_DIST= \
- tests/test-build-update-repo.sh \
- tests/test-http-utils.sh \
- tests/test-default-remotes.sh \
-+ tests/test-metadata-validation.sh \
- tests/test-extensions.sh \
- tests/test-oci.sh \
- tests/test-override.sh \
-diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc
-index 2458445..53d6403 100644
---- a/tests/Makefile.am.inc
-+++ b/tests/Makefile.am.inc
-@@ -216,6 +216,7 @@ TEST_MATRIX_SOURCE = \
- tests/test-repo.sh{{user+system+system-norevokefs}+{{user+system},oldsummary}} \
- tests/test-sideload.sh{user+system} \
- tests/test-default-remotes.sh \
-+ tests/test-metadata-validation.sh \
- tests/test-extensions.sh \
- tests/test-bundle.sh{user+system+system-norevokefs} \
- tests/test-oci.sh \
-diff --git a/tests/test-metadata-validation.sh b/tests/test-metadata-validation.sh
-new file mode 100644
-index 0000000..7e3efcc
---- /dev/null
-+++ b/tests/test-metadata-validation.sh
-@@ -0,0 +1,158 @@
-+#!/bin/bash
-+#
-+# Copyright (C) 2021 Matthew Leeds
-+#
-+# SPDX-License-Identifier:
LGPL-2.0-or-later -+ -+set -euo pipefail -+ -+. $(dirname $0)/libtest.sh -+ -+echo "1..7" -+ -+setup_repo -+ -+COUNTER=1 -+ -+create_app () { -+ local OPTIONS="$1" -+ local DIR=`mktemp -d` -+ -+ mkdir ${DIR}/files -+ echo $COUNTER > ${DIR}/files/counter -+ let COUNTER=COUNTER+1 -+ -+ local INVALID="" -+ if [[ $OPTIONS =~ "invalid" ]]; then -+ INVALID=invalidkeyfileline -+ fi -+ cat > ${DIR}/metadata <> ${DIR}/metadata -+ fi -+ if [[ $OPTIONS =~ "hidden" ]]; then -+ echo -ne "\0" >> ${DIR}/metadata -+ echo -e "\nfilesystems=home;" >> ${DIR}/metadata -+ fi -+ local XA_METADATA=--add-metadata-string=xa.metadata="$(head -n6 ${DIR}/metadata)"$'\n' -+ if [[ $OPTIONS =~ "no-xametadata" ]]; then -+ XA_METADATA="--add-metadata-string=xa.nometadata=1" -+ fi -+ ostree commit --repo=repos/test --branch=app/org.test.Malicious/${ARCH}/master ${FL_GPGARGS} "$XA_METADATA" ${DIR}/ -+ if [[ $OPTIONS =~ "no-cache-in-summary" ]]; then -+ ostree --repo=repos/test ${FL_GPGARGS} summary -u -+ # force use of legacy summary format -+ rm -rf repos/test/summary.idx repos/test/summaries -+ else -+ update_repo -+ fi -+ rm -rf ${DIR} -+} -+ -+cleanup_repo () { -+ ostree refs --repo=repos/test --delete app/org.test.Malicious/${ARCH}/master -+ update_repo -+} -+ -+create_app "hidden" -+ -+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then -+ assert_not_reached "Should not be able to install app with hidden permissions" -+fi -+ -+assert_file_has_content install-error-log "not matching expected metadata" -+ -+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active -+ -+cleanup_repo -+ -+ok "app with hidden permissions can't be installed (CVE-2021-43860)" -+ -+create_app no-xametadata -+ -+# The install will fail because the metadata in the summary doesn't match the metadata on the commit -+# The missing xa.metadata in the commit got turned into "" in the xa.cache -+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then -+ 
assert_not_reached "Should not be able to install app with missing xa.metadata"
-+fi
-+
-+assert_file_has_content install-error-log "not matching expected metadata"
-+
-+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
-+
-+cleanup_repo
-+
-+ok "app with no xa.metadata can't be installed"
-+
-+create_app "no-xametadata no-cache-in-summary"
-+
-+# The install will fail because there's no metadata in the summary or on the commit
-+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
-+ assert_not_reached "Should not be able to install app with missing metadata"
-+fi
-+assert_file_has_content install-error-log "No xa.metadata in local commit"
-+
-+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
-+
-+cleanup_repo
-+
-+ok "app with no xa.metadata and no metadata in summary can't be installed"
-+
-+create_app "invalid"
-+
-+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
-+ assert_not_reached "Should not be able to install app with invalid metadata"
-+fi
-+assert_file_has_content install-error-log "Metadata for .* is invalid"
-+
-+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
-+
-+cleanup_repo
-+
-+ok "app with invalid metadata (in summary) can't be installed"
-+
-+create_app "invalid no-cache-in-summary"
-+
-+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
-+ assert_not_reached "Should not be able to install app with invalid metadata"
-+fi
-+assert_file_has_content install-error-log "Metadata for .* is invalid"
-+
-+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
-+
-+cleanup_repo
-+
-+ok "app with invalid metadata (in commit) can't be installed"
-+
-+create_app "mismatch no-cache-in-summary"
-+
-+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
-+ assert_not_reached "Should not be able to install app with non-matching metadata"
-+fi
-+assert_file_has_content install-error-log "Commit metadata for .* not matching expected metadata"
-+
-+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
-+
-+cleanup_repo
-+
-+ok "app with mismatched metadata (in commit) can't be installed"
-+
-+create_app "mismatch"
-+
-+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
-+ assert_not_reached "Should not be able to install app with non-matching metadata"
-+fi
-+assert_file_has_content install-error-log "Commit metadata for .* not matching expected metadata"
-+
-+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
-+
-+cleanup_repo
-+
-+ok "app with mismatched metadata (in summary) can't be installed"
---
-2.27.0
-
diff --git a/backport-0002-CVE-2021-41133.patch b/backport-0002-CVE-2021-41133.patch
deleted file mode 100644
index 29b024088a3676bef522f1ce620d98f2a53200b6..0000000000000000000000000000000000000000
--- a/backport-0002-CVE-2021-41133.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 89ae9fe74c6d445bb1b3a40e568d77cf5de47e48 Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Wed, 1 Sep 2021 12:44:04 +0100
-Subject: [PATCH] run: Add cross-references for some other seccomp syscall
- filters
-
-Signed-off-by: Simon McVittie
-
-Conflict:NA
-Reference:https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48
-
----
- common/flatpak-run.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index 3931820..38ba16f 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -2779,6 +2779,10 @@ setup_seccomp (FlatpakBwrap *bwrap,
- * https://git.gnome.org/browse/linux-user-chroot
- * in src/setup-seccomp.c
- *
-+ * Other useful resources:
-+ * https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c
-+ * https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json
-+ *
- **** END NOTE ON CODE SHARING
- */
- struct
---
-2.27.0
-
diff --git a/backport-0002-CVE-2021-43860.patch b/backport-0002-CVE-2021-43860.patch
deleted file mode 100644
index b90c9d5c4a9ff07629b4fe17f102f3622c3c52f4..0000000000000000000000000000000000000000
--- a/backport-0002-CVE-2021-43860.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 65cbfac982cb1c83993a9e19aa424daee8e9f042 Mon Sep 17 00:00:00 2001
-From: Alexander Larsson
-Date: Wed, 12 Jan 2022 11:00:56 +0100
-Subject: [PATCH] Ensure that bundles have metadata on install
-
-If we have a bundle without metadata we wouldn't properly present
-the permissions in the transaction.
-
-Conflict:NA
-Reference:https://github.com/flatpak/flatpak/commit/65cbfac982cb1c83993a9e19aa424daee8e9f042
-
----
- common/flatpak-dir.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
-index 94a86f4..ddc5ee9 100644
---- a/common/flatpak-dir.c
-+++ b/common/flatpak-dir.c
-@@ -9295,6 +9295,13 @@ flatpak_dir_ensure_bundle_remote (FlatpakDir *self,
- if (metadata == NULL)
- return NULL;
-
-+ /* If we rely on metadata (to e.g. print permissions), check it exists before creating the remote */
-+ if (out_metadata && fp_metadata == NULL)
-+ {
-+ flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA, "No metadata in bundler header");
-+ return NULL;
-+ }
-+
- gpg_data = extra_gpg_data ? extra_gpg_data : included_gpg_data;
-
- deploy_data = flatpak_dir_get_deploy_data (self, ref, FLATPAK_DEPLOY_VERSION_ANY, cancellable, NULL);
---
-2.27.0
-
diff --git a/backport-0003-CVE-2021-41133.patch b/backport-0003-CVE-2021-41133.patch
deleted file mode 100644
index 36a335d039dfbef9e93d8ba8f909ac8e97ca84be..0000000000000000000000000000000000000000
--- a/backport-0003-CVE-2021-41133.patch
+++ /dev/null
@@ -1,252 +0,0 @@
-From 26b12484eb8a6219b9e7aa287b298a894b2f34ca Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Wed, 1 Sep 2021 14:17:04 +0100
-Subject: [PATCH] common: Add a list of recently-added Linux syscalls
-
-Historically, syscalls could take arbitrarily-different values on
-different architectures, but new syscalls are added with syscall numbers
-that align on each architecture.
-
-Signed-off-by: Simon McVittie
-
-Conflict:NA
-Reference:https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca
-
----
- common/Makefile.am.inc | 1 +
- common/flatpak-run.c | 2 +
- common/flatpak-syscalls-private.h | 197 ++++++++++++++++++++++++++++++
- 3 files changed, 200 insertions(+)
- create mode 100644 common/flatpak-syscalls-private.h
-
-diff --git a/common/Makefile.am.inc b/common/Makefile.am.inc
-index b681294..919b015 100644
---- a/common/Makefile.am.inc
-+++ b/common/Makefile.am.inc
-@@ -160,6 +160,7 @@ libflatpak_common_la_SOURCES = \
- common/flatpak-remote.c \
- common/flatpak-run-private.h \
- common/flatpak-run.c \
-+ common/flatpak-syscalls-private.h \
- common/flatpak-transaction-private.h \
- common/flatpak-transaction.c \
- common/flatpak-transaction.h \
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index 38ba16f..5cf6d2e 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -41,6 +41,8 @@
- #include
- #endif
-
-+#include "flatpak-syscalls-private.h"
-+
- #ifdef ENABLE_SECCOMP
- #include
- #endif
-diff --git a/common/flatpak-syscalls-private.h b/common/flatpak-syscalls-private.h
-new file mode 100644
-index 0000000..04eb38c
---- /dev/null
-+++ b/common/flatpak-syscalls-private.h
-@@ -0,0 +1,197 @@
-+/*
-+ * Copyright 2021 Collabora Ltd.
-+ * SPDX-License-Identifier: LGPL-2.1-or-later
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2.1 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public
-+ * License along with this library. If not, see .
-+ */
-+
-+#pragma once
-+
-+#include
-+
-+#if defined(_MIPS_SIM)
-+# if _MIPS_SIM == _MIPS_SIM_ABI32
-+# define FLATPAK_MISSING_SYSCALL_BASE 4000
-+# elif _MIPS_SIM == _MIPS_SIM_ABI64
-+# define FLATPAK_MISSING_SYSCALL_BASE 5000
-+# elif _MIPS_SIM == _MIPS_SIM_NABI32
-+# define FLATPAK_MISSING_SYSCALL_BASE 6000
-+# else
-+# error "Unknown MIPS ABI"
-+# endif
-+#endif
-+
-+#if defined(__ia64__)
-+# define FLATPAK_MISSING_SYSCALL_BASE 1024
-+#endif
-+
-+#if defined(__alpha__)
-+# define FLATPAK_MISSING_SYSCALL_BASE 110
-+#endif
-+
-+#if defined(__x86_64__) && defined(__ILP32__)
-+# define FLATPAK_MISSING_SYSCALL_BASE 0x40000000
-+#endif
-+
-+/*
-+ * FLATPAK_MISSING_SYSCALL_BASE:
-+ *
-+ * Number to add to the syscall numbers of recently-added syscalls
-+ * to get the appropriate syscall for the current ABI.
-+ */
-+#ifndef FLATPAK_MISSING_SYSCALL_BASE
-+# define FLATPAK_MISSING_SYSCALL_BASE 0
-+#endif
-+
-+#ifndef __NR_open_tree
-+# define __NR_open_tree (FLATPAK_MISSING_SYSCALL_BASE + 428)
-+#endif
-+#ifndef __SNR_open_tree
-+# define __SNR_open_tree __NR_open_tree
-+#endif
-+
-+#ifndef __NR_move_mount
-+# define __NR_move_mount (FLATPAK_MISSING_SYSCALL_BASE + 429)
-+#endif
-+#ifndef __SNR_move_mount
-+# define __SNR_move_mount __NR_move_mount
-+#endif
-+
-+#ifndef __NR_fsopen
-+# define __NR_fsopen (FLATPAK_MISSING_SYSCALL_BASE + 430)
-+#endif
-+#ifndef __SNR_fsopen
-+# define __SNR_fsopen __NR_fsopen
-+#endif
-+
-+#ifndef __NR_fsconfig
-+# define __NR_fsconfig (FLATPAK_MISSING_SYSCALL_BASE + 431)
-+#endif
-+#ifndef __SNR_fsconfig
-+# define __SNR_fsconfig __NR_fsconfig
-+#endif
-+
-+#ifndef __NR_fsmount
-+# define __NR_fsmount (FLATPAK_MISSING_SYSCALL_BASE + 432)
-+#endif
-+#ifndef __SNR_fsmount
-+# define __SNR_fsmount __NR_fsmount
-+#endif
-+
-+#ifndef __NR_fspick
-+# define __NR_fspick (FLATPAK_MISSING_SYSCALL_BASE + 433)
-+#endif
-+#ifndef __SNR_fspick
-+# define __SNR_fspick __NR_fspick
-+#endif
-+
-+#ifndef __NR_pidfd_open
-+# define __NR_pidfd_open (FLATPAK_MISSING_SYSCALL_BASE + 434)
-+#endif
-+#ifndef __SNR_pidfd_open
-+# define __SNR_pidfd_open __NR_pidfd_open
-+#endif
-+
-+#ifndef __NR_clone3
-+# define __NR_clone3 (FLATPAK_MISSING_SYSCALL_BASE + 435)
-+#endif
-+#ifndef __SNR_clone3
-+# define __SNR_clone3 __NR_clone3
-+#endif
-+
-+#ifndef __NR_close_range
-+# define __NR_close_range (FLATPAK_MISSING_SYSCALL_BASE + 436)
-+#endif
-+#ifndef __SNR_close_range
-+# define __SNR_close_range __NR_close_range
-+#endif
-+
-+#ifndef __NR_openat2
-+# define __NR_openat2 (FLATPAK_MISSING_SYSCALL_BASE + 437)
-+#endif
-+#ifndef __SNR_openat2
-+# define __SNR_openat2 __NR_openat2
-+#endif
-+
-+#ifndef __NR_pidfd_getfd
-+# define __NR_pidfd_getfd (FLATPAK_MISSING_SYSCALL_BASE + 438)
-+#endif
-+#ifndef __SNR_pidfd_getfd
-+# define __SNR_pidfd_getfd __NR_pidfd_getfd
-+#endif
-+
-+#ifndef __NR_faccessat2
-+# define __NR_faccessat2 (FLATPAK_MISSING_SYSCALL_BASE + 439)
-+#endif
-+#ifndef __SNR_faccessat2
-+# define __SNR_faccessat2 __NR_faccessat2
-+#endif
-+
-+#ifndef __NR_process_madvise
-+# define __NR_process_madvise (FLATPAK_MISSING_SYSCALL_BASE + 440)
-+#endif
-+#ifndef __SNR_process_madvise
-+# define __SNR_process_madvise __NR_process_madvise
-+#endif
-+
-+#ifndef __NR_epoll_pwait2
-+# define __NR_epoll_pwait2 (FLATPAK_MISSING_SYSCALL_BASE + 441)
-+#endif
-+#ifndef __SNR_epoll_pwait2
-+# define __SNR_epoll_pwait2 __NR_epoll_pwait2
-+#endif
-+
-+#ifndef __NR_mount_setattr
-+# define __NR_mount_setattr (FLATPAK_MISSING_SYSCALL_BASE + 442)
-+#endif
-+#ifndef __SNR_mount_setattr
-+# define __SNR_mount_setattr __NR_mount_setattr
-+#endif
-+
-+#ifndef __NR_quotactl_fd
-+# define __NR_quotactl_fd (FLATPAK_MISSING_SYSCALL_BASE + 443)
-+#endif
-+#ifndef __SNR_quotactl_fd
-+# define __SNR_quotactl_fd __NR_quotactl_fd
-+#endif
-+
-+#ifndef __NR_landlock_create_ruleset
-+# define __NR_landlock_create_ruleset (FLATPAK_MISSING_SYSCALL_BASE + 444)
-+#endif
-+#ifndef __SNR_landlock_create_ruleset
-+# define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset
-+#endif
-+
-+#ifndef __NR_landlock_add_rule
-+# define __NR_landlock_add_rule (FLATPAK_MISSING_SYSCALL_BASE + 445)
-+#endif
-+#ifndef __SNR_landlock_add_rule
-+# define __SNR_landlock_add_rule __NR_landlock_add_rule
-+#endif
-+
-+#ifndef __NR_landlock_restrict_self
-+# define __NR_landlock_restrict_self (FLATPAK_MISSING_SYSCALL_BASE + 446)
-+#endif
-+#ifndef __SNR_landlock_restrict_self
-+# define __SNR_landlock_restrict_self __NR_landlock_restrict_self
-+#endif
-+
-+#ifndef __NR_memfd_secret
-+# define __NR_memfd_secret (FLATPAK_MISSING_SYSCALL_BASE + 447)
-+#endif
-+#ifndef __SNR_memfd_secret
-+# define __SNR_memfd_secret __NR_memfd_secret
-+#endif
-+
-+/* Last updated: Linux 5.14, syscall numbers < 448 */
---
-2.27.0
-
diff --git a/backport-0003-CVE-2021-43860.patch b/backport-0003-CVE-2021-43860.patch
deleted file mode 100644
index f6ee0a6560bc85f81659924c9905d1721d8e1430..0000000000000000000000000000000000000000
--- a/backport-0003-CVE-2021-43860.patch
+++ /dev/null
@@ -1,210 +0,0 @@ -From ba818f504c926baaf6e362be8159cfacf994310e Mon Sep 17 00:00:00 2001 -From: Ryan Gonzalez -Date: Thu, 23 Dec 2021 18:30:17 -0600 -Subject: [PATCH] Fix metadata file contents after null terminators being - ignored - -In particular, if a null terminator is placed inside the metadata file, -Flatpak will only compare the text *before* it to the value of -xa.metadata, but the full file will be parsed when permissions are set -at runtime. This means that any app can include a null terminator in its -permissions metadata, and Flatpak will only show the user the -permissions *preceding* the terminator during install, but the -permissions *after* the terminator are applied at runtime. - -Fixes GHSA-qpjc-vq3c-572j / CVE-2021-43860 - -Signed-off-by: Ryan Gonzalez - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e - ---- - common/flatpak-dir.c | 36 +++++++++++++++++++++++++++--------- - common/flatpak-transaction.c | 8 ++++---- - common/flatpak-utils.c | 9 +++++---- - 3 files changed, 36 insertions(+), 17 deletions(-) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index ddc5ee9..e6c8046 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -1762,19 +1762,29 @@ static gboolean - validate_commit_metadata (GVariant *commit_data, - const char *ref, - const char *required_metadata, -+ gsize required_metadata_size, - gboolean require_xa_metadata, - GError **error) - { - g_autoptr(GVariant) commit_metadata = NULL; -+ g_autoptr(GVariant) xa_metadata_v = NULL; - const char *xa_metadata = NULL; -+ gsize xa_metadata_size = 0; - - commit_metadata = g_variant_get_child_value (commit_data, 0); - - if (commit_metadata != NULL) -- g_variant_lookup (commit_metadata, "xa.metadata", "&s", &xa_metadata); -+ { -+ xa_metadata_v = g_variant_lookup_value (commit_metadata, -+ "xa.metadata", -+ G_VARIANT_TYPE_STRING); -+ if (xa_metadata_v) -+ xa_metadata = g_variant_get_string (xa_metadata_v, 
&xa_metadata_size); -+ } - - if ((xa_metadata == NULL && require_xa_metadata) || -- (xa_metadata != NULL && g_strcmp0 (required_metadata, xa_metadata) != 0)) -+ (xa_metadata != NULL && (xa_metadata_size != required_metadata_size || -+ memcmp (xa_metadata, required_metadata, xa_metadata_size) != 0))) - { - g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED, - _("Commit metadata for %s not matching expected metadata"), ref); -@@ -3478,6 +3488,7 @@ upgrade_deploy_data (GBytes *deploy_data, - g_autoptr(GKeyFile) keyfile = NULL; - g_autoptr(GFile) metadata_file = NULL; - g_autofree char *metadata_contents = NULL; -+ gsize metadata_size = 0; - g_autofree char *id = flatpak_decomposed_dup_id (ref); - - /* Add fields from commit metadata to deploy */ -@@ -3491,9 +3502,9 @@ upgrade_deploy_data (GBytes *deploy_data, - keyfile = g_key_file_new (); - metadata_file = g_file_resolve_relative_path (deploy_dir, "metadata"); - if (!g_file_load_contents (metadata_file, cancellable, -- &metadata_contents, NULL, NULL, error)) -+ &metadata_contents, &metadata_size, NULL, error)) - return NULL; -- if (!g_key_file_load_from_data (keyfile, metadata_contents, -1, 0, error)) -+ if (!g_key_file_load_from_data (keyfile, metadata_contents, metadata_size, 0, error)) - return NULL; - add_metadata_to_deploy_data (&metadata_dict, keyfile); - -@@ -5799,8 +5810,13 @@ flatpak_dir_pull (FlatpakDir *self, - { - g_autoptr(GVariant) commit_data = NULL; - if (!ostree_repo_load_commit (repo, rev, &commit_data, NULL, error) || -- !validate_commit_metadata (commit_data, ref, (const char *)g_bytes_get_data (require_metadata, NULL), TRUE, error)) -- return FALSE; -+ !validate_commit_metadata (commit_data, -+ ref, -+ (const char *)g_bytes_get_data (require_metadata, NULL), -+ g_bytes_get_size (require_metadata), -+ TRUE, -+ error)) -+ goto out; - } - - if (!flatpak_dir_pull_extra_data (self, repo, -@@ -8111,6 +8127,7 @@ flatpak_dir_deploy (FlatpakDir *self, - g_auto(GLnxLockFile) lock = { 0, }; - 
g_autoptr(GFile) metadata_file = NULL; - g_autofree char *metadata_contents = NULL; -+ gsize metadata_size = 0; - gboolean is_oci; - - if (!flatpak_dir_ensure_repo (self, cancellable, error)) -@@ -8320,11 +8337,12 @@ flatpak_dir_deploy (FlatpakDir *self, - keyfile = g_key_file_new (); - metadata_file = g_file_resolve_relative_path (checkoutdir, "metadata"); - if (g_file_load_contents (metadata_file, NULL, -- &metadata_contents, NULL, NULL, NULL)) -+ &metadata_contents, -+ &metadata_size, NULL, NULL)) - { - if (!g_key_file_load_from_data (keyfile, - metadata_contents, -- -1, -+ metadata_size, - 0, error)) - return FALSE; - -@@ -8340,7 +8358,7 @@ flatpak_dir_deploy (FlatpakDir *self, - */ - is_oci = flatpak_dir_get_remote_oci (self, origin); - if (!validate_commit_metadata (commit_data, flatpak_decomposed_get_ref (ref), -- metadata_contents, !is_oci, error)) -+ metadata_contents, metadata_size, !is_oci, error)) - return FALSE; - - dotref = g_file_resolve_relative_path (checkoutdir, "files/.ref"); -diff --git a/common/flatpak-transaction.c b/common/flatpak-transaction.c -index 1927498..721da14 100644 ---- a/common/flatpak-transaction.c -+++ b/common/flatpak-transaction.c -@@ -2520,7 +2520,7 @@ flatpak_transaction_add_ref (FlatpakTransaction *self, - return FALSE; - - if (external_metadata) -- op->external_metadata = g_bytes_new (external_metadata, strlen (external_metadata) + 1); -+ op->external_metadata = g_bytes_new (external_metadata, strlen (external_metadata)); - - return TRUE; - } -@@ -2937,7 +2937,7 @@ load_deployed_metadata (FlatpakTransaction *self, FlatpakDecomposed *ref, char * - return NULL; - } - -- return g_bytes_new_take (g_steal_pointer (&metadata_contents), metadata_contents_length + 1); -+ return g_bytes_new_take (g_steal_pointer (&metadata_contents), metadata_contents_length); - } - - static void -@@ -3034,7 +3034,7 @@ resolve_op_from_commit (FlatpakTransaction *self, - if (xa_metadata == NULL) - g_message ("Warning: No xa.metadata in local commit 
%s ref %s", checksum, flatpak_decomposed_get_ref (op->ref)); - else -- metadata_bytes = g_bytes_new (xa_metadata, strlen (xa_metadata) + 1); -+ metadata_bytes = g_bytes_new (xa_metadata, strlen (xa_metadata)); - - if (g_variant_lookup (commit_metadata, "xa.download-size", "t", &download_size)) - op->download_size = GUINT64_FROM_BE (download_size); -@@ -3074,7 +3074,7 @@ try_resolve_op_from_metadata (FlatpakTransaction *self, - &download_size, &installed_size, &metadata, NULL)) - return FALSE; - -- metadata_bytes = g_bytes_new (metadata, strlen (metadata) + 1); -+ metadata_bytes = g_bytes_new (metadata, strlen (metadata)); - - if (flatpak_remote_state_lookup_ref (state, flatpak_decomposed_get_ref (op->ref), - NULL, NULL, &info, NULL, NULL)) -diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c -index 6901a62..9eedbfa 100644 ---- a/common/flatpak-utils.c -+++ b/common/flatpak-utils.c -@@ -6604,6 +6604,7 @@ flatpak_pull_from_bundle (OstreeRepo *repo, - GCancellable *cancellable, - GError **error) - { -+ gsize metadata_size = 0; - g_autofree char *metadata_contents = NULL; - g_autofree char *to_checksum = NULL; - g_autoptr(GFile) root = NULL; -@@ -6620,6 +6621,8 @@ flatpak_pull_from_bundle (OstreeRepo *repo, - if (metadata == NULL) - return FALSE; - -+ metadata_size = strlen (metadata_contents); -+ - if (!ostree_repo_get_remote_option (repo, remote, "collection-id", NULL, - &remote_collection_id, NULL)) - remote_collection_id = NULL; -@@ -6689,12 +6692,10 @@ flatpak_pull_from_bundle (OstreeRepo *repo, - cancellable, error) < 0) - return FALSE; - -- /* Null terminate */ -- g_output_stream_write (G_OUTPUT_STREAM (data_stream), "\0", 1, NULL, NULL); -- - metadata_valid = - metadata_contents != NULL && -- strcmp (metadata_contents, g_memory_output_stream_get_data (data_stream)) == 0; -+ metadata_size == g_memory_output_stream_get_data_size (data_stream) && -+ memcmp (metadata_contents, g_memory_output_stream_get_data (data_stream), metadata_size) == 0; - } - else - 
{
---
-2.27.0
-
diff --git a/backport-0004-CVE-2021-41133.patch b/backport-0004-CVE-2021-41133.patch
deleted file mode 100644
index 9f618796a7fee562a6b3d537319e848cbc225b6d..0000000000000000000000000000000000000000
--- a/backport-0004-CVE-2021-41133.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From a10f52a7565c549612c92b8e736a6698a53db330 Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Wed, 1 Sep 2021 11:59:00 +0100
-Subject: [PATCH] run: Block clone3() in sandbox
-
-clone3() can be used to implement clone() with CLONE_NEWUSER, allowing
-a sandboxed process to get CAP_SYS_ADMIN in a new namespace and
-manipulate its root directory. We need to block this so that AF_UNIX-based
-socket servers (X11, Wayland, etc.) can rely on
-/proc/PID/root/.flatpak-info existing for all Flatpak-sandboxed apps.
-
-Partially fixes GHSA-67h7-w3jq-vh4q.
-
-Thanks: an anonymous reporter
-Signed-off-by: Simon McVittie
-
-Conflict:NA
-Reference:https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330
-
----
- common/flatpak-run.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index 5cf6d2e..dad0cfe 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -2832,6 +2832,12 @@ setup_seccomp (FlatpakBwrap *bwrap,
-
- /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
- {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
-+
-+ /* seccomp can't look into clone3()'s struct clone_args to check whether
-+ * the flags are OK, so we have no choice but to block clone3().
-+ * Return ENOSYS so user-space will fall back to clone().
-+ * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
-+ {SCMP_SYS (clone3), ENOSYS},
- };
-
- struct
---
-2.27.0
-
diff --git a/backport-0004-CVE-2021-43860.patch b/backport-0004-CVE-2021-43860.patch
deleted file mode 100644
index 67aab694c86d072341ce34bab70ba3e6c267bd3b..0000000000000000000000000000000000000000
--- a/backport-0004-CVE-2021-43860.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 93357d357119093804df05acc32ff335839c6451 Mon Sep 17 00:00:00 2001
-From: Alexander Larsson
-Date: Tue, 11 Jan 2022 10:27:46 +0100
-Subject: [PATCH] Require metadata in commit also for OCI remotes
-
-This was disables a long time ago because the fedora remotes didn't
-contain metadata, but that has been added since then. Requiring fixes
-a security concern where an app claims to require no permissions (by
-having no metadata in commit) but then actually requires permissions
-in the installed app.
-
-Conflict:NA
-Reference:https://github.com/flatpak/flatpak/commit/93357d357119093804df05acc32ff335839c6451
-
----
- common/flatpak-dir.c | 14 ++++----------
- 1 file changed, 4 insertions(+), 10 deletions(-)
-
-diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
-index e6c8046..e6a83cf 100644
---- a/common/flatpak-dir.c
-+++ b/common/flatpak-dir.c
-@@ -1763,7 +1763,6 @@ validate_commit_metadata (GVariant *commit_data,
- const char *ref,
- const char *required_metadata,
- gsize required_metadata_size,
-- gboolean require_xa_metadata,
- GError **error)
- {
- g_autoptr(GVariant) commit_metadata = NULL;
-@@ -1782,9 +1781,9 @@ validate_commit_metadata (GVariant *commit_data,
- xa_metadata = g_variant_get_string (xa_metadata_v, &xa_metadata_size);
- }
-
-- if ((xa_metadata == NULL && require_xa_metadata) ||
-- (xa_metadata != NULL && (xa_metadata_size != required_metadata_size ||
-- memcmp (xa_metadata, required_metadata, xa_metadata_size) != 0)))
-+ if (xa_metadata == NULL ||
-+ xa_metadata_size != required_metadata_size ||
-+ memcmp (xa_metadata, required_metadata, xa_metadata_size) != 0)
- {
- g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
- _("Commit metadata for %s not matching expected metadata"), ref);
-@@ -5814,7 +5813,6 @@ flatpak_dir_pull (FlatpakDir *self,
- ref,
- (const char *)g_bytes_get_data (require_metadata, NULL),
- g_bytes_get_size (require_metadata),
-- TRUE,
- error))
- goto out;
- }
-@@ -8128,7 +8126,6 @@
flatpak_dir_deploy (FlatpakDir *self,
- g_autoptr(GFile) metadata_file = NULL;
- g_autofree char *metadata_contents = NULL;
- gsize metadata_size = 0;
-- gboolean is_oci;
-
- if (!flatpak_dir_ensure_repo (self, cancellable, error))
- return FALSE;
-@@ -8353,12 +8350,9 @@ flatpak_dir_deploy (FlatpakDir *self,
- /* Check the metadata in the commit to make sure it matches the actual
- * deployed metadata, in case we relied on the one in the commit for
- * a decision
-- * Note: For historical reason we don't enforce commits to contain xa.metadata
-- * since this was lacking in fedora builds.
- */
-- is_oci = flatpak_dir_get_remote_oci (self, origin);
- if (!validate_commit_metadata (commit_data, flatpak_decomposed_get_ref (ref),
-- metadata_contents, metadata_size, !is_oci, error))
-+ metadata_contents, metadata_size, error))
- return FALSE;
-
- dotref = g_file_resolve_relative_path (checkoutdir, "files/.ref");
---
-2.27.0
-
diff --git a/backport-0005-CVE-2021-41133.patch b/backport-0005-CVE-2021-41133.patch
deleted file mode 100644
index 7515f08a2b62ffa55e14c5e2f8d3c68985321123..0000000000000000000000000000000000000000
--- a/backport-0005-CVE-2021-41133.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 9766ee05b1425db397d2cf23afd24c7f6146a69f Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Wed, 1 Sep 2021 12:45:54 +0100
-Subject: [PATCH] run: Disallow recently-added mount-manipulation syscalls
-
-If we don't allow mount() then we shouldn't allow these either.
-
-Partially fixes GHSA-67h7-w3jq-vh4q.
-
-Thanks: an anonymous reporter
-Signed-off-by: Simon McVittie
-
-Conflict:NA
-Reference:https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f
-
----
- common/flatpak-run.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index dad0cfe..2781694 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -2838,6 +2838,18 @@ setup_seccomp (FlatpakBwrap *bwrap,
- * Return ENOSYS so user-space will fall back to clone().
- * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
- {SCMP_SYS (clone3), ENOSYS},
-+
-+ /* New mount manipulation APIs can also change our VFS. There's no
-+ * legitimate reason to do these in the sandbox, so block all of them
-+ * rather than thinking about which ones might be dangerous.
-+ * (GHSA-67h7-w3jq-vh4q) */
-+ {SCMP_SYS (open_tree), ENOSYS},
-+ {SCMP_SYS (move_mount), ENOSYS},
-+ {SCMP_SYS (fsopen), ENOSYS},
-+ {SCMP_SYS (fsconfig), ENOSYS},
-+ {SCMP_SYS (fsmount), ENOSYS},
-+ {SCMP_SYS (fspick), ENOSYS},
-+ {SCMP_SYS (mount_setattr), ENOSYS},
- };
-
- struct
---
-2.27.0
-
diff --git a/backport-0005-CVE-2021-43860.patch b/backport-0005-CVE-2021-43860.patch
deleted file mode 100644
index 9212b914b021e18225fee37635941d83a5aacf73..0000000000000000000000000000000000000000
--- a/backport-0005-CVE-2021-43860.patch
+++ /dev/null
@@ -1,239 +0,0 @@ -From d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Mon, 10 Jan 2022 16:43:08 +0100 -Subject: [PATCH] Transaction: Fail the resolve if xa.metadata invalid or - missing - -If we fail to parse xa.metadata from the summary cache or the commit -xa.metadata we fail the resolve. - -If xa.metadata is missing in the commit we fail the resolve (it is -always set in the summary cache, because summary update converts -missing xa.metadata to "", so we either get that, or cache miss which -leads to resolving from the commit. - -This means that op->resolved_metadata is always set during install and -updates, which means we will show the app permissions. The transaction -will also always make sure that this data actually matches what gets -deployed. - -Before this change an invalid metadata in the summary cache could lead -to a NULL resolved_metadata, which means we wouldn't print the app -permissions, yet we would still deploy some metadata file that could -have permissions. (NOTE: It would fail to deploy unless the -xa.metadata in the commit matched the metadata file, but in this -corner case we would't compare the summary and commit metadata, so -they may differ.) 
- -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee - ---- - common/flatpak-transaction.c | 84 +++++++++++++++++++++++------------- - 1 file changed, 55 insertions(+), 29 deletions(-) - -diff --git a/common/flatpak-transaction.c b/common/flatpak-transaction.c -index 721da14..b0908c3 100644 ---- a/common/flatpak-transaction.c -+++ b/common/flatpak-transaction.c -@@ -2957,12 +2957,13 @@ emit_eol_and_maybe_skip (FlatpakTransaction *self, - g_signal_emit (self, signals[END_OF_LIFED_WITH_REBASE], 0, op->remote, flatpak_decomposed_get_ref (op->ref), op->eol, op->eol_rebase, previous_ids, &op->skip); - } - --static void -+static gboolean - mark_op_resolved (FlatpakTransactionOperation *op, - const char *commit, - GFile *sideload_path, - GBytes *metadata, -- GBytes *old_metadata) -+ GBytes *old_metadata, -+ GError **error) - { - g_debug ("marking op %s:%s resolved to %s", kind_to_str (op->kind), flatpak_decomposed_get_ref (op->ref), commit ? 
commit : "-"); - -@@ -2980,13 +2981,12 @@ mark_op_resolved (FlatpakTransactionOperation *op, - if (metadata) - { - g_autoptr(GKeyFile) metakey = g_key_file_new (); -- if (g_key_file_load_from_bytes (metakey, metadata, G_KEY_FILE_NONE, NULL)) -- { -- op->resolved_metadata = g_bytes_ref (metadata); -- op->resolved_metakey = g_steal_pointer (&metakey); -- } -- else -- g_message ("Warning: Failed to parse metadata for %s\n", flatpak_decomposed_get_ref (op->ref)); -+ if (!g_key_file_load_from_bytes (metakey, metadata, G_KEY_FILE_NONE, NULL)) -+ return flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA, -+ "Metadata for %s is invalid", flatpak_decomposed_get_ref (op->ref)); -+ -+ op->resolved_metadata = g_bytes_ref (metadata); -+ op->resolved_metakey = g_steal_pointer (&metakey); - } - if (old_metadata) - { -@@ -2997,31 +2997,40 @@ mark_op_resolved (FlatpakTransactionOperation *op, - op->resolved_old_metakey = g_steal_pointer (&metakey); - } - else -- g_message ("Warning: Failed to parse old metadata for %s\n", flatpak_decomposed_get_ref (op->ref)); -+ { -+ /* This shouldn't happen, but a NULL old metadata is safe (all permisssions are considered new) */ -+ g_message ("Warning: Failed to parse old metadata for %s\n", flatpak_decomposed_get_ref (op->ref)); -+ } - } -+ -+ return TRUE; - } - --static void -+static gboolean - resolve_op_end (FlatpakTransaction *self, - FlatpakTransactionOperation *op, - const char *checksum, - GFile *sideload_path, -- GBytes *metadata_bytes) -+ GBytes *metadata_bytes, -+ GError **error) - { - g_autoptr(GBytes) old_metadata_bytes = NULL; - - old_metadata_bytes = load_deployed_metadata (self, op->ref, NULL, NULL); -- mark_op_resolved (op, checksum, sideload_path, metadata_bytes, old_metadata_bytes); -+ if (!mark_op_resolved (op, checksum, sideload_path, metadata_bytes, old_metadata_bytes, error)) -+ return FALSE; - emit_eol_and_maybe_skip (self, op); -+ return TRUE; - } - - --static void -+static gboolean - resolve_op_from_commit 
(FlatpakTransaction *self, - FlatpakTransactionOperation *op, - const char *checksum, - GFile *sideload_path, -- GVariant *commit_data) -+ GVariant *commit_data, -+ GError **error) - { - g_autoptr(GBytes) metadata_bytes = NULL; - g_autoptr(GVariant) commit_metadata = NULL; -@@ -3032,9 +3041,11 @@ resolve_op_from_commit (FlatpakTransaction *self, - commit_metadata = g_variant_get_child_value (commit_data, 0); - g_variant_lookup (commit_metadata, "xa.metadata", "&s", &xa_metadata); - if (xa_metadata == NULL) -- g_message ("Warning: No xa.metadata in local commit %s ref %s", checksum, flatpak_decomposed_get_ref (op->ref)); -- else -- metadata_bytes = g_bytes_new (xa_metadata, strlen (xa_metadata)); -+ return flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA, -+ "No xa.metadata in local commit %s ref %s", -+ checksum, flatpak_decomposed_get_ref (op->ref)); -+ -+ metadata_bytes = g_bytes_new (xa_metadata, strlen (xa_metadata)); - - if (g_variant_lookup (commit_metadata, "xa.download-size", "t", &download_size)) - op->download_size = GUINT64_FROM_BE (download_size); -@@ -3044,15 +3055,19 @@ resolve_op_from_commit (FlatpakTransaction *self, - g_variant_lookup (commit_metadata, OSTREE_COMMIT_META_KEY_ENDOFLIFE, "s", &op->eol); - g_variant_lookup (commit_metadata, OSTREE_COMMIT_META_KEY_ENDOFLIFE_REBASE, "s", &op->eol_rebase); - -- resolve_op_end (self, op, checksum, sideload_path, metadata_bytes); -+ return resolve_op_end (self, op, checksum, sideload_path, metadata_bytes, error); - } - -+/* NOTE: In case of non-available summary this returns FALSE with a -+ * NULL error, but for other error cases it will be set. 
-+ */ - static gboolean - try_resolve_op_from_metadata (FlatpakTransaction *self, - FlatpakTransactionOperation *op, - const char *checksum, - GFile *sideload_path, -- FlatpakRemoteState *state) -+ FlatpakRemoteState *state, -+ GError **error) - { - g_autoptr(GBytes) metadata_bytes = NULL; - guint64 download_size = 0; -@@ -3092,8 +3107,7 @@ try_resolve_op_from_metadata (FlatpakTransaction *self, - op->token_type = GINT32_FROM_LE (var_metadata_lookup_int32 (sparse_cache, FLATPAK_SPARSE_CACHE_KEY_TOKEN_TYPE, op->token_type)); - } - -- resolve_op_end (self, op, checksum, sideload_path, metadata_bytes); -- return TRUE; -+ return resolve_op_end (self, op, checksum, sideload_path, metadata_bytes, error); - } - - static gboolean -@@ -3136,7 +3150,8 @@ resolve_ops (FlatpakTransaction *self, - * checksum we got was the version already installed. - */ - g_assert (op->resolved_commit != NULL); -- mark_op_resolved (op, op->resolved_commit, NULL, NULL, NULL); -+ if (!mark_op_resolved (op, op->resolved_commit, NULL, NULL, NULL, error)) -+ return FALSE; - continue; - } - -@@ -3145,14 +3160,16 @@ resolve_ops (FlatpakTransaction *self, - /* We resolve to the deployed metadata, because we need it to uninstall related ops */ - - metadata_bytes = load_deployed_metadata (self, op->ref, &checksum, NULL); -- mark_op_resolved (op, checksum, NULL, metadata_bytes, NULL); -+ if (!mark_op_resolved (op, checksum, NULL, metadata_bytes, NULL, error)) -+ return FALSE; - continue; - } - - if (op->kind == FLATPAK_TRANSACTION_OPERATION_INSTALL_BUNDLE) - { - g_assert (op->commit != NULL); -- mark_op_resolved (op, op->commit, NULL, op->external_metadata, NULL); -+ if (!mark_op_resolved (op, op->commit, NULL, op->external_metadata, NULL, error)) -+ return FALSE; - continue; - } - -@@ -3183,7 +3200,8 @@ resolve_ops (FlatpakTransaction *self, - if (commit_data == NULL) - return FALSE; - -- resolve_op_from_commit (self, op, checksum, NULL, commit_data); -+ if (!resolve_op_from_commit (self, op, checksum, 
NULL, commit_data, error)) -+ return FALSE; - } - else - { -@@ -3242,9 +3260,16 @@ resolve_ops (FlatpakTransaction *self, - } - - /* First try to resolve via metadata (if remote is available and its metadata matches the commit version) */ -- if (!try_resolve_op_from_metadata (self, op, checksum, sideload_path, state)) -+ if (!try_resolve_op_from_metadata (self, op, checksum, sideload_path, state, &local_error)) - { -- /* Else try to load the commit object. -+ if (local_error) -+ { -+ /* Actual error, not just missing from summary */ -+ g_propagate_error (error, g_steal_pointer (&local_error)); -+ return FALSE; -+ } -+ -+ /* Missing from summary, try to load the commit object. - * Note, we don't have a token here, so this will not work for authenticated apps. - * We handle this by catching the 401 http status and retrying. */ - g_autoptr(GVariant) commit_data = NULL; -@@ -3280,7 +3305,8 @@ resolve_ops (FlatpakTransaction *self, - return FALSE; - } - -- resolve_op_from_commit (self, op, checksum, sideload_path, commit_data); -+ if (!resolve_op_from_commit (self, op, checksum, sideload_path, commit_data, error)) -+ return FALSE; - } - } - } --- -2.27.0 - diff --git a/backport-0006-CVE-2021-41133.patch b/backport-0006-CVE-2021-41133.patch deleted file mode 100644 index ea1d94d42e06b7fa6db9b6007335f9e8ed4902d4..0000000000000000000000000000000000000000 --- a/backport-0006-CVE-2021-41133.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From 4c34815784e9ffda5733225c7d95824f96375e36 Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Wed, 1 Sep 2021 14:19:31 +0100
-Subject: [PATCH] run: Block setns()
-
-If we don't allow unshare() or clone() with CLONE_NEWUSER, we also
-shouldn't allow joining an existing (but different) namespace.
-
-Partially fixes GHSA-67h7-w3jq-vh4q.
-
-Signed-off-by: Simon McVittie
-
-Conflict:NA
-Reference:https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36
-
----
- common/flatpak-run.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index 2781694..c266dbe 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -2819,6 +2819,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
-
- /* Don't allow subnamespace setups: */
- {SCMP_SYS (unshare), EPERM},
-+ {SCMP_SYS (setns), EPERM},
- {SCMP_SYS (mount), EPERM},
- {SCMP_SYS (pivot_root), EPERM},
- #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
---
-2.27.0
-
diff --git a/backport-0007-CVE-2021-41133.patch b/backport-0007-CVE-2021-41133.patch
deleted file mode 100644
index 9f08651fe10c63ac8dda011c1f08eeb1a19237e8..0000000000000000000000000000000000000000
--- a/backport-0007-CVE-2021-41133.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 1330662f33a55e88bfe18e76de28b7922d91a999 Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Wed, 1 Sep 2021 14:20:29 +0100
-Subject: [PATCH] run: Don't allow unmounting filesystems
-
-If we don't allow mounting filesystems, we shouldn't allow unmounting
-either.
-
-Partially fixes GHSA-67h7-w3jq-vh4q.
-
-Signed-off-by: Simon McVittie
-
-Conflict:NA
-Reference:https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999
-
----
- common/flatpak-run.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index c266dbe..b1a8db5 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -2821,6 +2821,8 @@ setup_seccomp (FlatpakBwrap *bwrap,
- {SCMP_SYS (unshare), EPERM},
- {SCMP_SYS (setns), EPERM},
- {SCMP_SYS (mount), EPERM},
-+ {SCMP_SYS (umount), EPERM},
-+ {SCMP_SYS (umount2), EPERM},
- {SCMP_SYS (pivot_root), EPERM},
- #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
- /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
---
-2.27.0
-
diff --git a/backport-0008-CVE-2021-41133.patch b/backport-0008-CVE-2021-41133.patch
deleted file mode 100644
index 4ad199e06c56215d40fd68834ec97a0eaf0acbc0..0000000000000000000000000000000000000000
--- a/backport-0008-CVE-2021-41133.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 462fca2c666e0cd2b60d6d2593a7216a83047aaf Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Wed, 1 Sep 2021 14:21:04 +0100
-Subject: [PATCH] run: Don't allow chroot()
-
-If we don't allow pivot_root() then there seems no reason why we should
-allow chroot().
-
-Partially fixes GHSA-67h7-w3jq-vh4q.
-
-Signed-off-by: Simon McVittie
-
-Conflict:NA
-Reference:https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf
-
----
- common/flatpak-run.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index b1a8db5..da96465 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -2824,6 +2824,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
- {SCMP_SYS (umount), EPERM},
- {SCMP_SYS (umount2), EPERM},
- {SCMP_SYS (pivot_root), EPERM},
-+ {SCMP_SYS (chroot), EPERM},
- #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
- /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
- * and flags arguments are reversed so the flags come second */
---
-2.27.0
-
diff --git a/backport-CVE-2022-21682.patch b/backport-CVE-2022-21682.patch
deleted file mode 100644
index 0b3adb53dddea2a82ddfdaafa415a32ad842f0df..0000000000000000000000000000000000000000
--- a/backport-CVE-2022-21682.patch
+++ /dev/null
@@ -1,340 +0,0 @@ -From 5709f1aaed6579f0136976e14e7f3cae399134ca Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Sun, 16 Jan 2022 12:42:30 +0000 -Subject: [PATCH] context: Introduce new --nofilesystem=host:reset - -This reintroduces the special case that existed in Flatpak 1.12.3, but -under a different name, so that it will be backwards-compatible. With -this change, flatpak-builder will be able to resolve CVE-2022-21682 by -using --filesystem=host:reset. - -We want to implement this as a suffix rather than as a new keyword, -because unknown suffixes are ignored with a warning, rather than causing -a fatal error. This means that the new version of flatpak-builder will -be able to run against older versions of flatpak: it will still be -vulnerable to CVE-2022-21682 in that situation, but at least it will run. - -Co-authored-by: Alexander Larsson - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/5709f1aaed6579f0136976e14e7f3cae399134ca ---- - common/flatpak-context-private.h | 1 + - common/flatpak-context.c | 166 ++++++++++++++++++++++++++++--- - 2 files changed, 153 insertions(+), 14 deletions(-) - -diff --git a/common/flatpak-context-private.h b/common/flatpak-context-private.h -index 45879ac..b6b9e56 100644 ---- a/common/flatpak-context-private.h -+++ b/common/flatpak-context-private.h -@@ -83,6 +83,7 @@ extern const char *flatpak_context_features[]; - extern const char *flatpak_context_shares[]; - - gboolean flatpak_context_parse_filesystem (const char *filesystem_and_mode, -+ gboolean negated, - char **filesystem_out, - FlatpakFilesystemMode *mode_out, - GError **error); -diff --git a/common/flatpak-context.c b/common/flatpak-context.c -index abeda35..a7cd891 100644 ---- a/common/flatpak-context.c -+++ b/common/flatpak-context.c -@@ -86,6 +86,7 @@ const char *flatpak_context_special_filesystems[] = { - "host", - "host-etc", - "host-os", -+ "host-reset", - NULL - }; - -@@ -703,6 +704,12 @@ unparse_filesystem_flags (const char *path, - - 
case FLATPAK_FILESYSTEM_MODE_NONE: - g_string_insert_c (s, 0, '!'); -+ -+ if (g_str_has_suffix (s->str, "-reset")) -+ { -+ g_string_truncate (s, s->len - 6); -+ g_string_append (s, ":reset"); -+ } - break; - - default: -@@ -715,11 +722,14 @@ unparse_filesystem_flags (const char *path, - - static char * - parse_filesystem_flags (const char *filesystem, -- FlatpakFilesystemMode *mode_out) -+ gboolean negated, -+ FlatpakFilesystemMode *mode_out, -+ GError **error) - { - g_autoptr(GString) s = g_string_new (""); - const char *p, *suffix; - FlatpakFilesystemMode mode; -+ gboolean reset = FALSE; - - p = filesystem; - while (*p != 0 && *p != ':') -@@ -734,7 +744,31 @@ parse_filesystem_flags (const char *filesystem, - g_string_append_c (s, *p++); - } - -- mode = FLATPAK_FILESYSTEM_MODE_READ_WRITE; -+ if (negated) -+ mode = FLATPAK_FILESYSTEM_MODE_NONE; -+ else -+ mode = FLATPAK_FILESYSTEM_MODE_READ_WRITE; -+ -+ if (g_str_equal (s->str, "host-reset")) -+ { -+ reset = TRUE; -+ -+ if (!negated) -+ { -+ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED, -+ "Filesystem token \"%s\" is only applicable for --nofilesystem", -+ s->str); -+ return NULL; -+ } -+ -+ if (*p != '\0') -+ { -+ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED, -+ "Filesystem token \"%s\" cannot be used with a suffix", -+ s->str); -+ return NULL; -+ } -+ } - - if (*p == ':') - { -@@ -746,10 +780,63 @@ parse_filesystem_flags (const char *filesystem, - mode = FLATPAK_FILESYSTEM_MODE_READ_WRITE; - else if (strcmp (suffix, "create") == 0) - mode = FLATPAK_FILESYSTEM_MODE_CREATE; -+ else if (strcmp (suffix, "reset") == 0) -+ reset = TRUE; - else if (*suffix != 0) - g_warning ("Unexpected filesystem suffix %s, ignoring", suffix); -+ -+ if (negated && mode != FLATPAK_FILESYSTEM_MODE_NONE) -+ { -+ g_warning ("Filesystem suffix \"%s\" is not applicable for --nofilesystem", -+ suffix); -+ mode = FLATPAK_FILESYSTEM_MODE_NONE; -+ } -+ -+ if (reset) -+ { -+ if (!negated) -+ { -+ g_set_error (error, 
G_OPTION_ERROR, G_OPTION_ERROR_FAILED, -+ "Filesystem suffix \"%s\" only applies to --nofilesystem", -+ suffix); -+ return NULL; -+ } -+ -+ if (!g_str_equal (s->str, "host")) -+ { -+ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED, -+ "Filesystem suffix \"%s\" can only be applied to " -+ "--nofilesystem=host", -+ suffix); -+ return NULL; -+ } -+ -+ /* We internally handle host:reset (etc) as host-reset, only exposing it as a flag in the public -+ part to allow it to be ignored (with a warning) for old flatpak versions */ -+ g_string_append (s, "-reset"); -+ } -+ } -+ -+ /* Postcondition check: the code above should make some results -+ * impossible */ -+ if (negated) -+ { -+ g_assert (mode == FLATPAK_FILESYSTEM_MODE_NONE); -+ } -+ else -+ { -+ g_assert (mode > FLATPAK_FILESYSTEM_MODE_NONE); -+ /* This flag is only applicable to --nofilesystem */ -+ g_assert (!reset); - } - -+ /* Postcondition check: filesystem token is host-reset iff reset flag -+ * was found */ -+ if (reset) -+ g_assert (g_str_equal (s->str, "host-reset")); -+ else -+ g_assert (!g_str_equal (s->str, "host-reset")); -+ - if (mode_out) - *mode_out = mode; - -@@ -758,13 +845,18 @@ parse_filesystem_flags (const char *filesystem, - - gboolean - flatpak_context_parse_filesystem (const char *filesystem_and_mode, -+ gboolean negated, - char **filesystem_out, - FlatpakFilesystemMode *mode_out, - GError **error) - { -- g_autofree char *filesystem = parse_filesystem_flags (filesystem_and_mode, mode_out); -+ g_autofree char *filesystem = NULL; - char *slash; - -+ filesystem = parse_filesystem_flags (filesystem_and_mode, negated, mode_out, error); -+ if (filesystem == NULL) -+ return FALSE; -+ - slash = strchr (filesystem, '/'); - - /* Forbid /../ in paths */ -@@ -856,6 +948,14 @@ flatpak_context_take_filesystem (FlatpakContext *context, - char *fs, - FlatpakFilesystemMode mode) - { -+ /* Special case: --nofilesystem=host-reset implies --nofilesystem=host. 
-+ * --filesystem=host-reset (or host:reset) is not allowed. */ -+ if (g_str_equal (fs, "host-reset")) -+ { -+ g_return_if_fail (mode == FLATPAK_FILESYSTEM_MODE_NONE); -+ g_hash_table_insert (context->filesystems, g_strdup ("host"), GINT_TO_POINTER (mode)); -+ } -+ - g_hash_table_insert (context->filesystems, fs, GINT_TO_POINTER (mode)); - } - -@@ -887,6 +987,14 @@ flatpak_context_merge (FlatpakContext *context, - while (g_hash_table_iter_next (&iter, &key, &value)) - g_hash_table_insert (context->persistent, g_strdup (key), value); - -+ /* We first handle host:reset, as it overrides all other keys from the parent */ -+ if (g_hash_table_lookup_extended (other->filesystems, "host-reset", NULL, &value)) -+ { -+ g_warn_if_fail (GPOINTER_TO_INT (value) == FLATPAK_FILESYSTEM_MODE_NONE); -+ g_hash_table_remove_all (context->filesystems); -+ } -+ -+ /* Then set the new ones, which includes propagating host:reset. */ - g_hash_table_iter_init (&iter, other->filesystems); - while (g_hash_table_iter_next (&iter, &key, &value)) - g_hash_table_insert (context->filesystems, g_strdup (key), value); -@@ -1074,7 +1182,7 @@ option_filesystem_cb (const gchar *option_name, - g_autofree char *fs = NULL; - FlatpakFilesystemMode mode; - -- if (!flatpak_context_parse_filesystem (value, &fs, &mode, error)) -+ if (!flatpak_context_parse_filesystem (value, FALSE, &fs, &mode, error)) - return FALSE; - - flatpak_context_take_filesystem (context, g_steal_pointer (&fs), mode); -@@ -1091,7 +1199,7 @@ option_nofilesystem_cb (const gchar *option_name, - g_autofree char *fs = NULL; - FlatpakFilesystemMode mode; - -- if (!flatpak_context_parse_filesystem (value, &fs, &mode, error)) -+ if (!flatpak_context_parse_filesystem (value, TRUE, &fs, &mode, error)) - return FALSE; - - flatpak_context_take_filesystem (context, g_steal_pointer (&fs), -@@ -1571,15 +1679,13 @@ flatpak_context_load_metadata (FlatpakContext *context, - g_autofree char *filesystem = NULL; - FlatpakFilesystemMode mode; - -- if 
(!flatpak_context_parse_filesystem (fs, &filesystem, &mode, NULL)) -+ if (!flatpak_context_parse_filesystem (fs, remove, -+ &filesystem, &mode, NULL)) - g_debug ("Unknown filesystem type %s", filesystems[i]); - else - { -- if (remove) -- flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem), -- FLATPAK_FILESYSTEM_MODE_NONE); -- else -- flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem), mode); -+ g_assert (mode == FLATPAK_FILESYSTEM_MODE_NONE || !remove); -+ flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem), mode); - } - } - } -@@ -1825,11 +1931,24 @@ flatpak_context_save_metadata (FlatpakContext *context, - { - g_autoptr(GPtrArray) array = g_ptr_array_new_with_free_func (g_free); - -+ /* Serialize host-reset first, because order can matter in -+ * corner cases. */ -+ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", -+ NULL, &value)) -+ { -+ g_warn_if_fail (GPOINTER_TO_INT (value) == FLATPAK_FILESYSTEM_MODE_NONE); -+ g_ptr_array_add (array, g_strdup ("!host:reset")); -+ } -+ - g_hash_table_iter_init (&iter, context->filesystems); - while (g_hash_table_iter_next (&iter, &key, &value)) - { - FlatpakFilesystemMode mode = GPOINTER_TO_INT (value); - -+ /* We already did this */ -+ if (g_str_equal (key, "host-reset")) -+ continue; -+ - g_ptr_array_add (array, unparse_filesystem_flags (key, mode)); - } - -@@ -1968,7 +2087,8 @@ flatpak_context_save_metadata (FlatpakContext *context, - void - flatpak_context_allow_host_fs (FlatpakContext *context) - { -- flatpak_context_take_filesystem (context, g_strdup ("host"), FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ flatpak_context_take_filesystem (context, g_strdup ("host"), -+ FLATPAK_FILESYSTEM_MODE_READ_WRITE); - } - - gboolean -@@ -2155,18 +2275,36 @@ flatpak_context_to_args (FlatpakContext *context, - g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name)); - } - -+ /* Serialize host-reset first, 
because order can matter in -+ * corner cases. */ -+ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", -+ NULL, &value)) -+ { -+ g_warn_if_fail (GPOINTER_TO_INT (value) == FLATPAK_FILESYSTEM_MODE_NONE); -+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset")); -+ } -+ - g_hash_table_iter_init (&iter, context->filesystems); - while (g_hash_table_iter_next (&iter, &key, &value)) - { -+ g_autofree char *fs = NULL; - FlatpakFilesystemMode mode = GPOINTER_TO_INT (value); - -+ /* We already did this */ -+ if (g_str_equal (key, "host-reset")) -+ continue; -+ -+ fs = unparse_filesystem_flags (key, mode); -+ - if (mode != FLATPAK_FILESYSTEM_MODE_NONE) - { -- g_autofree char *fs = unparse_filesystem_flags (key, mode); - g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", fs)); - } - else -- g_ptr_array_add (args, g_strdup_printf ("--nofilesystem=%s", (char *) key)); -+ { -+ g_assert (fs[0] == '!'); -+ g_ptr_array_add (args, g_strdup_printf ("--nofilesystem=%s", &fs[1])); -+ } - } - } - --- -2.27.0 - diff --git a/backport-Fix-handling-of-syscalls-only-allowed-by-de.patch b/backport-Fix-handling-of-syscalls-only-allowed-by-de.patch deleted file mode 100644 index f837a04b1d806273851df28b8619f0058da7d34d..0000000000000000000000000000000000000000 --- a/backport-Fix-handling-of-syscalls-only-allowed-by-de.patch +++ /dev/null 
@@ -1,33 +0,0 @@
-From 3fc8c672676ae016f8e7cc90481b2feecbad9861 Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Fri, 8 Oct 2021 19:00:13 +0100
-Subject: [PATCH] Fix handling of syscalls only allowed by --devel
-
-This was incorrectly looking at errno instead of -r.
-
-Fixes: 0b38b0f0 "run: Handle unknown syscalls as intended"
-Signed-off-by: Simon McVittie
-
-Conflict:NA
-Reference:https://github.com/flatpak/flatpak/commit/3fc8c672676ae016f8e7cc90481b2feecbad9861
-
----
- common/flatpak-run.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index a416f1b..69eabc0 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -2988,7 +2988,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
-
- /* See above for the meaning of EFAULT. */
-- if (errno == EFAULT)
-+ if (r == -EFAULT)
- flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
- scall);
- else if (r < 0)
---
-2.27.0
-
diff --git a/backport-run-Handle-unknown-syscalls-as-intended.patch b/backport-run-Handle-unknown-syscalls-as-intended.patch
deleted file mode 100644
index ce16cd2f9eeafe255a248467b191d519f8aa216b..0000000000000000000000000000000000000000
--- a/backport-run-Handle-unknown-syscalls-as-intended.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -From d419fa67038370e4f4c3ce8c3b5f672d4876cfc8 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 8 Oct 2021 17:05:07 +0100 -Subject: [PATCH] run: Handle unknown syscalls as intended - -The error-handling here was - - if (r < 0 && r == -EFAULT) - -but Alex says it was almost certainly intended to be - - if (r < 0 && r != -EFAULT) - -so that syscalls not known to libseccomp are not a fatal error. - -Instead of literally making that change, emit a debug message on -EFAULT -so we can see what is going on. - -This temporarily weakens our defence against CVE-2021-41133 -(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed -version of libseccomp does not know about the recently-added syscalls, -but the kernel does, then we will not prevent non-native executables -from using those syscalls. - -Resolves: https://github.com/flatpak/flatpak/issues/4458 -Signed-off-by: Simon McVittie - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/d419fa67038370e4f4c3ce8c3b5f672d4876cfc8 - - ---- - common/flatpak-run.c | 17 +++++++++++++++-- - 1 file changed, 15 insertions(+), 2 deletions(-) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index da96465..a416f1b 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2960,7 +2960,16 @@ setup_seccomp (FlatpakBwrap *bwrap, - r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg); - else - r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); -- if (r < 0 && r == -EFAULT /* unknown syscall */) -+ -+ /* EFAULT means "internal libseccomp error", but in practice we get -+ * this for syscall numbers added via flatpak-syscalls-private.h -+ * when trying to filter them on a non-native architecture, because -+ * libseccomp cannot map the syscall number to a name and back to a -+ * number for the non-native architecture. 
*/ -+ if (r == -EFAULT) -+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", -+ scall); -+ else if (r < 0) - return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); - } - -@@ -2978,7 +2987,11 @@ setup_seccomp (FlatpakBwrap *bwrap, - else - r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); - -- if (r < 0 && r == -EFAULT /* unknown syscall */) -+ /* See above for the meaning of EFAULT. */ -+ if (errno == EFAULT) -+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", -+ scall); -+ else if (r < 0) - return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); - } - } --- -2.27.0 - diff --git a/backport-support-new-pyparsing.patch b/backport-support-new-pyparsing.patch deleted file mode 100644 index ed1f8c9a34b42b03721625fc8ed601d21457d3da..0000000000000000000000000000000000000000 --- a/backport-support-new-pyparsing.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 8850e4d0da76a85c5f9926cd40e148e0b29bddac Mon Sep 17 00:00:00 2001 -From: Phaedrus Leeds -Date: Thu, 16 Dec 2021 10:50:10 -0800 -Subject: [PATCH] Fix runtime error when using pyparsing >= 3.0.2 - -Ever since this commit -(https://github.com/pyparsing/pyparsing/commit/4ab17bb55) -variant-schema-compiler has failed to execute when used by Flatpak like -this: -$ variant-schema-compiler/variant-schema-compiler --outfile-header -common/flatpak-variant-private.h --outfile -common/flatpak-variant-impl-private.h --prefix var -./data/flatpak-variants.gv - -For some reason our use of leaveWhitespace() to ensure that a named type -has a ' right before its name no longer works. But fortunately pyparsing -has a Combine() which does exactly what we want. - -See https://github.com/flatpak/flatpak/issues/4534 - -Fixes https://gitlab.gnome.org/alexl/variant-schema-compiler/-/issues/4 - -Reference:https://gitlab.gnome.org/alexl/variant-schema-compiler/-/commit/8850e4d0da76a85c5f9926cd40e148e0b29bddac - -diff --git a/variant-schema-compiler/variant-schema-compiler b/variant-schema-compiler/variant-schema-compiler -index 8b54232..7807f7c 100755 ---- a/variant-schema-compiler/variant-schema-compiler -+++ b/variant-schema-compiler/variant-schema-compiler -@@ -4,6 +4,7 @@ import argparse - import sys - import os - from pyparsing import * -+pyparsing_version = tuple(int(x) for x in __version__.split('.')) - - typename_prefix = "" - funcname_prefix = "" -@@ -1741,6 +1742,8 @@ def handleNameableType(toks): - return type - - nameableType = (Optional((Suppress("'") + ident).leaveWhitespace()) + (arrayType ^ maybeType ^ dictType ^ structType)).setParseAction(handleNameableType) -+if pyparsing_version >= (3, 0, 4): -+ nameableType = (Optional((Suppress("'") + ident)) + (arrayType ^ maybeType ^ dictType ^ structType)).setParseAction(handleNameableType) - - typeSpec <<= basicType ^ variantType ^ namedType ^ nameableType - --- -2.30.0 - 
diff --git a/flatpak-1.10.2.tar.xz b/flatpak-1.10.2.tar.xz
deleted file mode 100644
index f7e58fb3248bf39f2fbc145f7b7ecfb782464c97..0000000000000000000000000000000000000000
Binary files a/flatpak-1.10.2.tar.xz and /dev/null differ
diff --git a/flatpak-1.15.6.tar.xz b/flatpak-1.15.6.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..7a99935105394e04697c46b0f05257f08d81dcb8
Binary files /dev/null and b/flatpak-1.15.6.tar.xz differ
diff --git a/flatpak.spec b/flatpak.spec
index f84255fa6f24f74587530c7d7c8d170be78563f0..2c4ce0e51ee295a2f47d82639c5bdbfcfd674d04 100644
--- a/flatpak.spec
+++ b/flatpak.spec
@@ -1,36 +1,17 @@ Name: flatpak -Version: 1.10.2 -Release: 5 +Version: 1.15.6 +Release: 1 Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz -Patch0000: modify-automake-version.patch -Patch0002: CVE-2021-21261-2.patch -Patch0004: CVE-2021-21261-4.patch -Patch0005: 0001-OCI-Switch-to-pax-format-for-tar-archives.patch -Patch6000: backport-0001-CVE-2021-41133.patch -Patch6001: backport-0002-CVE-2021-41133.patch -Patch6002: backport-0003-CVE-2021-41133.patch -Patch6003: backport-0004-CVE-2021-41133.patch -Patch6004: backport-0005-CVE-2021-41133.patch -Patch6005: backport-0006-CVE-2021-41133.patch -Patch6006: backport-0007-CVE-2021-41133.patch -Patch6007: backport-0008-CVE-2021-41133.patch -Patch6008: backport-run-Handle-unknown-syscalls-as-intended.patch -Patch6009: backport-Fix-handling-of-syscalls-only-allowed-by-de.patch -Patch6010: backport-support-new-pyparsing.patch -Patch6011: backport-CVE-2022-21682.patch -Patch6012: backport-0001-CVE-2021-43860.patch -Patch6013: backport-0002-CVE-2021-43860.patch -Patch6014: backport-0003-CVE-2021-43860.patch -Patch6015: backport-0004-CVE-2021-43860.patch -Patch6016: backport-0005-CVE-2021-43860.patch BuildRequires: pkgconfig(appstream-glib) pkgconfig(gio-unix-2.0) pkgconfig(gobject-introspection-1.0) >= 1.40.0 pkgconfig(json-glib-1.0) pkgconfig(libarchive) >= 2.8.0 BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2020.8 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau) BuildRequires: bison bubblewrap >= 0.4.0 docbook-dtds docbook-style-xsl gettext gpgme-devel libcap-devel systemd xmlto libxslt BuildRequires: pkgconfig(libsystemd) pkgconfig(dconf) pkgconfig(fuse) pkgconfig(gdk-pixbuf-2.0) pkgconfig(libzstd) >= 0.8.1 python3-pyparsing xdg-dbus-proxy +BuildRequires: meson cmake pkgconfig(libcurl) pkgconfig(appstream) gtk-doc 
pkgconfig(wayland-protocols) +BuildRequires: polkit socat xdg-dbus-proxy xdg-dbus-proxy %{?systemd_requires} Requires: ostree%{?_isa} >= 2020.8 bubblewrap >= 0.4.0 ostree-libs%{?_isa} >= 2020.8 @@ -52,19 +33,37 @@ Requires: %{name}%{?_isa} = %{version}-%{release} %description devel This package contains the pkg-config file and development headers for %{name}. + +%package selinux +Summary: SELinux policy module for %{name} +BuildRequires: selinux-policy +BuildRequires: selinux-policy-devel +BuildRequires: make +BuildArch: noarch +%{?selinux_requires} + +%description selinux +This package contains the SELinux policy module for %{name}. + + %package_help %prep %autosetup -n %{name}-%{version} -p1 %build -(if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi; - %configure --with-priv-mode=none --with-system-dbus-proxy \ - --with-system-bubblewrap --enable-docbook-docs $CONFIGFLAGS) -%make_build V=1 - +%meson \ + -Dinstalled_tests=true \ + -Dsystem_bubblewrap=/usr/bin/bwrap \ + -Dsystem_dbus_proxy=/usr/bin/xdg-dbus-proxy \ + -Dtmpfilesdir=%{_tmpfilesdir} \ + -Dmalcontent=disabled \ + -Dwayland_security_context=enabled \ + %{nil} +%meson_build + %install -%make_install +%meson_install install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir} install -d %{buildroot}%{_localstatedir}/lib/flatpak install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d @@ -77,6 +76,14 @@ rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only flatpak remote-list --system &> /dev/null || : %ldconfig_scriptlets libs +%post selinux +%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2 +fi + %files -f %{name}.lang %license COPYING %doc %{_pkgdocdir} 
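Review bot: Nothing in this hunk or in the new `%changelog` entry records that the dropped backports for CVE-2021-21261, CVE-2021-41133, CVE-2021-43860 and CVE-2022-21682 are contained in the 1.15.6 tarball, so the version number is the only evidence of coverage; a changelog line such as `- Drop CVE-2021-21261, CVE-2021-41133, CVE-2021-43860 and CVE-2022-21682 backports, included upstream` would keep the audit trail. Upstream numbers its development branches with an odd minor version, so 1.15.x is presumably a pre-release series rather than a maintained stable one, which is worth confirming before it becomes the branch that has to receive security updates. Separately, the added line `BuildRequires: polkit socat xdg-dbus-proxy xdg-dbus-proxy` names xdg-dbus-proxy twice and the preceding BuildRequires line already lists it, so `BuildRequires: polkit socat` is enough.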
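Review bot: `-Dinstalled_tests=true` in `%build` installs upstream's test programs, and the later `%files` hunk (`@@ -114,6 +122,9 @@`) ships `%{_datadir}/installed-tests` and `%{_libexecdir}/installed-tests` in the main package, so every system that installs flatpak also receives test executables and fixtures it never runs. Either drop the option or move those two paths into a separate `%package tests` so the default install stays minimal. The two `-Dsystem_*` options also hard-code `/usr/bin`; `-Dsystem_bubblewrap=%{_bindir}/bwrap` and `-Dsystem_dbus_proxy=%{_bindir}/xdg-dbus-proxy` would match the macros the rest of the spec uses.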
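Review bot: The new selinux scriptlets load and unload the module but never relabel, and no dependency visible in this diff makes the main package pull in `%{name}-selinux`, so on an enforcing system the files the module is meant to label can end up installed without the policy, or with labels assigned before the module was loaded. A `%pre selinux` / `%posttrans selinux` pair calling the relabel macros (below) covers the labels, and a conditional dependency in the main package, `Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-targeted)`, covers installation. The main package's Requires lines are mostly outside the hunks shown, so check that such a dependency is not already present.

```spec
%pre selinux
%selinux_relabel_pre

%post selinux
# … unchanged: module install line and the postun scriptlet of the selinux subpackage …

%posttrans selinux
%selinux_relabel_post
```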
@@ -104,6 +111,7 @@ flatpak remote-list --system &> /dev/null || : %{_libexecdir}/flatpak-system-helper %dir %{_localstatedir}/lib/flatpak %{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf +%dir %{_sysconfdir}/flatpak %{_sysconfdir}/flatpak/remotes.d %{_sysconfdir}/profile.d/flatpak.sh %{_unitdir}/flatpak-system-helper.service @@ -114,6 +122,9 @@ flatpak remote-list --system &> /dev/null || : %{_systemd_user_env_generator_dir}/60-flatpak %{_libdir}/girepository-1.0/Flatpak-1.0.typelib %{_libdir}/libflatpak.so.* +%{_tmpfilesdir}/%{name}.conf +%{_datadir}/installed-tests +%{_libexecdir}/installed-tests %files devel %{_datadir}/gir-1.0/Flatpak-1.0.gir @@ -122,6 +133,10 @@ flatpak remote-list --system &> /dev/null || : %{_libdir}/libflatpak.so %{_libdir}/pkgconfig/%{name}.pc +%files selinux +%{_datadir}/selinux/packages/flatpak.pp.bz2 +%{_datadir}/selinux/devel/include/contrib/flatpak.if + %files help %{_mandir}/man1/%{name}*.1* %{_mandir}/man5/%{name}-metadata.5* @@ -131,6 +146,9 @@ flatpak remote-list --system &> /dev/null || : %{_mandir}/man5/flatpak-remote.5* %changelog +* Thu Mar 21 2024 xu_ping <707078654@qq.com> - 1.15.6-1 +- Upgrade version to 1.15.6 + * Sat Jan 29 2022 dongyuzhen - 1.10.2-5 - Fix CVE-2021-43860 diff --git a/modify-automake-version.patch b/modify-automake-version.patch deleted file mode 100644 index bbdee72f87338fe4b4b83879fb9298d7915dd72a..0000000000000000000000000000000000000000 --- a/modify-automake-version.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From b3dc7f6af7f2812d5b4a42592976c5b9d7febaad Mon Sep 17 00:00:00 2001 -From: wangxiao65 -Date: Sun, 7 Feb 2021 12:02:08 +0800 -Subject: [PATCH] modify automake version -When Makefile.am is modified, automake needs to be executed. -if the version of automake in the compile enviroment is inconsistent -with the version specified in configure, the compile will fail. - ---- - configure.ac | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/configure.ac b/configure.ac -index c879e47..8bf37b0 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -48,7 +48,7 @@ LT_INIT([disable-static]) - AC_CONFIG_SRCDIR([common/flatpak-dir.c]) - AC_CONFIG_HEADERS([config.h]) - AC_CONFIG_MACRO_DIR([m4]) --AM_INIT_AUTOMAKE([1.13.4 no-define no-dist-gzip dist-xz tar-ustar foreign subdir-objects]) -+AM_INIT_AUTOMAKE([1.16.2 no-define no-dist-gzip dist-xz tar-ustar foreign subdir-objects]) - AC_PROG_SED - AC_PROG_YACC -