diff --git a/0001-OCI-Switch-to-pax-format-for-tar-archives.patch b/0001-OCI-Switch-to-pax-format-for-tar-archives.patch deleted file mode 100644 index a95238a7c41e0e0d68c7d68292be3f585245a315..0000000000000000000000000000000000000000 --- a/0001-OCI-Switch-to-pax-format-for-tar-archives.patch +++ /dev/null @@ -1,34 +0,0 @@ -From adbd286cef9a4c4bed76eb95337d5d6f5e42dd45 Mon Sep 17 00:00:00 2001 -From: Kalev Lember -Date: Mon, 5 Apr 2021 10:40:26 +0200 -Subject: [PATCH] OCI: Switch to pax format for tar archives - -For reasons unknown, libarchive appears to generate broken gnutar format -tar archives when the archive contains files that are larger than 2 GB. -This commit switches to the pax format to work this around. - -This should be a better default as it also removes 256 char filename -length limitation and matches what other libraries are doing, e.g. -Python 3.8 switched to the pax format by default as well. - -See https://pagure.io/fedora-infrastructure/issue/9840 ---- - common/flatpak-oci-registry.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c -index 6aa68c27..2a7f3ba1 100644 ---- a/common/flatpak-oci-registry.c -+++ b/common/flatpak-oci-registry.c -@@ -1476,7 +1476,7 @@ flatpak_oci_registry_write_layer (FlatpakOciRegistry *self, - } - - a = archive_write_new (); -- if (archive_write_set_format_gnutar (a) != ARCHIVE_OK || -+ if (archive_write_set_format_pax (a) != ARCHIVE_OK || - archive_write_add_filter_none (a) != ARCHIVE_OK) - { - propagate_libarchive_error (error, a); --- -2.30.2 - diff --git a/CVE-2021-21261-2.patch b/CVE-2021-21261-2.patch deleted file mode 100644 index 3d1da63580468ed5c30bb1f50a3594a5bca3ace7..0000000000000000000000000000000000000000 --- a/CVE-2021-21261-2.patch +++ /dev/null @@ -1,241 +0,0 @@ -From 1b82bf2f9df06ee60d222b4fb45fe3490d05ef94 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 11 Jan 2021 14:51:36 +0000 -Subject: [PATCH] common: Move flatpak_buffer_to_sealed_memfd_or_tmpfile - to its own file - -We'll need this to use it in flatpak-portal without pulling the rest of -the common/ directory. - -Signed-off-by: Simon McVittie ---- - common/Makefile.am.inc | 2 + - common/flatpak-utils-memfd-private.h | 32 ++++++++++ - common/flatpak-utils-memfd.c | 90 ++++++++++++++++++++++++++++ - common/flatpak-utils-private.h | 1 + - common/flatpak-utils.c | 50 ---------------- - 5 files changed, 125 insertions(+), 50 deletions(-) - create mode 100644 common/flatpak-utils-memfd-private.h - create mode 100644 common/flatpak-utils-memfd.c - -diff --git a/common/Makefile.am.inc b/common/Makefile.am.inc -index 4844ab5..b681294 100644 ---- a/common/Makefile.am.inc -+++ b/common/Makefile.am.inc -@@ -164,6 +164,8 @@ libflatpak_common_la_SOURCES = \ - common/flatpak-transaction.c \ - common/flatpak-transaction.h \ - common/flatpak-utils-http-private.h \ -+ common/flatpak-utils-memfd.c \ -+ common/flatpak-utils-memfd-private.h \ - common/flatpak-utils-http.c \ - common/flatpak-utils-private.h \ - common/flatpak-utils.c \ -diff --git a/common/flatpak-utils-memfd-private.h b/common/flatpak-utils-memfd-private.h -new file mode 100644 -index 0000000..65b550d ---- /dev/null -+++ b/common/flatpak-utils-memfd-private.h -@@ -0,0 +1,33 @@ -+/* -+ * Copyright © 2014 Red Hat, Inc -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library. If not, see . -+ * -+ * Authors: -+ * Alexander Larsson -+ */ -+ -+#ifndef __FLATPAK_UTILS_MEMFD_H__ -+#define __FLATPAK_UTILS_MEMFD_H__ -+ -+#include "libglnx/libglnx.h" -+ -+gboolean flatpak_buffer_to_sealed_memfd_or_tmpfile (GLnxTmpfile *tmpf, -+ const char *name, -+ const char *str, -+ size_t len, -+ GError **error); -+ -+#endif /* __FLATPAK_UTILS_MEMFD_H__ */ -+ -diff --git a/common/flatpak-utils-memfd.c b/common/flatpak-utils-memfd.c -new file mode 100644 -index 0000000..9a0730f ---- /dev/null -+++ b/common/flatpak-utils-memfd.c -@@ -0,0 +1,90 @@ -+/* -+ * Copyright © 2014 Red Hat, Inc -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library. If not, see . -+ * -+ * Authors: -+ * Alexander Larsson -+ */ -+ -+#include "config.h" -+ -+#include "flatpak-utils-memfd-private.h" -+ -+#include "valgrind-private.h" -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+/* If memfd_create() is available, generate a sealed memfd with contents of -+ * @str. Otherwise use an O_TMPFILE @tmpf in anonymous mode, write @str to -+ * @tmpf, and lseek() back to the start. See also similar uses in e.g. -+ * rpm-ostree for running dracut. -+ */ -+gboolean -+flatpak_buffer_to_sealed_memfd_or_tmpfile (GLnxTmpfile *tmpf, -+ const char *name, -+ const char *str, -+ size_t len, -+ GError **error) -+{ -+ if (len == -1) -+ len = strlen (str); -+ glnx_autofd int memfd = memfd_create (name, MFD_CLOEXEC | MFD_ALLOW_SEALING); -+ int fd; /* Unowned */ -+ if (memfd != -1) -+ { -+ fd = memfd; -+ } -+ else -+ { -+ /* We use an anonymous fd (i.e. O_EXCL) since we don't want -+ * the target container to potentially be able to re-link it. -+ */ -+ if (!G_IN_SET (errno, ENOSYS, EOPNOTSUPP)) -+ return glnx_throw_errno_prefix (error, "memfd_create"); -+ if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, tmpf, error)) -+ return FALSE; -+ fd = tmpf->fd; -+ } -+ if (ftruncate (fd, len) < 0) -+ return glnx_throw_errno_prefix (error, "ftruncate"); -+ if (glnx_loop_write (fd, str, len) < 0) -+ return glnx_throw_errno_prefix (error, "write"); -+ if (lseek (fd, 0, SEEK_SET) < 0) -+ return glnx_throw_errno_prefix (error, "lseek"); -+ if (memfd != -1) -+ { -+ /* Valgrind doesn't currently handle G_ADD_SEALS, so lets not seal when debugging... */ -+ if ((!RUNNING_ON_VALGRIND) && -+ fcntl (memfd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0) -+ return glnx_throw_errno_prefix (error, "fcntl(F_ADD_SEALS)"); -+ /* The other values can stay default */ -+ tmpf->fd = glnx_steal_fd (&memfd); -+ tmpf->initialized = TRUE; -+ } -+ return TRUE; -+} -diff --git a/common/flatpak-utils-private.h b/common/flatpak-utils-private.h -index 1a92154..4c1ac61 100644 ---- a/common/flatpak-utils-private.h -+++ b/common/flatpak-utils-private.h -@@ -32,6 +32,7 @@ - #include "flatpak-context-private.h" - #include "flatpak-error.h" - #include "flatpak-utils-http-private.h" -+#include "flatpak-utils-memfd-private.h" - #include "flatpak-variant-private.h" - #include "flatpak-dir-private.h" - #include -diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c -index 56cbb06..6901a62 100644 ---- a/common/flatpak-utils.c -+++ b/common/flatpak-utils.c -@@ -1851,56 +1851,6 @@ flatpak_file_rename (GFile *from, - return TRUE; - } - --/* If memfd_create() is available, generate a sealed memfd with contents of -- * @str. Otherwise use an O_TMPFILE @tmpf in anonymous mode, write @str to -- * @tmpf, and lseek() back to the start. See also similar uses in e.g. -- * rpm-ostree for running dracut. -- */ --gboolean --flatpak_buffer_to_sealed_memfd_or_tmpfile (GLnxTmpfile *tmpf, -- const char *name, -- const char *str, -- size_t len, -- GError **error) --{ -- if (len == -1) -- len = strlen (str); -- glnx_autofd int memfd = memfd_create (name, MFD_CLOEXEC | MFD_ALLOW_SEALING); -- int fd; /* Unowned */ -- if (memfd != -1) -- { -- fd = memfd; -- } -- else -- { -- /* We use an anonymous fd (i.e. O_EXCL) since we don't want -- * the target container to potentially be able to re-link it. -- */ -- if (!G_IN_SET (errno, ENOSYS, EOPNOTSUPP)) -- return glnx_throw_errno_prefix (error, "memfd_create"); -- if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, tmpf, error)) -- return FALSE; -- fd = tmpf->fd; -- } -- if (ftruncate (fd, len) < 0) -- return glnx_throw_errno_prefix (error, "ftruncate"); -- if (glnx_loop_write (fd, str, len) < 0) -- return glnx_throw_errno_prefix (error, "write"); -- if (lseek (fd, 0, SEEK_SET) < 0) -- return glnx_throw_errno_prefix (error, "lseek"); -- if (memfd != -1) -- { -- /* Valgrind doesn't currently handle G_ADD_SEALS, so lets not seal when debugging... */ -- if ((!RUNNING_ON_VALGRIND) && -- fcntl (memfd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0) -- return glnx_throw_errno_prefix (error, "fcntl(F_ADD_SEALS)"); -- /* The other values can stay default */ -- tmpf->fd = glnx_steal_fd (&memfd); -- tmpf->initialized = TRUE; -- } -- return TRUE; --} -- - gboolean - flatpak_open_in_tmpdir_at (int tmpdir_fd, - int mode, diff --git a/CVE-2021-21261-4.patch b/CVE-2021-21261-4.patch deleted file mode 100644 index a25884a700eb1c5895b25be2d8f59fe76a992804..0000000000000000000000000000000000000000 --- a/CVE-2021-21261-4.patch +++ /dev/null @@ -1,48 +0,0 @@ -From ce6a6e593310d42f7aecddb88d98e759f22ab6db Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Tue, 12 Jan 2021 12:25:59 +0000 -Subject: [PATCH] portal: Convert --env in extra-args into --env-fd - -This hides overridden variables from the command-line, which means -processes running under other uids can't see them in /proc/*/cmdline, -which might be important if they contain secrets. - -Signed-off-by: Simon McVittie -Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 ---- - portal/Makefile.am.inc | 4 ++- - portal/flatpak-portal.c | 65 ++++++++++++++++++++++++++++++++++++++++- - 2 files changed, 67 insertions(+), 2 deletions(-) - -diff --git a/portal/Makefile.am.inc b/portal/Makefile.am.inc -index dc45969..e5e57ba 100644 ---- a/portal/Makefile.am.inc -+++ b/portal/Makefile.am.inc -@@ -46,6 +46,8 @@ flatpak_portal_SOURCES = \ - portal/portal-impl.h \ - common/flatpak-portal-error.c \ - common/flatpak-portal-error.h \ -+ common/flatpak-utils-memfd.c \ -+ common/flatpak-utils-memfd-private.h \ - $(NULL) - - BUILT_SOURCES += $(nodist_flatpak_portal_SOURCES) -diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c -index 7887c57..40a8ce7 100644 ---- a/portal/flatpak-portal.c -+++ b/portal/flatpak-portal.c -@@ -46,6 +46,14 @@ - #include "flatpak-instance-private.h" - #include "flatpak-portal-app-info.h" - #include "flatpak-portal-error.h" -+#include "flatpak-utils-memfd-private.h" -+ -+/* Syntactic sugar added in newer GLib, which makes the error paths more -+ * clearly correct */ -+#ifndef G_DBUS_METHOD_INVOCATION_HANDLED -+# define G_DBUS_METHOD_INVOCATION_HANDLED TRUE -+# define G_DBUS_METHOD_INVOCATION_UNHANDLED FALSE -+#endif - #include "flatpak-utils-base-private.h" - #include "portal-impl.h" - #include "flatpak-permission-dbus.h" diff --git a/CVE-2023-28100-pre1.patch b/CVE-2023-28100-pre1.patch deleted file mode 100644 index 191e9895d21772786abdc2bdbaff8e548da76658..0000000000000000000000000000000000000000 --- a/CVE-2023-28100-pre1.patch +++ /dev/null @@ -1,394 +0,0 @@ -From 4206d681c5c52691dec0074e3f8c32dab1953a94 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 21 May 2021 17:41:31 +0100 -Subject: [PATCH] test-context: Exercise some corner cases for merging - filesystems - -Signed-off-by: Simon McVittie -Co-authored-by: Alexander Larsson -(cherry picked from commit fab0f8ed7c52fc58e6c550d123ede9621c760ca7) -[smcv: Also backport the scaffolding to create this test-case] ---- - tests/Makefile.am.inc | 11 +- - tests/test-context.c | 343 ++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 353 insertions(+), 1 deletion(-) - create mode 100644 tests/test-context.c - -diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc -index 53d6403e4c..0fb650cb38 100644 ---- a/tests/Makefile.am.inc -+++ b/tests/Makefile.am.inc -@@ -66,6 +66,10 @@ testcommon_LDADD = \ - $(NULL) - testcommon_SOURCES = tests/testcommon.c - -+test_context_CFLAGS = $(testcommon_CFLAGS) -+test_context_LDADD = $(testcommon_LDADD) -+test_context_SOURCES = tests/test-context.c -+ - test_exports_CFLAGS = $(testcommon_CFLAGS) - test_exports_LDADD = $(testcommon_LDADD) - test_exports_SOURCES = tests/test-exports.c -@@ -252,7 +256,12 @@ test_scripts = ${TEST_MATRIX} - dist_test_scripts = ${TEST_MATRIX_DIST} - dist_installed_test_extra_scripts += ${TEST_MATRIX_EXTRA_DIST} - --test_programs = testlibrary testcommon test-exports -+test_programs = \ -+ test-context \ -+ test-exports \ -+ testcommon \ -+ testlibrary \ -+ $(NULL) - test_extra_programs = tests/httpcache tests/test-update-portal tests/test-portal-impl tests/test-authenticator tests/list-unused - - @VALGRIND_CHECK_RULES@ -diff --git a/tests/test-context.c b/tests/test-context.c -new file mode 100644 -index 0000000000..c128a83fae ---- /dev/null -+++ b/tests/test-context.c -@@ -0,0 +1,343 @@ -+/* -+ * Copyright © 2021 Collabora Ltd. -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library. If not, see . -+ */ -+ -+#include "config.h" -+ -+#include -+ -+#include -+#include "flatpak.h" -+#include "flatpak-context-private.h" -+#include "flatpak-run-private.h" -+#include "flatpak-utils-private.h" -+ -+/* g_str_has_prefix as a GEqualFunc */ -+static gboolean -+str_has_prefix (gconstpointer candidate, -+ gconstpointer pattern) -+{ -+ return g_str_has_prefix (candidate, pattern); -+} -+ -+static void context_parse_args (FlatpakContext *context, -+ ...) G_GNUC_NULL_TERMINATED; -+ -+static void -+context_parse_args (FlatpakContext *context, -+ ...) -+{ -+ g_autoptr(GError) local_error = NULL; -+ g_autoptr(GOptionContext) oc = NULL; -+ g_autoptr(GOptionGroup) group = NULL; -+ g_autoptr(GPtrArray) args = g_ptr_array_new_with_free_func (g_free); -+ g_auto(GStrv) argv = NULL; -+ const char *arg; -+ va_list ap; -+ -+ g_ptr_array_add (args, g_strdup ("argv[0]")); -+ -+ va_start (ap, context); -+ -+ while ((arg = va_arg (ap, const char *)) != NULL) -+ g_ptr_array_add (args, g_strdup (arg)); -+ -+ va_end (ap); -+ -+ g_ptr_array_add (args, NULL); -+ argv = (GStrv) g_ptr_array_free (g_steal_pointer (&args), FALSE); -+ -+ oc = g_option_context_new (""); -+ group = flatpak_context_get_options (context); -+ g_option_context_add_group (oc, group); -+ g_option_context_parse_strv (oc, &argv, &local_error); -+ g_assert_no_error (local_error); -+} -+ -+static void -+test_context_merge_fs (void) -+{ -+ /* -+ * We want to arrive at the same result regardless of whether we: -+ * - start from lowest precedence, and successively merge higher -+ * precedences into it, discarding them when done; -+ * - successively merge highest precedence into second-highest, and -+ * then discard highest -+ */ -+ enum { LOWEST_FIRST, HIGHEST_FIRST, INVALID } merge_order; -+ -+ for (merge_order = LOWEST_FIRST; merge_order < INVALID; merge_order++) -+ { -+ g_autoptr(FlatpakContext) lowest = flatpak_context_new (); -+ g_autoptr(FlatpakContext) middle = flatpak_context_new (); -+ g_autoptr(FlatpakContext) highest = flatpak_context_new (); -+ gpointer value; -+ -+ context_parse_args (lowest, -+ "--filesystem=/one", -+ NULL); -+ context_parse_args (middle, -+ "--nofilesystem=host:reset", -+ "--filesystem=/two", -+ NULL); -+ context_parse_args (highest, -+ "--nofilesystem=host", -+ "--filesystem=/three", -+ NULL); -+ -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/one", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/two", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/three", NULL, NULL)); -+ -+ g_assert_true (g_hash_table_lookup_extended (middle->filesystems, "host", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_true (g_hash_table_lookup_extended (middle->filesystems, "host-reset", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_false (g_hash_table_lookup_extended (middle->filesystems, "/one", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (middle->filesystems, "/two", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_false (g_hash_table_lookup_extended (middle->filesystems, "/three", NULL, NULL)); -+ -+ g_assert_true (g_hash_table_lookup_extended (highest->filesystems, "host", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_false (g_hash_table_lookup_extended (highest->filesystems, "host-reset", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (highest->filesystems, "/one", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (highest->filesystems, "/two", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (highest->filesystems, "/three", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ -+ if (merge_order == LOWEST_FIRST) -+ { -+ flatpak_context_merge (lowest, middle); -+ -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/one", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/two", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/three", NULL, NULL)); -+ -+ flatpak_context_merge (lowest, highest); -+ } -+ else -+ { -+ flatpak_context_merge (middle, highest); -+ -+ g_assert_true (g_hash_table_lookup_extended (middle->filesystems, "host", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_true (g_hash_table_lookup_extended (middle->filesystems, "host-reset", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_false (g_hash_table_lookup_extended (middle->filesystems, "/one", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (middle->filesystems, "/two", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_true (g_hash_table_lookup_extended (middle->filesystems, "/three", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ -+ flatpak_context_merge (lowest, middle); -+ } -+ -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/one", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/two", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/three", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ } -+ -+ for (merge_order = LOWEST_FIRST; merge_order < INVALID; merge_order++) -+ { -+ g_autoptr(FlatpakContext) lowest = flatpak_context_new (); -+ g_autoptr(FlatpakContext) mid_low = flatpak_context_new (); -+ g_autoptr(FlatpakContext) mid_high = flatpak_context_new (); -+ g_autoptr(FlatpakContext) highest = flatpak_context_new (); -+ g_autoptr(GError) local_error = NULL; -+ g_autoptr(GKeyFile) metakey = g_key_file_new (); -+ g_autoptr(GPtrArray) args = g_ptr_array_new_with_free_func (g_free); -+ g_autofree char *filesystems = NULL; -+ gpointer value; -+ -+ context_parse_args (lowest, -+ "--filesystem=/one", -+ NULL); -+ context_parse_args (mid_low, -+ "--nofilesystem=host:reset", -+ "--filesystem=/two", -+ NULL); -+ context_parse_args (mid_high, -+ "--filesystem=host", -+ "--filesystem=/three", -+ NULL); -+ context_parse_args (highest, -+ "--nofilesystem=host", -+ "--filesystem=/four", -+ NULL); -+ -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/one", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/two", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/three", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/four", NULL, NULL)); -+ -+ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "host", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "host-reset", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_false (g_hash_table_lookup_extended (mid_low->filesystems, "/one", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "/two", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_false (g_hash_table_lookup_extended (mid_low->filesystems, "/three", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (mid_low->filesystems, "/four", NULL, NULL)); -+ -+ g_assert_true (g_hash_table_lookup_extended (mid_high->filesystems, "host", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "host-reset", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "/one", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "/two", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (mid_high->filesystems, "/three", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "/four", NULL, NULL)); -+ -+ g_assert_true (g_hash_table_lookup_extended (highest->filesystems, "host", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "host-reset", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (highest->filesystems, "/one", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (highest->filesystems, "/two", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (highest->filesystems, "/three", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (highest->filesystems, "/four", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ -+ if (merge_order == LOWEST_FIRST) -+ { -+ flatpak_context_merge (lowest, mid_low); -+ -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/one", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/two", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/three", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/four", NULL, NULL)); -+ -+ flatpak_context_merge (lowest, mid_high); -+ -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/one", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/two", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/three", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/four", NULL, NULL)); -+ -+ flatpak_context_merge (lowest, highest); -+ } -+ else -+ { -+ flatpak_context_merge (mid_high, highest); -+ -+ g_assert_true (g_hash_table_lookup_extended (mid_high->filesystems, "host", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "host-reset", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "/one", NULL, NULL)); -+ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "/two", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (mid_high->filesystems, "/three", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_true (g_hash_table_lookup_extended (mid_high->filesystems, "/four", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ -+ flatpak_context_merge (mid_low, mid_high); -+ -+ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "host", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "host-reset", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_false (g_hash_table_lookup_extended (mid_low->filesystems, "/one", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "/two", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "/three", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "/four", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ -+ flatpak_context_merge (lowest, mid_low); -+ } -+ -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); -+ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/one", NULL, NULL)); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/two", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/three", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/four", NULL, &value)); -+ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ -+ flatpak_context_save_metadata (lowest, FALSE, metakey); -+ filesystems = g_key_file_get_value (metakey, -+ FLATPAK_METADATA_GROUP_CONTEXT, -+ FLATPAK_METADATA_KEY_FILESYSTEMS, -+ &local_error); -+ g_assert_no_error (local_error); -+ g_test_message ("%s=%s", FLATPAK_METADATA_KEY_FILESYSTEMS, filesystems); -+ /* !host:reset is serialized first */ -+ g_assert_true (g_str_has_prefix (filesystems, "!host:reset;")); -+ /* The rest are serialized in arbitrary order */ -+ g_assert_nonnull (strstr (filesystems, ";!host;")); -+ g_assert_null (strstr (filesystems, "/one")); -+ g_assert_nonnull (strstr (filesystems, ";/two;")); -+ g_assert_nonnull (strstr (filesystems, ";/three;")); -+ g_assert_nonnull (strstr (filesystems, ";/four;")); -+ -+ flatpak_context_to_args (lowest, args); -+ /* !host:reset is serialized first */ -+ g_assert_cmpuint (args->len, >, 0); -+ g_assert_cmpstr (g_ptr_array_index (args, 0), ==, -+ "--nofilesystem=host:reset"); -+ /* The rest are serialized in arbitrary order */ -+ g_assert_true (g_ptr_array_find_with_equal_func (args, "--nofilesystem=host", g_str_equal, NULL)); -+ g_assert_false (g_ptr_array_find_with_equal_func (args, "--filesystem=/one", str_has_prefix, NULL)); -+ g_assert_false (g_ptr_array_find_with_equal_func (args, "--nofilesystem=/one", str_has_prefix, NULL)); -+ g_assert_true (g_ptr_array_find_with_equal_func (args, "--filesystem=/two", g_str_equal, NULL)); -+ g_assert_true (g_ptr_array_find_with_equal_func (args, "--filesystem=/three", g_str_equal, NULL)); -+ g_assert_true (g_ptr_array_find_with_equal_func (args, "--filesystem=/four", g_str_equal, NULL)); -+ } -+} -+ -+int -+main (int argc, char *argv[]) -+{ -+ g_test_init (&argc, &argv, NULL); -+ -+ g_test_add_func ("/context/merge-fs", test_context_merge_fs); -+ -+ return g_test_run (); -+} diff --git a/CVE-2023-28100-pre2.patch b/CVE-2023-28100-pre2.patch deleted file mode 100644 index 5bd847a5aa4e4e13f03cbb63c3a62fc9e28fa9c3..0000000000000000000000000000000000000000 --- a/CVE-2023-28100-pre2.patch +++ /dev/null @@ -1,231 +0,0 @@ -From b83fb81d1a66fe4ea31fd9c36ca425705eaaca99 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Thu, 21 Oct 2021 17:39:08 +0100 -Subject: [PATCH] tests: Add try-syscall helper - -This exercises various syscalls. It's heavily based on the one from -, but with the -addition of a mode to output the numeric values of various expected -errno codes, which are not otherwise available to shell scripts. - -Signed-off-by: Simon McVittie -(cherry picked from commit 4ce251882c488953ca6e3734f00c5dbe2e1e3e7a) -(cherry picked from commit f82e2a45777e6f370b9d3be787a84cddc3ed0575) ---- - .gitignore | 1 + - tests/Makefile.am.inc | 14 +++- - tests/try-syscall.c | 173 ++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 187 insertions(+), 1 deletion(-) - create mode 100644 tests/try-syscall.c - -diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc -index 3632591a04..2548080254 100644 ---- a/tests/Makefile.am.inc -+++ b/tests/Makefile.am.inc -@@ -99,6 +99,10 @@ tests_test_authenticator_CFLAGS = $(AM_CFLAGS) $(BASE_CFLAGS) \ - tests_test_authenticator_LDADD = $(AM_LDADD) $(BASE_LIBS) libflatpak-common.la libflatpak-common-base.la libglnx.la - tests_test_authenticator_SOURCES = tests/test-authenticator.c - -+tests_try_syscall_CFLAGS = $(AM_CFLAGS) -+tests_try_syscall_LDADD = $(AM_LDADD) -+tests_try_syscall_SOURCES = tests/try-syscall.c -+ - tests_list_unused_CFLAGS = $(AM_CFLAGS) $(BASE_CFLAGS) $(OSTREE_CFLAGS) $(SOUP_CFLAGS) $(JSON_CFLAGS) $(APPSTREAM_GLIB_CFLAGS) \ - -DFLATPAK_COMPILATION \ - -DLOCALEDIR=\"$(localedir)\" -@@ -263,7 +267,15 @@ test_programs = \ - testcommon \ - testlibrary \ - $(NULL) --test_extra_programs = tests/httpcache tests/test-update-portal tests/test-portal-impl tests/test-authenticator tests/list-unused -+ -+test_extra_programs = \ -+ tests/httpcache \ -+ tests/list-unused \ -+ tests/test-authenticator \ -+ tests/test-portal-impl \ -+ tests/test-update-portal \ -+ tests/try-syscall \ -+ $(NULL) - - @VALGRIND_CHECK_RULES@ - VALGRIND_SUPPRESSIONS_FILES=tests/flatpak.supp tests/glib.supp -diff --git a/tests/try-syscall.c b/tests/try-syscall.c -new file mode 100644 -index 0000000000..84a0ca6673 ---- /dev/null -+++ b/tests/try-syscall.c -@@ -0,0 +1,173 @@ -+/* -+ * Copyright 2021 Simon McVittie -+ * SPDX-License-Identifier: LGPL-2.0-or-later -+ * -+ * Try one or more system calls that might have been blocked by a -+ * seccomp filter. Return the last value of errno seen. -+ * -+ * In general, we pass a bad fd or pointer to each syscall that will -+ * accept one, so that it will fail with EBADF or EFAULT without side-effects. -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#if defined(_MIPS_SIM) -+# if _MIPS_SIM == _MIPS_SIM_ABI32 -+# define MISSING_SYSCALL_BASE 4000 -+# elif _MIPS_SIM == _MIPS_SIM_ABI64 -+# define MISSING_SYSCALL_BASE 5000 -+# elif _MIPS_SIM == _MIPS_SIM_NABI32 -+# define MISSING_SYSCALL_BASE 6000 -+# else -+# error "Unknown MIPS ABI" -+# endif -+#endif -+ -+#if defined(__ia64__) -+# define MISSING_SYSCALL_BASE 1024 -+#endif -+ -+#if defined(__alpha__) -+# define MISSING_SYSCALL_BASE 110 -+#endif -+ -+#if defined(__x86_64__) && defined(__ILP32__) -+# define MISSING_SYSCALL_BASE 0x40000000 -+#endif -+ -+/* -+ * MISSING_SYSCALL_BASE: -+ * -+ * Number to add to the syscall numbers of recently-added syscalls -+ * to get the appropriate syscall for the current ABI. -+ */ -+#ifndef MISSING_SYSCALL_BASE -+# define MISSING_SYSCALL_BASE 0 -+#endif -+ -+#ifndef __NR_clone3 -+# define __NR_clone3 (MISSING_SYSCALL_BASE + 435) -+#endif -+ -+/* -+ * The size of clone3's parameter (as of 2021) -+ */ -+#define SIZEOF_STRUCT_CLONE_ARGS ((size_t) 88) -+ -+/* -+ * An invalid pointer that will cause syscalls to fail with EFAULT -+ */ -+#define WRONG_POINTER ((char *) 1) -+ -+int -+main (int argc, char **argv) -+{ -+ int errsv = 0; -+ int i; -+ -+ for (i = 1; i < argc; i++) -+ { -+ const char *arg = argv[i]; -+ -+ if (strcmp (arg, "print-errno-values") == 0) -+ { -+ printf ("EBADF=%d\n", EBADF); -+ printf ("EFAULT=%d\n", EFAULT); -+ printf ("ENOENT=%d\n", ENOENT); -+ printf ("ENOSYS=%d\n", ENOSYS); -+ printf ("EPERM=%d\n", EPERM); -+ } -+ else if (strcmp (arg, "chmod") == 0) -+ { -+ /* If not blocked by seccomp, this will fail with EFAULT */ -+ if (chmod (WRONG_POINTER, 0700) != 0) -+ { -+ errsv = errno; -+ perror (arg); -+ } -+ } -+ else if (strcmp (arg, "chroot") == 0) -+ { -+ /* If not blocked by seccomp, this will fail with EFAULT */ -+ if (chroot (WRONG_POINTER) != 0) -+ { -+ errsv = errno; -+ perror (arg); -+ } -+ } -+ else if (strcmp (arg, "clone3") == 0) -+ { -+ /* If not blocked by seccomp, this will fail with EFAULT */ -+ if (syscall (__NR_clone3, WRONG_POINTER, SIZEOF_STRUCT_CLONE_ARGS) != 0) -+ { -+ errsv = errno; -+ perror (arg); -+ } -+ } -+ else if (strcmp (arg, "ioctl TIOCNOTTY") == 0) -+ { -+ /* If not blocked by seccomp, this will fail with EBADF */ -+ if (ioctl (-1, TIOCNOTTY) != 0) -+ { -+ errsv = errno; -+ perror (arg); -+ } -+ } -+ else if (strcmp (arg, "ioctl TIOCSTI") == 0) -+ { -+ /* If not blocked by seccomp, this will fail with EBADF */ -+ if (ioctl (-1, TIOCSTI, WRONG_POINTER) != 0) -+ { -+ errsv = errno; -+ perror (arg); -+ } -+ } -+#ifdef __LP64__ -+ else if (strcmp (arg, "ioctl TIOCSTI CVE-2019-10063") == 0) -+ { -+ unsigned long not_TIOCSTI = (0x123UL << 32) | (unsigned long) TIOCSTI; -+ -+ /* If not blocked by seccomp, this will fail with EBADF */ -+ if (syscall (__NR_ioctl, -1, not_TIOCSTI, WRONG_POINTER) != 0) -+ { -+ errsv = errno; -+ perror (arg); -+ } -+ } -+#endif -+ else if (strcmp (arg, "listen") == 0) -+ { -+ /* If not blocked by seccomp, this will fail with EBADF */ -+ if (listen (-1, 42) != 0) -+ { -+ errsv = errno; -+ perror (arg); -+ } -+ } -+ else if (strcmp (arg, "prctl") == 0) -+ { -+ /* If not blocked by seccomp, this will fail with EFAULT */ -+ if (prctl (PR_GET_CHILD_SUBREAPER, WRONG_POINTER, 0, 0, 0) != 0) -+ { -+ errsv = errno; -+ perror (arg); -+ } -+ } -+ else -+ { -+ fprintf (stderr, "Unsupported syscall \"%s\"\n", arg); -+ errsv = ENOENT; -+ } -+ } -+ -+ return errsv; -+} diff --git a/CVE-2023-28100-pre3.patch b/CVE-2023-28100-pre3.patch deleted file mode 100644 index 3caff79e434b1f52db949d03dcb54c78f03d132f..0000000000000000000000000000000000000000 --- a/CVE-2023-28100-pre3.patch +++ /dev/null @@ -1,142 +0,0 @@ -From e7880e25b9d400feeaacb82f115fae676ce6c65d Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Thu, 21 Oct 2021 17:41:08 +0100 -Subject: [PATCH] tests: Add basic test coverage for our seccomp filters - -In particular, this checks that CVE-2017-5226, CVE-2019-10063 and -CVE-2021-41133 are still prevented. - -Signed-off-by: Simon McVittie -(cherry picked from commit 7c5aec474caef7aa004286cc9359611ad21d227b) -(cherry picked from commit ff0f5a15b26dac28c8efd88c8d47e51751df8043) ---- - tests/Makefile-test-matrix.am.inc | 1 + - tests/Makefile.am.inc | 1 + - tests/test-seccomp.sh | 94 +++++++++++++++++++++++++++++++ - 3 files changed, 96 insertions(+) - create mode 100755 tests/test-seccomp.sh - -diff --git a/tests/Makefile-test-matrix.am.inc b/tests/Makefile-test-matrix.am.inc -index f56c169e60..e1ec09ffb0 100644 ---- a/tests/Makefile-test-matrix.am.inc -+++ b/tests/Makefile-test-matrix.am.inc -@@ -43,6 +43,7 @@ TEST_MATRIX_DIST= \ - tests/test-override.sh \ - tests/test-auth.sh \ - tests/test-unused.sh \ -+ tests/test-seccomp.sh \ - $(NULL) - TEST_MATRIX_EXTRA_DIST= \ - tests/test-run.sh \ -diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc -index 2548080254..fd13c0cd3d 100644 ---- a/tests/Makefile.am.inc -+++ b/tests/Makefile.am.inc -@@ -237,6 +237,7 @@ TEST_MATRIX_SOURCE = \ - tests/test-unused.sh \ - tests/test-summaries.sh{user+system} \ - tests/test-subset.sh{user+system} \ -+ tests/test-seccomp.sh \ - $(NULL) - - update-test-matrix: -diff --git a/tests/test-seccomp.sh b/tests/test-seccomp.sh -new file mode 100755 -index 0000000000..72b0dad231 ---- /dev/null -+++ b/tests/test-seccomp.sh -@@ -0,0 +1,94 @@ -+#!/bin/bash -+# Copyright 2021 Collabora Ltd. -+# SPDX-License-Identifier: LGPL-2.0-or-later -+ -+set -euo pipefail -+ -+. $(dirname $0)/libtest.sh -+ -+skip_without_bwrap -+ -+echo "1..16" -+ -+setup_repo -+install_repo -+ -+cp -a "$G_TEST_BUILDDIR/try-syscall" "$test_tmpdir/try-syscall" -+ -+# How this works: -+# try-syscall tries to make various syscalls, some benign, some not. -+# -+# The parameters are chosen to make them fail with EBADF or EFAULT if -+# not blocked. If they are blocked, we get ENOSYS or EPERM. If the syscall -+# is impossible for a particular architecture, we get ENOENT. -+# -+# The exit status is an errno value, which we can compare with the expected -+# errno value. -+ -+eval "$("$test_tmpdir/try-syscall" print-errno-values)" -+ -+try_syscall () { -+ ${FLATPAK} run \ -+ --filesystem="$test_tmpdir" \ -+ --command="$test_tmpdir/try-syscall" \ -+ $extra_argv \ -+ org.test.Hello "$@" -+} -+ -+for extra_argv in "" "--allow=multiarch"; do -+ echo "# testing with extra argv: '$extra_argv'" -+ -+ echo "# chmod (benign)" -+ e=0 -+ try_syscall chmod || e="$?" -+ assert_streq "$e" "$EFAULT" -+ ok "chmod not blocked" -+ -+ echo "# chroot (harmful)" -+ e=0 -+ try_syscall chroot || e="$?" -+ assert_streq "$e" "$EPERM" -+ ok "chroot blocked with EPERM" -+ -+ echo "# clone3 (harmful)" -+ e=0 -+ try_syscall clone3 || e="$?" -+ # This is either ENOSYS because the kernel genuinely doesn't implement it, -+ # or because we successfully blocked it. We can't tell which. -+ assert_streq "$e" "$ENOSYS" -+ ok "clone3 blocked with ENOSYS (CVE-2021-41133)" -+ -+ echo "# ioctl TIOCNOTTY (benign)" -+ e=0 -+ try_syscall "ioctl TIOCNOTTY" || e="$?" -+ assert_streq "$e" "$EBADF" -+ ok "ioctl TIOCNOTTY not blocked" -+ -+ echo "# ioctl TIOCSTI (CVE-2017-5226)" -+ e=0 -+ try_syscall "ioctl TIOCSTI" || e="$?" -+ assert_streq "$e" "$EPERM" -+ ok "ioctl TIOCSTI blocked (CVE-2017-5226)" -+ -+ echo "# ioctl TIOCSTI (trying to repeat CVE-2019-10063)" -+ e=0 -+ try_syscall "ioctl TIOCSTI CVE-2019-10063" || e="$?" -+ if test "$e" = "$ENOENT"; then -+ echo "ok # SKIP Cannot replicate CVE-2019-10063 on 32-bit architecture" -+ else -+ assert_streq "$e" "$EPERM" -+ ok "ioctl TIOCSTI with high bits blocked (CVE-2019-10063)" -+ fi -+ -+ echo "# listen (benign)" -+ e=0 -+ try_syscall "listen" || e="$?" -+ assert_streq "$e" "$EBADF" -+ ok "listen not blocked" -+ -+ echo "# prctl (benign)" -+ e=0 -+ try_syscall "prctl" || e="$?" -+ assert_streq "$e" "$EFAULT" -+ ok "prctl not blocked" -+done diff --git a/CVE-2023-28100.patch b/CVE-2023-28100.patch deleted file mode 100644 index 36844efb136efdc5740b892da9aafe92979b0e21..0000000000000000000000000000000000000000 --- a/CVE-2023-28100.patch +++ /dev/null @@ -1,85 +0,0 @@ -From a9bf18040cc075a70657c6090a59d7f6fe78f893 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 15 Mar 2023 09:58:56 +0000 -Subject: [PATCH] run: Prevent TIOCLINUX ioctl, the same as TIOCSTI - -The TIOCLINUX ioctl is only available on Linux virtual consoles such as -/dev/tty1. It has several Linux-specific functions, one of which is a -copy/paste operation which can be used for attacks similar to TIOCSTI. - -This vulnerability does not affect typical graphical terminal emulators -such as xterm, gnome-terminal and Konsole, and Flatpak is primarily -designed to be run from a Wayland or X11 graphical environment, so this -is relatively unlikely to be a practical problem. - -CVE-2023-28100, GHSA-7qpw-3vjv-xrqp - -Resolves: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp -Signed-off-by: Simon McVittie ---- - common/flatpak-run.c | 4 ++++ - tests/test-seccomp.sh | 8 +++++++- - tests/try-syscall.c | 9 +++++++++ - 3 files changed, 20 insertions(+), 1 deletion(-) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 1c43ca7205..c4dcaca9e6 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2872,6 +2872,10 @@ setup_seccomp (FlatpakBwrap *bwrap, - - /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ - {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)}, -+ /* In the unlikely event that the controlling tty is a Linux virtual -+ * console (/dev/tty2 or similar), copy/paste operations have an effect -+ * similar to TIOCSTI (CVE-2023-28100) */ -+ {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCLINUX)}, - - /* seccomp can't look into clone3()'s struct clone_args to check whether - * the flags are OK, so we have no choice but to block clone3(). -diff --git a/tests/test-seccomp.sh b/tests/test-seccomp.sh -index 72b0dad231..be6fb085d0 100755 ---- a/tests/test-seccomp.sh -+++ b/tests/test-seccomp.sh -@@ -8,7 +8,7 @@ set -euo pipefail - - skip_without_bwrap - --echo "1..16" -+echo "1..18" - - setup_repo - install_repo -@@ -80,6 +80,12 @@ for extra_argv in "" "--allow=multiarch"; do - ok "ioctl TIOCSTI with high bits blocked (CVE-2019-10063)" - fi - -+ echo "# ioctl TIOCLINUX (CVE-2023-28100)" -+ e=0 -+ try_syscall "ioctl TIOCLINUX" || e="$?" -+ assert_streq "$e" "$EPERM" -+ ok "ioctl TIOCLINUX blocked" -+ - echo "# listen (benign)" - e=0 - try_syscall "listen" || e="$?" -diff --git a/tests/try-syscall.c b/tests/try-syscall.c -index 84a0ca6673..9dab899ba3 100644 ---- a/tests/try-syscall.c -+++ b/tests/try-syscall.c -@@ -144,6 +144,15 @@ main (int argc, char **argv) - } - } - #endif -+ else if (strcmp (arg, "ioctl TIOCLINUX") == 0) -+ { -+ /* If not blocked by seccomp, this will fail with EBADF */ -+ if (ioctl (-1, TIOCLINUX, WRONG_POINTER) != 0) -+ { -+ errsv = errno; -+ perror (arg); -+ } -+ } - else if (strcmp (arg, "listen") == 0) - { - /* If not blocked by seccomp, this will fail with EBADF */ diff --git a/CVE-2023-28101-1.patch b/CVE-2023-28101-1.patch deleted file mode 100644 index 3478800958eb74b9d275a3201d087cd51ce22ac3..0000000000000000000000000000000000000000 --- a/CVE-2023-28101-1.patch +++ /dev/null @@ -1,320 +0,0 @@ -From acd627a2fabe9856947399044dbf7aa79247c75b Mon Sep 17 00:00:00 2001 -From: Ryan Gonzalez -Date: Sat, 4 Mar 2023 16:23:37 -0600 -Subject: [PATCH] Ensure special characters in permissions and metadata are - escaped - -This prevents someone from placing special characters in order to -manipulate the appearance of the permissions list. - -CVE-2023-28101, GHSA-h43h-fwqx-mpp8 - -Signed-off-by: Ryan Gonzalez ---- - app/flatpak-builtins-info.c | 8 +++- - app/flatpak-builtins-remote-info.c | 5 +- - app/flatpak-cli-transaction.c | 12 +++-- - common/flatpak-utils-private.h | 11 +++++ - common/flatpak-utils.c | 77 ++++++++++++++++++++++++++++++ - tests/make-test-app.sh | 8 ++++ - tests/test-info.sh | 14 ++++-- - tests/testcommon.c | 39 +++++++++++++++ - 8 files changed, 164 insertions(+), 10 deletions(-) - -diff --git a/app/flatpak-builtins-info.c b/app/flatpak-builtins-info.c -index c13d2d89eb..35d49c446a 100644 ---- a/app/flatpak-builtins-info.c -+++ b/app/flatpak-builtins-info.c -@@ -400,7 +400,9 @@ flatpak_builtin_info (int argc, char **argv, GCancellable *cancellable, GError * - if (!g_file_load_contents (file, cancellable, &data, &data_size, NULL, error)) - return FALSE; - -- g_print ("%s", data); -+ flatpak_print_escaped_string (data, -+ FLATPAK_ESCAPE_ALLOW_NEWLINES -+ | FLATPAK_ESCAPE_DO_NOT_QUOTE); - } - - if (opt_show_permissions || opt_file_access) -@@ -421,7 +423,9 @@ flatpak_builtin_info (int argc, char **argv, GCancellable *cancellable, GError * - if (contents == NULL) - return FALSE; - -- g_print ("%s", contents); -+ flatpak_print_escaped_string (contents, -+ FLATPAK_ESCAPE_ALLOW_NEWLINES -+ | FLATPAK_ESCAPE_DO_NOT_QUOTE); - } - - if (opt_file_access) -diff --git a/app/flatpak-builtins-remote-info.c b/app/flatpak-builtins-remote-info.c -index 20705a97ca..0ab05b7ca4 100644 ---- a/app/flatpak-builtins-remote-info.c -+++ b/app/flatpak-builtins-remote-info.c -@@ -441,7 +441,10 @@ flatpak_builtin_remote_info (int argc, char **argv, GCancellable *cancellable, G - - if (opt_show_metadata) - { -- g_print ("%s", xa_metadata ? xa_metadata : ""); -+ if (xa_metadata != NULL) -+ flatpak_print_escaped_string (xa_metadata, -+ FLATPAK_ESCAPE_ALLOW_NEWLINES -+ | FLATPAK_ESCAPE_DO_NOT_QUOTE); - if (xa_metadata == NULL || !g_str_has_suffix (xa_metadata, "\n")) - g_print ("\n"); - } -diff --git a/app/flatpak-cli-transaction.c b/app/flatpak-cli-transaction.c -index a258f905c4..b915bedd04 100644 ---- a/app/flatpak-cli-transaction.c -+++ b/app/flatpak-cli-transaction.c -@@ -894,12 +894,16 @@ print_perm_line (int idx, - int cols) - { - g_autoptr(GString) res = g_string_new (NULL); -+ g_autofree char *escaped_first_perm = NULL; - int i; - -- g_string_append_printf (res, " [%d] %s", idx, (char *) items->pdata[0]); -+ escaped_first_perm = flatpak_escape_string (items->pdata[0], FLATPAK_ESCAPE_DEFAULT); -+ g_string_append_printf (res, " [%d] %s", idx, escaped_first_perm); - - for (i = 1; i < items->len; i++) - { -+ g_autofree char *escaped = flatpak_escape_string (items->pdata[i], -+ FLATPAK_ESCAPE_DEFAULT); - char *p; - int len; - -@@ -908,10 +912,10 @@ print_perm_line (int idx, - p = res->str; - - len = (res->str + strlen (res->str)) - p; -- if (len + strlen ((char *) items->pdata[i]) + 2 >= cols) -- g_string_append_printf (res, ",\n %s", (char *) items->pdata[i]); -+ if (len + strlen (escaped) + 2 >= cols) -+ g_string_append_printf (res, ",\n %s", escaped); - else -- g_string_append_printf (res, ", %s", (char *) items->pdata[i]); -+ g_string_append_printf (res, ", %s", escaped); - } - - g_print ("%s\n", res->str); -diff --git a/common/flatpak-utils-private.h b/common/flatpak-utils-private.h -index 1a92154706..c1282641f9 100644 ---- a/common/flatpak-utils-private.h -+++ b/common/flatpak-utils-private.h -@@ -902,6 +902,17 @@ null_safe_g_ptr_array_unref (gpointer data) - g_clear_pointer (&data, g_ptr_array_unref); - } - -+typedef enum { -+ FLATPAK_ESCAPE_DEFAULT = 0, -+ FLATPAK_ESCAPE_ALLOW_NEWLINES = 1 << 0, -+ FLATPAK_ESCAPE_DO_NOT_QUOTE = 1 << 1, -+} FlatpakEscapeFlags; -+ -+char * flatpak_escape_string (const char *s, -+ FlatpakEscapeFlags flags); -+void flatpak_print_escaped_string (const char *s, -+ FlatpakEscapeFlags flags); -+ - #define FLATPAK_MESSAGE_ID "c7b39b1e006b464599465e105b361485" - - #endif /* __FLATPAK_UTILS_H__ */ -diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c -index 3a5adb82ee..0b91ae3f91 100644 ---- a/common/flatpak-utils.c -+++ b/common/flatpak-utils.c -@@ -8613,4 +8613,81 @@ flatpak_dconf_path_is_similar (const char *path1, - return (path1[i1] == '\0'); - } - -+static gboolean -+is_char_safe (gunichar c) -+{ -+ return g_unichar_isgraph (c) || c == ' '; -+} -+ -+static gboolean -+should_hex_escape (gunichar c, -+ FlatpakEscapeFlags flags) -+{ -+ if ((flags & FLATPAK_ESCAPE_ALLOW_NEWLINES) && c == '\n') -+ return FALSE; - -+ return !is_char_safe (c); -+} -+ -+static void -+append_hex_escaped_character (GString *result, -+ gunichar c) -+{ -+ if (c <= 0xFF) -+ g_string_append_printf (result, "\\x%02X", c); -+ else if (c <= 0xFFFF) -+ g_string_append_printf (result, "\\u%04X", c); -+ else -+ g_string_append_printf (result, "\\U%08X", c); -+} -+ -+char * -+flatpak_escape_string (const char *s, -+ FlatpakEscapeFlags flags) -+{ -+ g_autoptr(GString) res = g_string_new (""); -+ gboolean did_escape = FALSE; -+ -+ while (*s) -+ { -+ gunichar c = g_utf8_get_char_validated (s, -1); -+ if (c == (gunichar)-2 || c == (gunichar)-1) -+ { -+ /* Need to convert to unsigned first, to avoid negative chars becoming -+ huge gunichars. */ -+ append_hex_escaped_character (res, (unsigned char)*s++); -+ did_escape = TRUE; -+ continue; -+ } -+ else if (should_hex_escape (c, flags)) -+ { -+ append_hex_escaped_character (res, c); -+ did_escape = TRUE; -+ } -+ else if (c == '\\' || (!(flags & FLATPAK_ESCAPE_DO_NOT_QUOTE) && c == '\'')) -+ { -+ g_string_append_printf (res, "\\%c", (char) c); -+ did_escape = TRUE; -+ } -+ else -+ g_string_append_unichar (res, c); -+ -+ s = g_utf8_find_next_char (s, NULL); -+ } -+ -+ if (did_escape && !(flags & FLATPAK_ESCAPE_DO_NOT_QUOTE)) -+ { -+ g_string_prepend_c (res, '\''); -+ g_string_append_c (res, '\''); -+ } -+ -+ return g_string_free (g_steal_pointer (&res), FALSE); -+} -+ -+void -+flatpak_print_escaped_string (const char *s, -+ FlatpakEscapeFlags flags) -+{ -+ g_autofree char *escaped = flatpak_escape_string (s, flags); -+ g_print ("%s", escaped); -+} -diff --git a/tests/make-test-app.sh b/tests/make-test-app.sh -index 731160535c..125e97f6b5 100755 ---- a/tests/make-test-app.sh -+++ b/tests/make-test-app.sh -@@ -40,6 +40,14 @@ required-flatpak=$REQUIRED_VERSION - EOF - fi - -+if [ x${INCLUDE_SPECIAL_CHARACTER-} != x ]; then -+TAB=$'\t' -+cat >> ${DIR}/metadata <> ${DIR}/metadata < info -+ -+# CVE-2023-28101 -+assert_file_has_content info "name=org\.test\.Hello" -+assert_file_has_content info "^A=x\\\\x09y" -+ -+ok "info --show-metadata" -+ - ${FLATPAK} info --show-permissions org.test.Hello > info - --assert_file_empty info -+assert_file_has_content info "^A=x\\\\x09y" - - ok "info --show-permissions" - -diff --git a/tests/testcommon.c b/tests/testcommon.c -index 1d217c072a..daae5e4aac 100644 ---- a/tests/testcommon.c -+++ b/tests/testcommon.c -@@ -1557,6 +1557,44 @@ test_dconf_paths (void) - } - } - -+typedef struct { -+ const char *in; -+ FlatpakEscapeFlags flags; -+ const char *out; -+} EscapeData; -+ -+static EscapeData escapes[] = { -+ {"abc def", FLATPAK_ESCAPE_DEFAULT, "abc def"}, -+ {"やあ", FLATPAK_ESCAPE_DEFAULT, "やあ"}, -+ {"\033[;1m", FLATPAK_ESCAPE_DEFAULT, "'\\x1B[;1m'"}, -+ // non-printable U+061C -+ {"\u061C", FLATPAK_ESCAPE_DEFAULT, "'\\u061C'"}, -+ // non-printable U+1343F -+ {"\xF0\x93\x90\xBF", FLATPAK_ESCAPE_DEFAULT, "'\\U0001343F'"}, -+ // invalid utf-8 -+ {"\xD8\1", FLATPAK_ESCAPE_DEFAULT, "'\\xD8\\x01'"}, -+ {"\b \n abc ' \\", FLATPAK_ESCAPE_DEFAULT, "'\\x08 \\x0A abc \\' \\\\'"}, -+ {"\b \n abc ' \\", FLATPAK_ESCAPE_DO_NOT_QUOTE, "\\x08 \\x0A abc ' \\\\"}, -+ {"abc\tdef\n\033[;1m ghi\b", FLATPAK_ESCAPE_ALLOW_NEWLINES | FLATPAK_ESCAPE_DO_NOT_QUOTE, -+ "abc\\x09def\n\\x1B[;1m ghi\\x08"}, -+}; -+ -+/* CVE-2023-28101 */ -+static void -+test_string_escape (void) -+{ -+ gsize idx; -+ -+ for (idx = 0; idx < G_N_ELEMENTS (escapes); idx++) -+ { -+ EscapeData *data = &escapes[idx]; -+ g_autofree char *ret = NULL; -+ -+ ret = flatpak_escape_string (data->in, data->flags); -+ g_assert_cmpstr (ret, ==, data->out); -+ } -+} -+ - int - main (int argc, char *argv[]) - { -@@ -1585,6 +1623,7 @@ main (int argc, char *argv[]) - g_test_add_func ("/common/dconf-app-id", test_dconf_app_id); - g_test_add_func ("/common/dconf-paths", test_dconf_paths); - g_test_add_func ("/common/decompose-ref", test_decompose); -+ g_test_add_func ("/common/string-escape", test_string_escape); - - g_test_add_func ("/app/looks-like-branch", test_looks_like_branch); - g_test_add_func ("/app/columns", test_columns); diff --git a/CVE-2023-28101-2.patch b/CVE-2023-28101-2.patch deleted file mode 100644 index f4c66d4384136d4af99fbc71f1ac38efaff0cc41..0000000000000000000000000000000000000000 --- a/CVE-2023-28101-2.patch +++ /dev/null @@ -1,408 +0,0 @@ -From e88eedce76f79a5573df4fc38b344bbeaf7af024 Mon Sep 17 00:00:00 2001 -From: Ryan Gonzalez -Date: Sat, 4 Mar 2023 21:07:03 -0600 -Subject: [PATCH] Reject paths given to --filesystem/--persist with special - characters - -There isn't much in the way of legit reasons for this, but it's a -potential security footgun when displaying the text. - -CVE-2023-28101, GHSA-h43h-fwqx-mpp8 - -Signed-off-by: Ryan Gonzalez -Co-authored-by: Simon McVittie ---- - common/flatpak-context.c | 36 ++++++++++++--- - common/flatpak-utils-private.h | 3 ++ - common/flatpak-utils.c | 40 ++++++++++++++++ - tests/test-context.c | 84 ++++++++++++++++++++++++++++++++-- - tests/testcommon.c | 41 +++++++++++++++-- - 5 files changed, 190 insertions(+), 14 deletions(-) - -diff --git a/common/flatpak-context.c b/common/flatpak-context.c -index 9c506499a4..512a577f81 100644 ---- a/common/flatpak-context.c -+++ b/common/flatpak-context.c -@@ -487,11 +487,17 @@ flatpak_context_apply_generic_policy (FlatpakContext *context, - g_ptr_array_free (new, FALSE)); - } - --static void -+ -+static gboolean - flatpak_context_set_persistent (FlatpakContext *context, -- const char *path) -+ const char *path, -+ GError **error) - { -+ if (!flatpak_validate_path_characters (path, error)) -+ return FALSE; -+ - g_hash_table_insert (context->persistent, g_strdup (path), GINT_TO_POINTER (1)); -+ return TRUE; - } - - static gboolean -@@ -853,6 +859,9 @@ flatpak_context_parse_filesystem (const char *filesystem_and_mode, - g_autofree char *filesystem = NULL; - char *slash; - -+ if (!flatpak_validate_path_characters (filesystem_and_mode, error)) -+ return FALSE; -+ - filesystem = parse_filesystem_flags (filesystem_and_mode, negated, mode_out, error); - if (filesystem == NULL) - return FALSE; -@@ -1484,8 +1493,7 @@ option_persist_cb (const gchar *option_name, - { - FlatpakContext *context = data; - -- flatpak_context_set_persistent (context, value); -- return TRUE; -+ return flatpak_context_set_persistent (context, value, error); - } - - static gboolean option_no_desktop_deprecated; -@@ -1677,11 +1685,24 @@ flatpak_context_load_metadata (FlatpakContext *context, - { - const char *fs = parse_negated (filesystems[i], &remove); - g_autofree char *filesystem = NULL; -+ g_autoptr(GError) local_error = NULL; - FlatpakFilesystemMode mode; - - if (!flatpak_context_parse_filesystem (fs, remove, -- &filesystem, &mode, NULL)) -- g_debug ("Unknown filesystem type %s", filesystems[i]); -+ &filesystem, &mode, &local_error)) -+ { -+ if (g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_INVALID_DATA)) -+ { -+ /* Invalid characters, so just hard-fail. */ -+ g_propagate_error (error, g_steal_pointer (&local_error)); -+ return FALSE; -+ } -+ else -+ { -+ g_debug ("Unknown filesystem type %s", filesystems[i]); -+ g_clear_error (&local_error); -+ } -+ } - else - { - g_assert (mode == FLATPAK_FILESYSTEM_MODE_NONE || !remove); -@@ -1698,7 +1719,8 @@ flatpak_context_load_metadata (FlatpakContext *context, - return FALSE; - - for (i = 0; persistent[i] != NULL; i++) -- flatpak_context_set_persistent (context, persistent[i]); -+ if (!flatpak_context_set_persistent (context, persistent[i], error)) -+ return FALSE; - } - - if (g_key_file_has_group (metakey, FLATPAK_METADATA_GROUP_SESSION_BUS_POLICY)) -diff --git a/common/flatpak-utils-private.h b/common/flatpak-utils-private.h -index c1282641f9..195023c20f 100644 ---- a/common/flatpak-utils-private.h -+++ b/common/flatpak-utils-private.h -@@ -913,6 +913,9 @@ char * flatpak_escape_string (const char *s, - void flatpak_print_escaped_string (const char *s, - FlatpakEscapeFlags flags); - -+gboolean flatpak_validate_path_characters (const char *path, -+ GError **error); -+ - #define FLATPAK_MESSAGE_ID "c7b39b1e006b464599465e105b361485" - - #endif /* __FLATPAK_UTILS_H__ */ -diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c -index 0b91ae3f91..b562522e58 100644 ---- a/common/flatpak-utils.c -+++ b/common/flatpak-utils.c -@@ -8641,6 +8641,14 @@ append_hex_escaped_character (GString *result, - g_string_append_printf (result, "\\U%08X", c); - } - -+static char * -+escape_character (gunichar c) -+{ -+ g_autoptr(GString) res = g_string_new (""); -+ append_hex_escaped_character (res, c); -+ return g_string_free (g_steal_pointer (&res), FALSE); -+} -+ - char * - flatpak_escape_string (const char *s, - FlatpakEscapeFlags flags) -@@ -8691,3 +8699,35 @@ flatpak_print_escaped_string (const char *s, - g_autofree char *escaped = flatpak_escape_string (s, flags); - g_print ("%s", escaped); - } -+ -+gboolean -+flatpak_validate_path_characters (const char *path, -+ GError **error) -+{ -+ while (*path) -+ { -+ gunichar c = g_utf8_get_char_validated (path, -1); -+ if (c == (gunichar)-1 || c == (gunichar)-2) -+ { -+ /* Need to convert to unsigned first, to avoid negative chars becoming -+ huge gunichars. */ -+ g_autofree char *escaped_char = escape_character ((unsigned char)*path); -+ g_autofree char *escaped = flatpak_escape_string (path, FLATPAK_ESCAPE_DEFAULT); -+ g_set_error (error, G_IO_ERROR, G_IO_ERROR_INVALID_DATA, -+ "Non-UTF8 byte %s in path %s", escaped_char, escaped); -+ return FALSE; -+ } -+ else if (!is_char_safe (c)) -+ { -+ g_autofree char *escaped_char = escape_character (c); -+ g_autofree char *escaped = flatpak_escape_string (path, FLATPAK_ESCAPE_DEFAULT); -+ g_set_error (error, G_IO_ERROR, G_IO_ERROR_INVALID_DATA, -+ "Non-graphical character %s in path %s", escaped_char, escaped); -+ return FALSE; -+ } -+ -+ path = g_utf8_find_next_char (path, NULL); -+ } -+ -+ return TRUE; -+} -diff --git a/tests/test-context.c b/tests/test-context.c -index c128a83fae..6c15feb013 100644 ---- a/tests/test-context.c -+++ b/tests/test-context.c -@@ -34,13 +34,14 @@ str_has_prefix (gconstpointer candidate, - } - - static void context_parse_args (FlatpakContext *context, -+ GError **error, - ...) G_GNUC_NULL_TERMINATED; - - static void - context_parse_args (FlatpakContext *context, -+ GError **error, - ...) - { -- g_autoptr(GError) local_error = NULL; - g_autoptr(GOptionContext) oc = NULL; - g_autoptr(GOptionGroup) group = NULL; - g_autoptr(GPtrArray) args = g_ptr_array_new_with_free_func (g_free); -@@ -50,7 +51,7 @@ context_parse_args (FlatpakContext *context, - - g_ptr_array_add (args, g_strdup ("argv[0]")); - -- va_start (ap, context); -+ va_start (ap, error); - - while ((arg = va_arg (ap, const char *)) != NULL) - g_ptr_array_add (args, g_strdup (arg)); -@@ -63,8 +64,7 @@ context_parse_args (FlatpakContext *context, - oc = g_option_context_new (""); - group = flatpak_context_get_options (context); - g_option_context_add_group (oc, group); -- g_option_context_parse_strv (oc, &argv, &local_error); -- g_assert_no_error (local_error); -+ g_option_context_parse_strv (oc, &argv, error); - } - - static void -@@ -84,19 +84,26 @@ test_context_merge_fs (void) - g_autoptr(FlatpakContext) lowest = flatpak_context_new (); - g_autoptr(FlatpakContext) middle = flatpak_context_new (); - g_autoptr(FlatpakContext) highest = flatpak_context_new (); -+ g_autoptr(GError) local_error = NULL; - gpointer value; - - context_parse_args (lowest, -+ &local_error, - "--filesystem=/one", - NULL); -+ g_assert_no_error (local_error); - context_parse_args (middle, -+ &local_error, - "--nofilesystem=host:reset", - "--filesystem=/two", - NULL); -+ g_assert_no_error (local_error); - context_parse_args (highest, -+ &local_error, - "--nofilesystem=host", - "--filesystem=/three", - NULL); -+ g_assert_no_error (local_error); - - g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, NULL)); - g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, NULL)); -@@ -178,20 +185,28 @@ test_context_merge_fs (void) - gpointer value; - - context_parse_args (lowest, -+ &local_error, - "--filesystem=/one", - NULL); -+ g_assert_no_error (local_error); - context_parse_args (mid_low, -+ &local_error, - "--nofilesystem=host:reset", - "--filesystem=/two", - NULL); -+ g_assert_no_error (local_error); - context_parse_args (mid_high, -+ &local_error, - "--filesystem=host", - "--filesystem=/three", - NULL); -+ g_assert_no_error (local_error); - context_parse_args (highest, -+ &local_error, - "--nofilesystem=host", - "--filesystem=/four", - NULL); -+ g_assert_no_error (local_error); - - g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, NULL)); - g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, NULL)); -@@ -332,12 +347,73 @@ test_context_merge_fs (void) - } - } - -+const char *invalid_path_args[] = { -+ "--filesystem=/\033[J:ro", -+ "--filesystem=/\033[J", -+ "--persist=\033[J", -+}; -+ -+/* CVE-2023-28101 */ -+static void -+test_validate_path_args (void) -+{ -+ gsize idx; -+ -+ for (idx = 0; idx < G_N_ELEMENTS (invalid_path_args); idx++) -+ { -+ g_autoptr(FlatpakContext) context = flatpak_context_new (); -+ g_autoptr(GError) local_error = NULL; -+ const char *path = invalid_path_args[idx]; -+ -+ context_parse_args (context, &local_error, path, NULL); -+ g_assert_error (local_error, G_IO_ERROR, G_IO_ERROR_INVALID_DATA); -+ g_assert (strstr (local_error->message, "Non-graphical character")); -+ } -+} -+ -+typedef struct { -+ const char *key; -+ const char *value; -+} PathValidityData; -+ -+PathValidityData invalid_path_meta[] = { -+ {FLATPAK_METADATA_KEY_FILESYSTEMS, "\033[J"}, -+ {FLATPAK_METADATA_KEY_PERSISTENT, "\033[J"}, -+}; -+ -+/* CVE-2023-28101 */ -+static void -+test_validate_path_meta (void) -+{ -+ gsize idx; -+ -+ for (idx = 0; idx < G_N_ELEMENTS (invalid_path_meta); idx++) -+ { -+ g_autoptr(FlatpakContext) context = flatpak_context_new (); -+ g_autoptr(GKeyFile) metakey = g_key_file_new (); -+ g_autoptr(GError) local_error = NULL; -+ PathValidityData *data = &invalid_path_meta[idx]; -+ gboolean ret = FALSE; -+ -+ g_key_file_set_string_list (metakey, FLATPAK_METADATA_GROUP_CONTEXT, -+ data->key, &data->value, 1); -+ -+ ret = flatpak_context_load_metadata (context, metakey, &local_error); -+ g_assert_false (ret); -+ g_assert_error (local_error, G_IO_ERROR, G_IO_ERROR_INVALID_DATA); -+ g_assert (strstr (local_error->message, "Non-graphical character")); -+ } -+ -+} -+ - int - main (int argc, char *argv[]) - { - g_test_init (&argc, &argv, NULL); - - g_test_add_func ("/context/merge-fs", test_context_merge_fs); -+ g_test_add_func ("/context/validate-path-args", test_validate_path_args); -+ g_test_add_func ("/context/validate-path-meta", test_validate_path_meta); - - return g_test_run (); - } -diff --git a/tests/testcommon.c b/tests/testcommon.c -index daae5e4aac..0840632575 100644 ---- a/tests/testcommon.c -+++ b/tests/testcommon.c -@@ -1567,11 +1567,12 @@ static EscapeData escapes[] = { - {"abc def", FLATPAK_ESCAPE_DEFAULT, "abc def"}, - {"やあ", FLATPAK_ESCAPE_DEFAULT, "やあ"}, - {"\033[;1m", FLATPAK_ESCAPE_DEFAULT, "'\\x1B[;1m'"}, -- // non-printable U+061C -+ /* U+061C ARABIC LETTER MARK, non-printable */ - {"\u061C", FLATPAK_ESCAPE_DEFAULT, "'\\u061C'"}, -- // non-printable U+1343F -+ /* U+1343F EGYPTIAN HIEROGLYPH END WALLED ENCLOSURE, non-printable and -+ * outside BMP */ - {"\xF0\x93\x90\xBF", FLATPAK_ESCAPE_DEFAULT, "'\\U0001343F'"}, -- // invalid utf-8 -+ /* invalid utf-8 */ - {"\xD8\1", FLATPAK_ESCAPE_DEFAULT, "'\\xD8\\x01'"}, - {"\b \n abc ' \\", FLATPAK_ESCAPE_DEFAULT, "'\\x08 \\x0A abc \\' \\\\'"}, - {"\b \n abc ' \\", FLATPAK_ESCAPE_DO_NOT_QUOTE, "\\x08 \\x0A abc ' \\\\"}, -@@ -1595,6 +1596,39 @@ test_string_escape (void) - } - } - -+typedef struct { -+ const char *path; -+ gboolean ret; -+} PathValidityData; -+ -+static PathValidityData paths[] = { -+ {"/a/b/../c.def", TRUE}, -+ {"やあ", TRUE}, -+ /* U+061C ARABIC LETTER MARK, non-printable */ -+ {"\u061C", FALSE}, -+ /* U+1343F EGYPTIAN HIEROGLYPH END WALLED ENCLOSURE, non-printable and -+ * outside BMP */ -+ {"\xF0\x93\x90\xBF", FALSE}, -+ /* invalid utf-8 */ -+ {"\xD8\1", FALSE}, -+}; -+ -+/* CVE-2023-28101 */ -+static void -+test_validate_path_characters (void) -+{ -+ gsize idx; -+ -+ for (idx = 0; idx < G_N_ELEMENTS (paths); idx++) -+ { -+ PathValidityData *data = &paths[idx]; -+ gboolean ret = FALSE; -+ -+ ret = flatpak_validate_path_characters (data->path, NULL); -+ g_assert_cmpint (ret, ==, data->ret); -+ } -+} -+ - int - main (int argc, char *argv[]) - { -@@ -1624,6 +1658,7 @@ main (int argc, char *argv[]) - g_test_add_func ("/common/dconf-paths", test_dconf_paths); - g_test_add_func ("/common/decompose-ref", test_decompose); - g_test_add_func ("/common/string-escape", test_string_escape); -+ g_test_add_func ("/common/validate-path-characters", test_validate_path_characters); - - g_test_add_func ("/app/looks-like-branch", test_looks_like_branch); - g_test_add_func ("/app/columns", test_columns); diff --git a/backport-0001-CVE-2021-41133.patch b/backport-0001-CVE-2021-41133.patch deleted file mode 100644 index 9737a01a7114b92dfc7dcabaed3537b4c4a24626..0000000000000000000000000000000000000000 --- a/backport-0001-CVE-2021-41133.patch +++ /dev/null @@ -1,154 +0,0 @@ -From e26ac7586c392b5eb35ff4609fe232c52523b2cf Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 11:53:23 +0100 -Subject: [PATCH] run: Add an errno value to seccomp filters - -At the moment, if we block a syscall we always make it fail with EPERM, -but this is risky: user-space libraries can start to use new replacements -for old syscalls at any time, and will often treat EPERM as a fatal error. -For new syscalls, we should make the syscall fail with ENOSYS, which is -indistinguishable from running on an older kernel and will cause fallback -to an older implementation, for example clone3() to clone(). - -In future we should probably move from EPERM to ENOSYS for some of the -syscalls we already block, but for now keep the status quo. - -This is a prerequisite for fixing the vulnerability tracked as -GHSA-67h7-w3jq-vh4q. - -Signed-off-by: Simon McVittie - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf - ---- - common/flatpak-run.c | 62 +++++++++++++++++++++++++------------------- - 1 file changed, 36 insertions(+), 26 deletions(-) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index f48f402..3931820 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2784,61 +2784,63 @@ setup_seccomp (FlatpakBwrap *bwrap, - struct - { - int scall; -+ int errnum; - struct scmp_arg_cmp *arg; - } syscall_blocklist[] = { - /* Block dmesg */ -- {SCMP_SYS (syslog)}, -+ {SCMP_SYS (syslog), EPERM}, - /* Useless old syscall */ -- {SCMP_SYS (uselib)}, -+ {SCMP_SYS (uselib), EPERM}, - /* Don't allow disabling accounting */ -- {SCMP_SYS (acct)}, -+ {SCMP_SYS (acct), EPERM}, - /* 16-bit code is unnecessary in the sandbox, and modify_ldt is a - historic source of interesting information leaks. */ -- {SCMP_SYS (modify_ldt)}, -+ {SCMP_SYS (modify_ldt), EPERM}, - /* Don't allow reading current quota use */ -- {SCMP_SYS (quotactl)}, -+ {SCMP_SYS (quotactl), EPERM}, - - /* Don't allow access to the kernel keyring */ -- {SCMP_SYS (add_key)}, -- {SCMP_SYS (keyctl)}, -- {SCMP_SYS (request_key)}, -+ {SCMP_SYS (add_key), EPERM}, -+ {SCMP_SYS (keyctl), EPERM}, -+ {SCMP_SYS (request_key), EPERM}, - - /* Scary VM/NUMA ops */ -- {SCMP_SYS (move_pages)}, -- {SCMP_SYS (mbind)}, -- {SCMP_SYS (get_mempolicy)}, -- {SCMP_SYS (set_mempolicy)}, -- {SCMP_SYS (migrate_pages)}, -+ {SCMP_SYS (move_pages), EPERM}, -+ {SCMP_SYS (mbind), EPERM}, -+ {SCMP_SYS (get_mempolicy), EPERM}, -+ {SCMP_SYS (set_mempolicy), EPERM}, -+ {SCMP_SYS (migrate_pages), EPERM}, - - /* Don't allow subnamespace setups: */ -- {SCMP_SYS (unshare)}, -- {SCMP_SYS (mount)}, -- {SCMP_SYS (pivot_root)}, -+ {SCMP_SYS (unshare), EPERM}, -+ {SCMP_SYS (mount), EPERM}, -+ {SCMP_SYS (pivot_root), EPERM}, - #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__) - /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack - * and flags arguments are reversed so the flags come second */ -- {SCMP_SYS (clone), &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, -+ {SCMP_SYS (clone), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, - #else - /* Normally the flags come first */ -- {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, -+ {SCMP_SYS (clone), EPERM, &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, - #endif - - /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ -- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)}, -+ {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)}, - }; - - struct - { - int scall; -+ int errnum; - struct scmp_arg_cmp *arg; - } syscall_nondevel_blocklist[] = { - /* Profiling operations; we expect these to be done by tools from outside - * the sandbox. In particular perf has been the source of many CVEs. - */ -- {SCMP_SYS (perf_event_open)}, -+ {SCMP_SYS (perf_event_open), EPERM}, - /* Don't allow you to switch to bsd emulation or whatnot */ -- {SCMP_SYS (personality), &SCMP_A0 (SCMP_CMP_NE, allowed_personality)}, -- {SCMP_SYS (ptrace)} -+ {SCMP_SYS (personality), EPERM, &SCMP_A0 (SCMP_CMP_NE, allowed_personality)}, -+ {SCMP_SYS (ptrace), EPERM} - }; - /* Blocklist all but unix, inet, inet6 and netlink */ - struct -@@ -2922,10 +2924,14 @@ setup_seccomp (FlatpakBwrap *bwrap, - for (i = 0; i < G_N_ELEMENTS (syscall_blocklist); i++) - { - int scall = syscall_blocklist[i].scall; -+ int errnum = syscall_blocklist[i].errnum; -+ -+ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE); -+ - if (syscall_blocklist[i].arg) -- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_blocklist[i].arg); -+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg); - else -- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0); -+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); - if (r < 0 && r == -EFAULT /* unknown syscall */) - return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); - } -@@ -2935,10 +2941,14 @@ setup_seccomp (FlatpakBwrap *bwrap, - for (i = 0; i < G_N_ELEMENTS (syscall_nondevel_blocklist); i++) - { - int scall = syscall_nondevel_blocklist[i].scall; -+ int errnum = syscall_nondevel_blocklist[i].errnum; -+ -+ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE); -+ - if (syscall_nondevel_blocklist[i].arg) -- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_nondevel_blocklist[i].arg); -+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_nondevel_blocklist[i].arg); - else -- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0); -+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); - - if (r < 0 && r == -EFAULT /* unknown syscall */) - return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); --- -2.27.0 - diff --git a/backport-0001-CVE-2021-43860.patch b/backport-0001-CVE-2021-43860.patch deleted file mode 100644 index da1537b7818cd89c5a7ea14460db4fa29224e62f..0000000000000000000000000000000000000000 --- a/backport-0001-CVE-2021-43860.patch +++ /dev/null @@ -1,210 +0,0 @@ -From 54ec1a482dfc668127eaae57f135e6a8e0bc52da Mon Sep 17 00:00:00 2001 -From: Phaedrus Leeds -Date: Tue, 28 Dec 2021 11:48:16 -0800 -Subject: [PATCH] Add test for metadata validation - -This tests for invalid metadata, missing xa.metadata and mismatched -values in xa.metadata and the real metadata, including the embedded -null leading to the hidden permissions of CVE-2021-43860. - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/54ec1a482dfc668127eaae57f135e6a8e0bc52da - ---- - tests/Makefile-test-matrix.am.inc | 1 + - tests/Makefile.am.inc | 1 + - tests/test-metadata-validation.sh | 158 ++++++++++++++++++++++++++++++ - 3 files changed, 160 insertions(+) - create mode 100644 tests/test-metadata-validation.sh - -diff --git a/tests/Makefile-test-matrix.am.inc b/tests/Makefile-test-matrix.am.inc -index 30b402d..eef5a7e 100644 ---- a/tests/Makefile-test-matrix.am.inc -+++ b/tests/Makefile-test-matrix.am.inc -@@ -36,6 +36,7 @@ TEST_MATRIX_DIST= \ - tests/test-build-update-repo.sh \ - tests/test-http-utils.sh \ - tests/test-default-remotes.sh \ -+ tests/test-metadata-validation.sh \ - tests/test-extensions.sh \ - tests/test-oci.sh \ - tests/test-override.sh \ -diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc -index 2458445..53d6403 100644 ---- a/tests/Makefile.am.inc -+++ b/tests/Makefile.am.inc -@@ -216,6 +216,7 @@ TEST_MATRIX_SOURCE = \ - tests/test-repo.sh{{user+system+system-norevokefs}+{{user+system},oldsummary}} \ - tests/test-sideload.sh{user+system} \ - tests/test-default-remotes.sh \ -+ tests/test-metadata-validation.sh \ - tests/test-extensions.sh \ - tests/test-bundle.sh{user+system+system-norevokefs} \ - tests/test-oci.sh \ -diff --git a/tests/test-metadata-validation.sh b/tests/test-metadata-validation.sh -new file mode 100644 -index 0000000..7e3efcc ---- /dev/null -+++ b/tests/test-metadata-validation.sh -@@ -0,0 +1,158 @@ -+#!/bin/bash -+# -+# Copyright (C) 2021 Matthew Leeds -+# -+# SPDX-License-Identifier: LGPL-2.0-or-later -+ -+set -euo pipefail -+ -+. $(dirname $0)/libtest.sh -+ -+echo "1..7" -+ -+setup_repo -+ -+COUNTER=1 -+ -+create_app () { -+ local OPTIONS="$1" -+ local DIR=`mktemp -d` -+ -+ mkdir ${DIR}/files -+ echo $COUNTER > ${DIR}/files/counter -+ let COUNTER=COUNTER+1 -+ -+ local INVALID="" -+ if [[ $OPTIONS =~ "invalid" ]]; then -+ INVALID=invalidkeyfileline -+ fi -+ cat > ${DIR}/metadata <> ${DIR}/metadata -+ fi -+ if [[ $OPTIONS =~ "hidden" ]]; then -+ echo -ne "\0" >> ${DIR}/metadata -+ echo -e "\nfilesystems=home;" >> ${DIR}/metadata -+ fi -+ local XA_METADATA=--add-metadata-string=xa.metadata="$(head -n6 ${DIR}/metadata)"$'\n' -+ if [[ $OPTIONS =~ "no-xametadata" ]]; then -+ XA_METADATA="--add-metadata-string=xa.nometadata=1" -+ fi -+ ostree commit --repo=repos/test --branch=app/org.test.Malicious/${ARCH}/master ${FL_GPGARGS} "$XA_METADATA" ${DIR}/ -+ if [[ $OPTIONS =~ "no-cache-in-summary" ]]; then -+ ostree --repo=repos/test ${FL_GPGARGS} summary -u -+ # force use of legacy summary format -+ rm -rf repos/test/summary.idx repos/test/summaries -+ else -+ update_repo -+ fi -+ rm -rf ${DIR} -+} -+ -+cleanup_repo () { -+ ostree refs --repo=repos/test --delete app/org.test.Malicious/${ARCH}/master -+ update_repo -+} -+ -+create_app "hidden" -+ -+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then -+ assert_not_reached "Should not be able to install app with hidden permissions" -+fi -+ -+assert_file_has_content install-error-log "not matching expected metadata" -+ -+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active -+ -+cleanup_repo -+ -+ok "app with hidden permissions can't be installed (CVE-2021-43860)" -+ -+create_app no-xametadata -+ -+# The install will fail because the metadata in the summary doesn't match the metadata on the commit -+# The missing xa.metadata in the commit got turned into "" in the xa.cache -+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then -+ assert_not_reached "Should not be able to install app with missing xa.metadata" -+fi -+ -+assert_file_has_content install-error-log "not matching expected metadata" -+ -+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active -+ -+cleanup_repo -+ -+ok "app with no xa.metadata can't be installed" -+ -+create_app "no-xametadata no-cache-in-summary" -+ -+# The install will fail because there's no metadata in the summary or on the commit -+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then -+ assert_not_reached "Should not be able to install app with missing metadata" -+fi -+assert_file_has_content install-error-log "No xa.metadata in local commit" -+ -+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active -+ -+cleanup_repo -+ -+ok "app with no xa.metadata and no metadata in summary can't be installed" -+ -+create_app "invalid" -+ -+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then -+ assert_not_reached "Should not be able to install app with invalid metadata" -+fi -+assert_file_has_content install-error-log "Metadata for .* is invalid" -+ -+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active -+ -+cleanup_repo -+ -+ok "app with invalid metadata (in summary) can't be installed" -+ -+create_app "invalid no-cache-in-summary" -+ -+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then -+ assert_not_reached "Should not be able to install app with invalid metadata" -+fi -+assert_file_has_content install-error-log "Metadata for .* is invalid" -+ -+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active -+ -+cleanup_repo -+ -+ok "app with invalid metadata (in commit) can't be installed" -+ -+create_app "mismatch no-cache-in-summary" -+ -+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then -+ assert_not_reached "Should not be able to install app with non-matching metadata" -+fi -+assert_file_has_content install-error-log "Commit metadata for .* not matching expected metadata" -+ -+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active -+ -+cleanup_repo -+ -+ok "app with mismatched metadata (in commit) can't be installed" -+ -+create_app "mismatch" -+ -+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then -+ assert_not_reached "Should not be able to install app with non-matching metadata" -+fi -+assert_file_has_content install-error-log "Commit metadata for .* not matching expected metadata" -+ -+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active -+ -+cleanup_repo -+ -+ok "app with mismatched metadata (in summary) can't be installed" --- -2.27.0 - diff --git a/backport-0002-CVE-2021-41133.patch b/backport-0002-CVE-2021-41133.patch deleted file mode 100644 index 29b024088a3676bef522f1ce620d98f2a53200b6..0000000000000000000000000000000000000000 --- a/backport-0002-CVE-2021-41133.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 89ae9fe74c6d445bb1b3a40e568d77cf5de47e48 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 12:44:04 +0100 -Subject: [PATCH] run: Add cross-references for some other seccomp syscall - filters - -Signed-off-by: Simon McVittie - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48 - ---- - common/flatpak-run.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 3931820..38ba16f 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2779,6 +2779,10 @@ setup_seccomp (FlatpakBwrap *bwrap, - * https://git.gnome.org/browse/linux-user-chroot - * in src/setup-seccomp.c - * -+ * Other useful resources: -+ * https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c -+ * https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json -+ * - **** END NOTE ON CODE SHARING - */ - struct --- -2.27.0 - diff --git a/backport-0002-CVE-2021-43860.patch b/backport-0002-CVE-2021-43860.patch deleted file mode 100644 index b90c9d5c4a9ff07629b4fe17f102f3622c3c52f4..0000000000000000000000000000000000000000 --- a/backport-0002-CVE-2021-43860.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 65cbfac982cb1c83993a9e19aa424daee8e9f042 Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Wed, 12 Jan 2022 11:00:56 +0100 -Subject: [PATCH] Ensure that bundles have metadata on install - -If we have a bundle without metadata we wouldn't properly present -the permissions in the transaction. - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/65cbfac982cb1c83993a9e19aa424daee8e9f042 - ---- - common/flatpak-dir.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 94a86f4..ddc5ee9 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -9295,6 +9295,13 @@ flatpak_dir_ensure_bundle_remote (FlatpakDir *self, - if (metadata == NULL) - return NULL; - -+ /* If we rely on metadata (to e.g. print permissions), check it exists before creating the remote */ -+ if (out_metadata && fp_metadata == NULL) -+ { -+ flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA, "No metadata in bundler header"); -+ return NULL; -+ } -+ - gpg_data = extra_gpg_data ? extra_gpg_data : included_gpg_data; - - deploy_data = flatpak_dir_get_deploy_data (self, ref, FLATPAK_DEPLOY_VERSION_ANY, cancellable, NULL); --- -2.27.0 - diff --git a/backport-0003-CVE-2021-41133.patch b/backport-0003-CVE-2021-41133.patch deleted file mode 100644 index 36a335d039dfbef9e93d8ba8f909ac8e97ca84be..0000000000000000000000000000000000000000 --- a/backport-0003-CVE-2021-41133.patch +++ /dev/null @@ -1,252 +0,0 @@ -From 26b12484eb8a6219b9e7aa287b298a894b2f34ca Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 14:17:04 +0100 -Subject: [PATCH] common: Add a list of recently-added Linux syscalls - -Historically, syscalls could take arbitrarily-different values on -different architectures, but new syscalls are added with syscall numbers -that align on each architecture. - -Signed-off-by: Simon McVittie - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca - ---- - common/Makefile.am.inc | 1 + - common/flatpak-run.c | 2 + - common/flatpak-syscalls-private.h | 197 ++++++++++++++++++++++++++++++ - 3 files changed, 200 insertions(+) - create mode 100644 common/flatpak-syscalls-private.h - -diff --git a/common/Makefile.am.inc b/common/Makefile.am.inc -index b681294..919b015 100644 ---- a/common/Makefile.am.inc -+++ b/common/Makefile.am.inc -@@ -160,6 +160,7 @@ libflatpak_common_la_SOURCES = \ - common/flatpak-remote.c \ - common/flatpak-run-private.h \ - common/flatpak-run.c \ -+ common/flatpak-syscalls-private.h \ - common/flatpak-transaction-private.h \ - common/flatpak-transaction.c \ - common/flatpak-transaction.h \ -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 38ba16f..5cf6d2e 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -41,6 +41,8 @@ - #include - #endif - -+#include "flatpak-syscalls-private.h" -+ - #ifdef ENABLE_SECCOMP - #include - #endif -diff --git a/common/flatpak-syscalls-private.h b/common/flatpak-syscalls-private.h -new file mode 100644 -index 0000000..04eb38c ---- /dev/null -+++ b/common/flatpak-syscalls-private.h -@@ -0,0 +1,197 @@ -+/* -+ * Copyright 2021 Collabora Ltd. -+ * SPDX-License-Identifier: LGPL-2.1-or-later -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library. If not, see . -+ */ -+ -+#pragma once -+ -+#include -+ -+#if defined(_MIPS_SIM) -+# if _MIPS_SIM == _MIPS_SIM_ABI32 -+# define FLATPAK_MISSING_SYSCALL_BASE 4000 -+# elif _MIPS_SIM == _MIPS_SIM_ABI64 -+# define FLATPAK_MISSING_SYSCALL_BASE 5000 -+# elif _MIPS_SIM == _MIPS_SIM_NABI32 -+# define FLATPAK_MISSING_SYSCALL_BASE 6000 -+# else -+# error "Unknown MIPS ABI" -+# endif -+#endif -+ -+#if defined(__ia64__) -+# define FLATPAK_MISSING_SYSCALL_BASE 1024 -+#endif -+ -+#if defined(__alpha__) -+# define FLATPAK_MISSING_SYSCALL_BASE 110 -+#endif -+ -+#if defined(__x86_64__) && defined(__ILP32__) -+# define FLATPAK_MISSING_SYSCALL_BASE 0x40000000 -+#endif -+ -+/* -+ * FLATPAK_MISSING_SYSCALL_BASE: -+ * -+ * Number to add to the syscall numbers of recently-added syscalls -+ * to get the appropriate syscall for the current ABI. -+ */ -+#ifndef FLATPAK_MISSING_SYSCALL_BASE -+# define FLATPAK_MISSING_SYSCALL_BASE 0 -+#endif -+ -+#ifndef __NR_open_tree -+# define __NR_open_tree (FLATPAK_MISSING_SYSCALL_BASE + 428) -+#endif -+#ifndef __SNR_open_tree -+# define __SNR_open_tree __NR_open_tree -+#endif -+ -+#ifndef __NR_move_mount -+# define __NR_move_mount (FLATPAK_MISSING_SYSCALL_BASE + 429) -+#endif -+#ifndef __SNR_move_mount -+# define __SNR_move_mount __NR_move_mount -+#endif -+ -+#ifndef __NR_fsopen -+# define __NR_fsopen (FLATPAK_MISSING_SYSCALL_BASE + 430) -+#endif -+#ifndef __SNR_fsopen -+# define __SNR_fsopen __NR_fsopen -+#endif -+ -+#ifndef __NR_fsconfig -+# define __NR_fsconfig (FLATPAK_MISSING_SYSCALL_BASE + 431) -+#endif -+#ifndef __SNR_fsconfig -+# define __SNR_fsconfig __NR_fsconfig -+#endif -+ -+#ifndef __NR_fsmount -+# define __NR_fsmount (FLATPAK_MISSING_SYSCALL_BASE + 432) -+#endif -+#ifndef __SNR_fsmount -+# define __SNR_fsmount __NR_fsmount -+#endif -+ -+#ifndef __NR_fspick -+# define __NR_fspick (FLATPAK_MISSING_SYSCALL_BASE + 433) -+#endif -+#ifndef __SNR_fspick -+# define __SNR_fspick __NR_fspick -+#endif -+ -+#ifndef __NR_pidfd_open -+# define __NR_pidfd_open (FLATPAK_MISSING_SYSCALL_BASE + 434) -+#endif -+#ifndef __SNR_pidfd_open -+# define __SNR_pidfd_open __NR_pidfd_open -+#endif -+ -+#ifndef __NR_clone3 -+# define __NR_clone3 (FLATPAK_MISSING_SYSCALL_BASE + 435) -+#endif -+#ifndef __SNR_clone3 -+# define __SNR_clone3 __NR_clone3 -+#endif -+ -+#ifndef __NR_close_range -+# define __NR_close_range (FLATPAK_MISSING_SYSCALL_BASE + 436) -+#endif -+#ifndef __SNR_close_range -+# define __SNR_close_range __NR_close_range -+#endif -+ -+#ifndef __NR_openat2 -+# define __NR_openat2 (FLATPAK_MISSING_SYSCALL_BASE + 437) -+#endif -+#ifndef __SNR_openat2 -+# define __SNR_openat2 __NR_openat2 -+#endif -+ -+#ifndef __NR_pidfd_getfd -+# define __NR_pidfd_getfd (FLATPAK_MISSING_SYSCALL_BASE + 438) -+#endif -+#ifndef __SNR_pidfd_getfd -+# define __SNR_pidfd_getfd __NR_pidfd_getfd -+#endif -+ -+#ifndef __NR_faccessat2 -+# define __NR_faccessat2 (FLATPAK_MISSING_SYSCALL_BASE + 439) -+#endif -+#ifndef __SNR_faccessat2 -+# define __SNR_faccessat2 __NR_faccessat2 -+#endif -+ -+#ifndef __NR_process_madvise -+# define __NR_process_madvise (FLATPAK_MISSING_SYSCALL_BASE + 440) -+#endif -+#ifndef __SNR_process_madvise -+# define __SNR_process_madvise __NR_process_madvise -+#endif -+ -+#ifndef __NR_epoll_pwait2 -+# define __NR_epoll_pwait2 (FLATPAK_MISSING_SYSCALL_BASE + 441) -+#endif -+#ifndef __SNR_epoll_pwait2 -+# define __SNR_epoll_pwait2 __NR_epoll_pwait2 -+#endif -+ -+#ifndef __NR_mount_setattr -+# define __NR_mount_setattr (FLATPAK_MISSING_SYSCALL_BASE + 442) -+#endif -+#ifndef __SNR_mount_setattr -+# define __SNR_mount_setattr __NR_mount_setattr -+#endif -+ -+#ifndef __NR_quotactl_fd -+# define __NR_quotactl_fd (FLATPAK_MISSING_SYSCALL_BASE + 443) -+#endif -+#ifndef __SNR_quotactl_fd -+# define __SNR_quotactl_fd __NR_quotactl_fd -+#endif -+ -+#ifndef __NR_landlock_create_ruleset -+# define __NR_landlock_create_ruleset (FLATPAK_MISSING_SYSCALL_BASE + 444) -+#endif -+#ifndef __SNR_landlock_create_ruleset -+# define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset -+#endif -+ -+#ifndef __NR_landlock_add_rule -+# define __NR_landlock_add_rule (FLATPAK_MISSING_SYSCALL_BASE + 445) -+#endif -+#ifndef __SNR_landlock_add_rule -+# define __SNR_landlock_add_rule __NR_landlock_add_rule -+#endif -+ -+#ifndef __NR_landlock_restrict_self -+# define __NR_landlock_restrict_self (FLATPAK_MISSING_SYSCALL_BASE + 446) -+#endif -+#ifndef __SNR_landlock_restrict_self -+# define __SNR_landlock_restrict_self __NR_landlock_restrict_self -+#endif -+ -+#ifndef __NR_memfd_secret -+# define __NR_memfd_secret (FLATPAK_MISSING_SYSCALL_BASE + 447) -+#endif -+#ifndef __SNR_memfd_secret -+# define __SNR_memfd_secret __NR_memfd_secret -+#endif -+ -+/* Last updated: Linux 5.14, syscall numbers < 448 */ --- -2.27.0 - diff --git a/backport-0003-CVE-2021-43860.patch b/backport-0003-CVE-2021-43860.patch deleted file mode 100644 index f6ee0a6560bc85f81659924c9905d1721d8e1430..0000000000000000000000000000000000000000 --- a/backport-0003-CVE-2021-43860.patch +++ /dev/null @@ -1,210 +0,0 @@ -From ba818f504c926baaf6e362be8159cfacf994310e Mon Sep 17 00:00:00 2001 -From: Ryan Gonzalez -Date: Thu, 23 Dec 2021 18:30:17 -0600 -Subject: [PATCH] Fix metadata file contents after null terminators being - ignored - -In particular, if a null terminator is placed inside the metadata file, -Flatpak will only compare the text *before* it to the value of -xa.metadata, but the full file will be parsed when permissions are set -at runtime. This means that any app can include a null terminator in its -permissions metadata, and Flatpak will only show the user the -permissions *preceding* the terminator during install, but the -permissions *after* the terminator are applied at runtime. - -Fixes GHSA-qpjc-vq3c-572j / CVE-2021-43860 - -Signed-off-by: Ryan Gonzalez - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e - ---- - common/flatpak-dir.c | 36 +++++++++++++++++++++++++++--------- - common/flatpak-transaction.c | 8 ++++---- - common/flatpak-utils.c | 9 +++++---- - 3 files changed, 36 insertions(+), 17 deletions(-) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index ddc5ee9..e6c8046 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -1762,19 +1762,29 @@ static gboolean - validate_commit_metadata (GVariant *commit_data, - const char *ref, - const char *required_metadata, -+ gsize required_metadata_size, - gboolean require_xa_metadata, - GError **error) - { - g_autoptr(GVariant) commit_metadata = NULL; -+ g_autoptr(GVariant) xa_metadata_v = NULL; - const char *xa_metadata = NULL; -+ gsize xa_metadata_size = 0; - - commit_metadata = g_variant_get_child_value (commit_data, 0); - - if (commit_metadata != NULL) -- g_variant_lookup (commit_metadata, "xa.metadata", "&s", &xa_metadata); -+ { -+ xa_metadata_v = g_variant_lookup_value (commit_metadata, -+ "xa.metadata", -+ G_VARIANT_TYPE_STRING); -+ if (xa_metadata_v) -+ xa_metadata = g_variant_get_string (xa_metadata_v, &xa_metadata_size); -+ } - - if ((xa_metadata == NULL && require_xa_metadata) || -- (xa_metadata != NULL && g_strcmp0 (required_metadata, xa_metadata) != 0)) -+ (xa_metadata != NULL && (xa_metadata_size != required_metadata_size || -+ memcmp (xa_metadata, required_metadata, xa_metadata_size) != 0))) - { - g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED, - _("Commit metadata for %s not matching expected metadata"), ref); -@@ -3478,6 +3488,7 @@ upgrade_deploy_data (GBytes *deploy_data, - g_autoptr(GKeyFile) keyfile = NULL; - g_autoptr(GFile) metadata_file = NULL; - g_autofree char *metadata_contents = NULL; -+ gsize metadata_size = 0; - g_autofree char *id = flatpak_decomposed_dup_id (ref); - - /* Add fields from commit metadata to deploy */ -@@ -3491,9 +3502,9 @@ upgrade_deploy_data (GBytes *deploy_data, - keyfile = g_key_file_new (); - metadata_file = g_file_resolve_relative_path (deploy_dir, "metadata"); - if (!g_file_load_contents (metadata_file, cancellable, -- &metadata_contents, NULL, NULL, error)) -+ &metadata_contents, &metadata_size, NULL, error)) - return NULL; -- if (!g_key_file_load_from_data (keyfile, metadata_contents, -1, 0, error)) -+ if (!g_key_file_load_from_data (keyfile, metadata_contents, metadata_size, 0, error)) - return NULL; - add_metadata_to_deploy_data (&metadata_dict, keyfile); - -@@ -5799,8 +5810,13 @@ flatpak_dir_pull (FlatpakDir *self, - { - g_autoptr(GVariant) commit_data = NULL; - if (!ostree_repo_load_commit (repo, rev, &commit_data, NULL, error) || -- !validate_commit_metadata (commit_data, ref, (const char *)g_bytes_get_data (require_metadata, NULL), TRUE, error)) -- return FALSE; -+ !validate_commit_metadata (commit_data, -+ ref, -+ (const char *)g_bytes_get_data (require_metadata, NULL), -+ g_bytes_get_size (require_metadata), -+ TRUE, -+ error)) -+ goto out; - } - - if (!flatpak_dir_pull_extra_data (self, repo, -@@ -8111,6 +8127,7 @@ flatpak_dir_deploy (FlatpakDir *self, - g_auto(GLnxLockFile) lock = { 0, }; - g_autoptr(GFile) metadata_file = NULL; - g_autofree char *metadata_contents = NULL; -+ gsize metadata_size = 0; - gboolean is_oci; - - if (!flatpak_dir_ensure_repo (self, cancellable, error)) -@@ -8320,11 +8337,12 @@ flatpak_dir_deploy (FlatpakDir *self, - keyfile = g_key_file_new (); - metadata_file = g_file_resolve_relative_path (checkoutdir, "metadata"); - if (g_file_load_contents (metadata_file, NULL, -- &metadata_contents, NULL, NULL, NULL)) -+ &metadata_contents, -+ &metadata_size, NULL, NULL)) - { - if (!g_key_file_load_from_data (keyfile, - metadata_contents, -- -1, -+ metadata_size, - 0, error)) - return FALSE; - -@@ -8340,7 +8358,7 @@ flatpak_dir_deploy (FlatpakDir *self, - */ - is_oci = flatpak_dir_get_remote_oci (self, origin); - if (!validate_commit_metadata (commit_data, flatpak_decomposed_get_ref (ref), -- metadata_contents, !is_oci, error)) -+ metadata_contents, metadata_size, !is_oci, error)) - return FALSE; - - dotref = g_file_resolve_relative_path (checkoutdir, "files/.ref"); -diff --git a/common/flatpak-transaction.c b/common/flatpak-transaction.c -index 1927498..721da14 100644 ---- a/common/flatpak-transaction.c -+++ b/common/flatpak-transaction.c -@@ -2520,7 +2520,7 @@ flatpak_transaction_add_ref (FlatpakTransaction *self, - return FALSE; - - if (external_metadata) -- op->external_metadata = g_bytes_new (external_metadata, strlen (external_metadata) + 1); -+ op->external_metadata = g_bytes_new (external_metadata, strlen (external_metadata)); - - return TRUE; - } -@@ -2937,7 +2937,7 @@ load_deployed_metadata (FlatpakTransaction *self, FlatpakDecomposed *ref, char * - return NULL; - } - -- return g_bytes_new_take (g_steal_pointer (&metadata_contents), metadata_contents_length + 1); -+ return g_bytes_new_take (g_steal_pointer (&metadata_contents), metadata_contents_length); - } - - static void -@@ -3034,7 +3034,7 @@ resolve_op_from_commit (FlatpakTransaction *self, - if (xa_metadata == NULL) - g_message ("Warning: No xa.metadata in local commit %s ref %s", checksum, flatpak_decomposed_get_ref (op->ref)); - else -- metadata_bytes = g_bytes_new (xa_metadata, strlen (xa_metadata) + 1); -+ metadata_bytes = g_bytes_new (xa_metadata, strlen (xa_metadata)); - - if (g_variant_lookup (commit_metadata, "xa.download-size", "t", &download_size)) - op->download_size = GUINT64_FROM_BE (download_size); -@@ -3074,7 +3074,7 @@ try_resolve_op_from_metadata (FlatpakTransaction *self, - &download_size, &installed_size, &metadata, NULL)) - return FALSE; - -- metadata_bytes = g_bytes_new (metadata, strlen (metadata) + 1); -+ metadata_bytes = g_bytes_new (metadata, strlen (metadata)); - - if (flatpak_remote_state_lookup_ref (state, flatpak_decomposed_get_ref (op->ref), - NULL, NULL, &info, NULL, NULL)) -diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c -index 6901a62..9eedbfa 100644 ---- a/common/flatpak-utils.c -+++ b/common/flatpak-utils.c -@@ -6604,6 +6604,7 @@ flatpak_pull_from_bundle (OstreeRepo *repo, - GCancellable *cancellable, - GError **error) - { -+ gsize metadata_size = 0; - g_autofree char *metadata_contents = NULL; - g_autofree char *to_checksum = NULL; - g_autoptr(GFile) root = NULL; -@@ -6620,6 +6621,8 @@ flatpak_pull_from_bundle (OstreeRepo *repo, - if (metadata == NULL) - return FALSE; - -+ metadata_size = strlen (metadata_contents); -+ - if (!ostree_repo_get_remote_option (repo, remote, "collection-id", NULL, - &remote_collection_id, NULL)) - remote_collection_id = NULL; -@@ -6689,12 +6692,10 @@ flatpak_pull_from_bundle (OstreeRepo *repo, - cancellable, error) < 0) - return FALSE; - -- /* Null terminate */ -- g_output_stream_write (G_OUTPUT_STREAM (data_stream), "\0", 1, NULL, NULL); -- - metadata_valid = - metadata_contents != NULL && -- strcmp (metadata_contents, g_memory_output_stream_get_data (data_stream)) == 0; -+ metadata_size == g_memory_output_stream_get_data_size (data_stream) && -+ memcmp (metadata_contents, g_memory_output_stream_get_data (data_stream), metadata_size) == 0; - } - else - { --- -2.27.0 - diff --git a/backport-0004-CVE-2021-41133.patch b/backport-0004-CVE-2021-41133.patch deleted file mode 100644 index 9f618796a7fee562a6b3d537319e848cbc225b6d..0000000000000000000000000000000000000000 --- a/backport-0004-CVE-2021-41133.patch +++ /dev/null @@ -1,43 +0,0 @@ -From a10f52a7565c549612c92b8e736a6698a53db330 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 11:59:00 +0100 -Subject: [PATCH] run: Block clone3() in sandbox - -clone3() can be used to implement clone() with CLONE_NEWUSER, allowing -a sandboxed process to get CAP_SYS_ADMIN in a new namespace and -manipulate its root directory. We need to block this so that AF_UNIX-based -socket servers (X11, Wayland, etc.) can rely on -/proc/PID/root/.flatpak-info existing for all Flatpak-sandboxed apps. - -Partially fixes GHSA-67h7-w3jq-vh4q. - -Thanks: an anonymous reporter -Signed-off-by: Simon McVittie - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330 - ---- - common/flatpak-run.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 5cf6d2e..dad0cfe 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2832,6 +2832,12 @@ setup_seccomp (FlatpakBwrap *bwrap, - - /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ - {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)}, -+ -+ /* seccomp can't look into clone3()'s struct clone_args to check whether -+ * the flags are OK, so we have no choice but to block clone3(). -+ * Return ENOSYS so user-space will fall back to clone(). -+ * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */ -+ {SCMP_SYS (clone3), ENOSYS}, - }; - - struct --- -2.27.0 - diff --git a/backport-0004-CVE-2021-43860.patch b/backport-0004-CVE-2021-43860.patch deleted file mode 100644 index 67aab694c86d072341ce34bab70ba3e6c267bd3b..0000000000000000000000000000000000000000 --- a/backport-0004-CVE-2021-43860.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 93357d357119093804df05acc32ff335839c6451 Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Tue, 11 Jan 2022 10:27:46 +0100 -Subject: [PATCH] Require metadata in commit also for OCI remotes - -This was disables a long time ago because the fedora remotes didn't -contain metadata, but that has been added since then. Requiring fixes -a security concern where an app claims to require no permissions (by -having no metadata in commit) but then actually requires permissions -in the installed app. - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/93357d357119093804df05acc32ff335839c6451 - ---- - common/flatpak-dir.c | 14 ++++---------- - 1 file changed, 4 insertions(+), 10 deletions(-) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index e6c8046..e6a83cf 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -1763,7 +1763,6 @@ validate_commit_metadata (GVariant *commit_data, - const char *ref, - const char *required_metadata, - gsize required_metadata_size, -- gboolean require_xa_metadata, - GError **error) - { - g_autoptr(GVariant) commit_metadata = NULL; -@@ -1782,9 +1781,9 @@ validate_commit_metadata (GVariant *commit_data, - xa_metadata = g_variant_get_string (xa_metadata_v, &xa_metadata_size); - } - -- if ((xa_metadata == NULL && require_xa_metadata) || -- (xa_metadata != NULL && (xa_metadata_size != required_metadata_size || -- memcmp (xa_metadata, required_metadata, xa_metadata_size) != 0))) -+ if (xa_metadata == NULL || -+ xa_metadata_size != required_metadata_size || -+ memcmp (xa_metadata, required_metadata, xa_metadata_size) != 0) - { - g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED, - _("Commit metadata for %s not matching expected metadata"), ref); -@@ -5814,7 +5813,6 @@ flatpak_dir_pull (FlatpakDir *self, - ref, - (const char *)g_bytes_get_data (require_metadata, NULL), - g_bytes_get_size (require_metadata), -- TRUE, - error)) - goto out; - } -@@ -8128,7 +8126,6 @@ flatpak_dir_deploy (FlatpakDir *self, - g_autoptr(GFile) metadata_file = NULL; - g_autofree char *metadata_contents = NULL; - gsize metadata_size = 0; -- gboolean is_oci; - - if (!flatpak_dir_ensure_repo (self, cancellable, error)) - return FALSE; -@@ -8353,12 +8350,9 @@ flatpak_dir_deploy (FlatpakDir *self, - /* Check the metadata in the commit to make sure it matches the actual - * deployed metadata, in case we relied on the one in the commit for - * a decision -- * Note: For historical reason we don't enforce commits to contain xa.metadata -- * since this was lacking in fedora builds. - */ -- is_oci = flatpak_dir_get_remote_oci (self, origin); - if (!validate_commit_metadata (commit_data, flatpak_decomposed_get_ref (ref), -- metadata_contents, metadata_size, !is_oci, error)) -+ metadata_contents, metadata_size, error)) - return FALSE; - - dotref = g_file_resolve_relative_path (checkoutdir, "files/.ref"); --- -2.27.0 - diff --git a/backport-0005-CVE-2021-41133.patch b/backport-0005-CVE-2021-41133.patch deleted file mode 100644 index 7515f08a2b62ffa55e14c5e2f8d3c68985321123..0000000000000000000000000000000000000000 --- a/backport-0005-CVE-2021-41133.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 9766ee05b1425db397d2cf23afd24c7f6146a69f Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 12:45:54 +0100 -Subject: [PATCH] run: Disallow recently-added mount-manipulation syscalls - -If we don't allow mount() then we shouldn't allow these either. - -Partially fixes GHSA-67h7-w3jq-vh4q. - -Thanks: an anonymous reporter -Signed-off-by: Simon McVittie - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f - ---- - common/flatpak-run.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index dad0cfe..2781694 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2838,6 +2838,18 @@ setup_seccomp (FlatpakBwrap *bwrap, - * Return ENOSYS so user-space will fall back to clone(). - * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */ - {SCMP_SYS (clone3), ENOSYS}, -+ -+ /* New mount manipulation APIs can also change our VFS. There's no -+ * legitimate reason to do these in the sandbox, so block all of them -+ * rather than thinking about which ones might be dangerous. -+ * (GHSA-67h7-w3jq-vh4q) */ -+ {SCMP_SYS (open_tree), ENOSYS}, -+ {SCMP_SYS (move_mount), ENOSYS}, -+ {SCMP_SYS (fsopen), ENOSYS}, -+ {SCMP_SYS (fsconfig), ENOSYS}, -+ {SCMP_SYS (fsmount), ENOSYS}, -+ {SCMP_SYS (fspick), ENOSYS}, -+ {SCMP_SYS (mount_setattr), ENOSYS}, - }; - - struct --- -2.27.0 - diff --git a/backport-0005-CVE-2021-43860.patch b/backport-0005-CVE-2021-43860.patch deleted file mode 100644 index 9212b914b021e18225fee37635941d83a5aacf73..0000000000000000000000000000000000000000 --- a/backport-0005-CVE-2021-43860.patch +++ /dev/null @@ -1,239 +0,0 @@ -From d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Mon, 10 Jan 2022 16:43:08 +0100 -Subject: [PATCH] Transaction: Fail the resolve if xa.metadata invalid or - missing - -If we fail to parse xa.metadata from the summary cache or the commit -xa.metadata we fail the resolve. - -If xa.metadata is missing in the commit we fail the resolve (it is -always set in the summary cache, because summary update converts -missing xa.metadata to "", so we either get that, or cache miss which -leads to resolving from the commit. - -This means that op->resolved_metadata is always set during install and -updates, which means we will show the app permissions. The transaction -will also always make sure that this data actually matches what gets -deployed. - -Before this change an invalid metadata in the summary cache could lead -to a NULL resolved_metadata, which means we wouldn't print the app -permissions, yet we would still deploy some metadata file that could -have permissions. (NOTE: It would fail to deploy unless the -xa.metadata in the commit matched the metadata file, but in this -corner case we would't compare the summary and commit metadata, so -they may differ.) - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee - ---- - common/flatpak-transaction.c | 84 +++++++++++++++++++++++------------- - 1 file changed, 55 insertions(+), 29 deletions(-) - -diff --git a/common/flatpak-transaction.c b/common/flatpak-transaction.c -index 721da14..b0908c3 100644 ---- a/common/flatpak-transaction.c -+++ b/common/flatpak-transaction.c -@@ -2957,12 +2957,13 @@ emit_eol_and_maybe_skip (FlatpakTransaction *self, - g_signal_emit (self, signals[END_OF_LIFED_WITH_REBASE], 0, op->remote, flatpak_decomposed_get_ref (op->ref), op->eol, op->eol_rebase, previous_ids, &op->skip); - } - --static void -+static gboolean - mark_op_resolved (FlatpakTransactionOperation *op, - const char *commit, - GFile *sideload_path, - GBytes *metadata, -- GBytes *old_metadata) -+ GBytes *old_metadata, -+ GError **error) - { - g_debug ("marking op %s:%s resolved to %s", kind_to_str (op->kind), flatpak_decomposed_get_ref (op->ref), commit ? commit : "-"); - -@@ -2980,13 +2981,12 @@ mark_op_resolved (FlatpakTransactionOperation *op, - if (metadata) - { - g_autoptr(GKeyFile) metakey = g_key_file_new (); -- if (g_key_file_load_from_bytes (metakey, metadata, G_KEY_FILE_NONE, NULL)) -- { -- op->resolved_metadata = g_bytes_ref (metadata); -- op->resolved_metakey = g_steal_pointer (&metakey); -- } -- else -- g_message ("Warning: Failed to parse metadata for %s\n", flatpak_decomposed_get_ref (op->ref)); -+ if (!g_key_file_load_from_bytes (metakey, metadata, G_KEY_FILE_NONE, NULL)) -+ return flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA, -+ "Metadata for %s is invalid", flatpak_decomposed_get_ref (op->ref)); -+ -+ op->resolved_metadata = g_bytes_ref (metadata); -+ op->resolved_metakey = g_steal_pointer (&metakey); - } - if (old_metadata) - { -@@ -2997,31 +2997,40 @@ mark_op_resolved (FlatpakTransactionOperation *op, - op->resolved_old_metakey = g_steal_pointer (&metakey); - } - else -- g_message ("Warning: Failed to parse old metadata for %s\n", flatpak_decomposed_get_ref (op->ref)); -+ { -+ /* This shouldn't happen, but a NULL old metadata is safe (all permisssions are considered new) */ -+ g_message ("Warning: Failed to parse old metadata for %s\n", flatpak_decomposed_get_ref (op->ref)); -+ } - } -+ -+ return TRUE; - } - --static void -+static gboolean - resolve_op_end (FlatpakTransaction *self, - FlatpakTransactionOperation *op, - const char *checksum, - GFile *sideload_path, -- GBytes *metadata_bytes) -+ GBytes *metadata_bytes, -+ GError **error) - { - g_autoptr(GBytes) old_metadata_bytes = NULL; - - old_metadata_bytes = load_deployed_metadata (self, op->ref, NULL, NULL); -- mark_op_resolved (op, checksum, sideload_path, metadata_bytes, old_metadata_bytes); -+ if (!mark_op_resolved (op, checksum, sideload_path, metadata_bytes, old_metadata_bytes, error)) -+ return FALSE; - emit_eol_and_maybe_skip (self, op); -+ return TRUE; - } - - --static void -+static gboolean - resolve_op_from_commit (FlatpakTransaction *self, - FlatpakTransactionOperation *op, - const char *checksum, - GFile *sideload_path, -- GVariant *commit_data) -+ GVariant *commit_data, -+ GError **error) - { - g_autoptr(GBytes) metadata_bytes = NULL; - g_autoptr(GVariant) commit_metadata = NULL; -@@ -3032,9 +3041,11 @@ resolve_op_from_commit (FlatpakTransaction *self, - commit_metadata = g_variant_get_child_value (commit_data, 0); - g_variant_lookup (commit_metadata, "xa.metadata", "&s", &xa_metadata); - if (xa_metadata == NULL) -- g_message ("Warning: No xa.metadata in local commit %s ref %s", checksum, flatpak_decomposed_get_ref (op->ref)); -- else -- metadata_bytes = g_bytes_new (xa_metadata, strlen (xa_metadata)); -+ return flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA, -+ "No xa.metadata in local commit %s ref %s", -+ checksum, flatpak_decomposed_get_ref (op->ref)); -+ -+ metadata_bytes = g_bytes_new (xa_metadata, strlen (xa_metadata)); - - if (g_variant_lookup (commit_metadata, "xa.download-size", "t", &download_size)) - op->download_size = GUINT64_FROM_BE (download_size); -@@ -3044,15 +3055,19 @@ resolve_op_from_commit (FlatpakTransaction *self, - g_variant_lookup (commit_metadata, OSTREE_COMMIT_META_KEY_ENDOFLIFE, "s", &op->eol); - g_variant_lookup (commit_metadata, OSTREE_COMMIT_META_KEY_ENDOFLIFE_REBASE, "s", &op->eol_rebase); - -- resolve_op_end (self, op, checksum, sideload_path, metadata_bytes); -+ return resolve_op_end (self, op, checksum, sideload_path, metadata_bytes, error); - } - -+/* NOTE: In case of non-available summary this returns FALSE with a -+ * NULL error, but for other error cases it will be set. -+ */ - static gboolean - try_resolve_op_from_metadata (FlatpakTransaction *self, - FlatpakTransactionOperation *op, - const char *checksum, - GFile *sideload_path, -- FlatpakRemoteState *state) -+ FlatpakRemoteState *state, -+ GError **error) - { - g_autoptr(GBytes) metadata_bytes = NULL; - guint64 download_size = 0; -@@ -3092,8 +3107,7 @@ try_resolve_op_from_metadata (FlatpakTransaction *self, - op->token_type = GINT32_FROM_LE (var_metadata_lookup_int32 (sparse_cache, FLATPAK_SPARSE_CACHE_KEY_TOKEN_TYPE, op->token_type)); - } - -- resolve_op_end (self, op, checksum, sideload_path, metadata_bytes); -- return TRUE; -+ return resolve_op_end (self, op, checksum, sideload_path, metadata_bytes, error); - } - - static gboolean -@@ -3136,7 +3150,8 @@ resolve_ops (FlatpakTransaction *self, - * checksum we got was the version already installed. - */ - g_assert (op->resolved_commit != NULL); -- mark_op_resolved (op, op->resolved_commit, NULL, NULL, NULL); -+ if (!mark_op_resolved (op, op->resolved_commit, NULL, NULL, NULL, error)) -+ return FALSE; - continue; - } - -@@ -3145,14 +3160,16 @@ resolve_ops (FlatpakTransaction *self, - /* We resolve to the deployed metadata, because we need it to uninstall related ops */ - - metadata_bytes = load_deployed_metadata (self, op->ref, &checksum, NULL); -- mark_op_resolved (op, checksum, NULL, metadata_bytes, NULL); -+ if (!mark_op_resolved (op, checksum, NULL, metadata_bytes, NULL, error)) -+ return FALSE; - continue; - } - - if (op->kind == FLATPAK_TRANSACTION_OPERATION_INSTALL_BUNDLE) - { - g_assert (op->commit != NULL); -- mark_op_resolved (op, op->commit, NULL, op->external_metadata, NULL); -+ if (!mark_op_resolved (op, op->commit, NULL, op->external_metadata, NULL, error)) -+ return FALSE; - continue; - } - -@@ -3183,7 +3200,8 @@ resolve_ops (FlatpakTransaction *self, - if (commit_data == NULL) - return FALSE; - -- resolve_op_from_commit (self, op, checksum, NULL, commit_data); -+ if (!resolve_op_from_commit (self, op, checksum, NULL, commit_data, error)) -+ return FALSE; - } - else - { -@@ -3242,9 +3260,16 @@ resolve_ops (FlatpakTransaction *self, - } - - /* First try to resolve via metadata (if remote is available and its metadata matches the commit version) */ -- if (!try_resolve_op_from_metadata (self, op, checksum, sideload_path, state)) -+ if (!try_resolve_op_from_metadata (self, op, checksum, sideload_path, state, &local_error)) - { -- /* Else try to load the commit object. -+ if (local_error) -+ { -+ /* Actual error, not just missing from summary */ -+ g_propagate_error (error, g_steal_pointer (&local_error)); -+ return FALSE; -+ } -+ -+ /* Missing from summary, try to load the commit object. - * Note, we don't have a token here, so this will not work for authenticated apps. - * We handle this by catching the 401 http status and retrying. */ - g_autoptr(GVariant) commit_data = NULL; -@@ -3280,7 +3305,8 @@ resolve_ops (FlatpakTransaction *self, - return FALSE; - } - -- resolve_op_from_commit (self, op, checksum, sideload_path, commit_data); -+ if (!resolve_op_from_commit (self, op, checksum, sideload_path, commit_data, error)) -+ return FALSE; - } - } - } --- -2.27.0 - diff --git a/backport-0006-CVE-2021-41133.patch b/backport-0006-CVE-2021-41133.patch deleted file mode 100644 index ea1d94d42e06b7fa6db9b6007335f9e8ed4902d4..0000000000000000000000000000000000000000 --- a/backport-0006-CVE-2021-41133.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 4c34815784e9ffda5733225c7d95824f96375e36 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 14:19:31 +0100 -Subject: [PATCH] run: Block setns() - -If we don't allow unshare() or clone() with CLONE_NEWUSER, we also -shouldn't allow joining an existing (but different) namespace. - -Partially fixes GHSA-67h7-w3jq-vh4q. - -Signed-off-by: Simon McVittie - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36 - ---- - common/flatpak-run.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 2781694..c266dbe 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2819,6 +2819,7 @@ setup_seccomp (FlatpakBwrap *bwrap, - - /* Don't allow subnamespace setups: */ - {SCMP_SYS (unshare), EPERM}, -+ {SCMP_SYS (setns), EPERM}, - {SCMP_SYS (mount), EPERM}, - {SCMP_SYS (pivot_root), EPERM}, - #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__) --- -2.27.0 - diff --git a/backport-0007-CVE-2021-41133.patch b/backport-0007-CVE-2021-41133.patch deleted file mode 100644 index 9f08651fe10c63ac8dda011c1f08eeb1a19237e8..0000000000000000000000000000000000000000 --- a/backport-0007-CVE-2021-41133.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 1330662f33a55e88bfe18e76de28b7922d91a999 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 14:20:29 +0100 -Subject: [PATCH] run: Don't allow unmounting filesystems - -If we don't allow mounting filesystems, we shouldn't allow unmounting -either. - -Partially fixes GHSA-67h7-w3jq-vh4q. - -Signed-off-by: Simon McVittie - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999 - ---- - common/flatpak-run.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index c266dbe..b1a8db5 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2821,6 +2821,8 @@ setup_seccomp (FlatpakBwrap *bwrap, - {SCMP_SYS (unshare), EPERM}, - {SCMP_SYS (setns), EPERM}, - {SCMP_SYS (mount), EPERM}, -+ {SCMP_SYS (umount), EPERM}, -+ {SCMP_SYS (umount2), EPERM}, - {SCMP_SYS (pivot_root), EPERM}, - #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__) - /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack --- -2.27.0 - diff --git a/backport-0008-CVE-2021-41133.patch b/backport-0008-CVE-2021-41133.patch deleted file mode 100644 index 4ad199e06c56215d40fd68834ec97a0eaf0acbc0..0000000000000000000000000000000000000000 --- a/backport-0008-CVE-2021-41133.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 462fca2c666e0cd2b60d6d2593a7216a83047aaf Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 14:21:04 +0100 -Subject: [PATCH] run: Don't allow chroot() - -If we don't allow pivot_root() then there seems no reason why we should -allow chroot(). - -Partially fixes GHSA-67h7-w3jq-vh4q. - -Signed-off-by: Simon McVittie - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf - ---- - common/flatpak-run.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index b1a8db5..da96465 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2824,6 +2824,7 @@ setup_seccomp (FlatpakBwrap *bwrap, - {SCMP_SYS (umount), EPERM}, - {SCMP_SYS (umount2), EPERM}, - {SCMP_SYS (pivot_root), EPERM}, -+ {SCMP_SYS (chroot), EPERM}, - #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__) - /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack - * and flags arguments are reversed so the flags come second */ --- -2.27.0 - diff --git a/backport-CVE-2022-21682.patch b/backport-CVE-2022-21682.patch deleted file mode 100644 index 0b3adb53dddea2a82ddfdaafa415a32ad842f0df..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-21682.patch +++ /dev/null @@ -1,340 +0,0 @@ -From 5709f1aaed6579f0136976e14e7f3cae399134ca Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Sun, 16 Jan 2022 12:42:30 +0000 -Subject: [PATCH] context: Introduce new --nofilesystem=host:reset - -This reintroduces the special case that existed in Flatpak 1.12.3, but -under a different name, so that it will be backwards-compatible. With -this change, flatpak-builder will be able to resolve CVE-2022-21682 by -using --filesystem=host:reset. - -We want to implement this as a suffix rather than as a new keyword, -because unknown suffixes are ignored with a warning, rather than causing -a fatal error. This means that the new version of flatpak-builder will -be able to run against older versions of flatpak: it will still be -vulnerable to CVE-2022-21682 in that situation, but at least it will run. - -Co-authored-by: Alexander Larsson - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/5709f1aaed6579f0136976e14e7f3cae399134ca ---- - common/flatpak-context-private.h | 1 + - common/flatpak-context.c | 166 ++++++++++++++++++++++++++++--- - 2 files changed, 153 insertions(+), 14 deletions(-) - -diff --git a/common/flatpak-context-private.h b/common/flatpak-context-private.h -index 45879ac..b6b9e56 100644 ---- a/common/flatpak-context-private.h -+++ b/common/flatpak-context-private.h -@@ -83,6 +83,7 @@ extern const char *flatpak_context_features[]; - extern const char *flatpak_context_shares[]; - - gboolean flatpak_context_parse_filesystem (const char *filesystem_and_mode, -+ gboolean negated, - char **filesystem_out, - FlatpakFilesystemMode *mode_out, - GError **error); -diff --git a/common/flatpak-context.c b/common/flatpak-context.c -index abeda35..a7cd891 100644 ---- a/common/flatpak-context.c -+++ b/common/flatpak-context.c -@@ -86,6 +86,7 @@ const char *flatpak_context_special_filesystems[] = { - "host", - "host-etc", - "host-os", -+ "host-reset", - NULL - }; - -@@ -703,6 +704,12 @@ unparse_filesystem_flags (const char *path, - - case FLATPAK_FILESYSTEM_MODE_NONE: - g_string_insert_c (s, 0, '!'); -+ -+ if (g_str_has_suffix (s->str, "-reset")) -+ { -+ g_string_truncate (s, s->len - 6); -+ g_string_append (s, ":reset"); -+ } - break; - - default: -@@ -715,11 +722,14 @@ unparse_filesystem_flags (const char *path, - - static char * - parse_filesystem_flags (const char *filesystem, -- FlatpakFilesystemMode *mode_out) -+ gboolean negated, -+ FlatpakFilesystemMode *mode_out, -+ GError **error) - { - g_autoptr(GString) s = g_string_new (""); - const char *p, *suffix; - FlatpakFilesystemMode mode; -+ gboolean reset = FALSE; - - p = filesystem; - while (*p != 0 && *p != ':') -@@ -734,7 +744,31 @@ parse_filesystem_flags (const char *filesystem, - g_string_append_c (s, *p++); - } - -- mode = FLATPAK_FILESYSTEM_MODE_READ_WRITE; -+ if (negated) -+ mode = FLATPAK_FILESYSTEM_MODE_NONE; -+ else -+ mode = FLATPAK_FILESYSTEM_MODE_READ_WRITE; -+ -+ if (g_str_equal (s->str, "host-reset")) -+ { -+ reset = TRUE; -+ -+ if (!negated) -+ { -+ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED, -+ "Filesystem token \"%s\" is only applicable for --nofilesystem", -+ s->str); -+ return NULL; -+ } -+ -+ if (*p != '\0') -+ { -+ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED, -+ "Filesystem token \"%s\" cannot be used with a suffix", -+ s->str); -+ return NULL; -+ } -+ } - - if (*p == ':') - { -@@ -746,10 +780,63 @@ parse_filesystem_flags (const char *filesystem, - mode = FLATPAK_FILESYSTEM_MODE_READ_WRITE; - else if (strcmp (suffix, "create") == 0) - mode = FLATPAK_FILESYSTEM_MODE_CREATE; -+ else if (strcmp (suffix, "reset") == 0) -+ reset = TRUE; - else if (*suffix != 0) - g_warning ("Unexpected filesystem suffix %s, ignoring", suffix); -+ -+ if (negated && mode != FLATPAK_FILESYSTEM_MODE_NONE) -+ { -+ g_warning ("Filesystem suffix \"%s\" is not applicable for --nofilesystem", -+ suffix); -+ mode = FLATPAK_FILESYSTEM_MODE_NONE; -+ } -+ -+ if (reset) -+ { -+ if (!negated) -+ { -+ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED, -+ "Filesystem suffix \"%s\" only applies to --nofilesystem", -+ suffix); -+ return NULL; -+ } -+ -+ if (!g_str_equal (s->str, "host")) -+ { -+ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED, -+ "Filesystem suffix \"%s\" can only be applied to " -+ "--nofilesystem=host", -+ suffix); -+ return NULL; -+ } -+ -+ /* We internally handle host:reset (etc) as host-reset, only exposing it as a flag in the public -+ part to allow it to be ignored (with a warning) for old flatpak versions */ -+ g_string_append (s, "-reset"); -+ } -+ } -+ -+ /* Postcondition check: the code above should make some results -+ * impossible */ -+ if (negated) -+ { -+ g_assert (mode == FLATPAK_FILESYSTEM_MODE_NONE); -+ } -+ else -+ { -+ g_assert (mode > FLATPAK_FILESYSTEM_MODE_NONE); -+ /* This flag is only applicable to --nofilesystem */ -+ g_assert (!reset); - } - -+ /* Postcondition check: filesystem token is host-reset iff reset flag -+ * was found */ -+ if (reset) -+ g_assert (g_str_equal (s->str, "host-reset")); -+ else -+ g_assert (!g_str_equal (s->str, "host-reset")); -+ - if (mode_out) - *mode_out = mode; - -@@ -758,13 +845,18 @@ parse_filesystem_flags (const char *filesystem, - - gboolean - flatpak_context_parse_filesystem (const char *filesystem_and_mode, -+ gboolean negated, - char **filesystem_out, - FlatpakFilesystemMode *mode_out, - GError **error) - { -- g_autofree char *filesystem = parse_filesystem_flags (filesystem_and_mode, mode_out); -+ g_autofree char *filesystem = NULL; - char *slash; - -+ filesystem = parse_filesystem_flags (filesystem_and_mode, negated, mode_out, error); -+ if (filesystem == NULL) -+ return FALSE; -+ - slash = strchr (filesystem, '/'); - - /* Forbid /../ in paths */ -@@ -856,6 +948,14 @@ flatpak_context_take_filesystem (FlatpakContext *context, - char *fs, - FlatpakFilesystemMode mode) - { -+ /* Special case: --nofilesystem=host-reset implies --nofilesystem=host. -+ * --filesystem=host-reset (or host:reset) is not allowed. */ -+ if (g_str_equal (fs, "host-reset")) -+ { -+ g_return_if_fail (mode == FLATPAK_FILESYSTEM_MODE_NONE); -+ g_hash_table_insert (context->filesystems, g_strdup ("host"), GINT_TO_POINTER (mode)); -+ } -+ - g_hash_table_insert (context->filesystems, fs, GINT_TO_POINTER (mode)); - } - -@@ -887,6 +987,14 @@ flatpak_context_merge (FlatpakContext *context, - while (g_hash_table_iter_next (&iter, &key, &value)) - g_hash_table_insert (context->persistent, g_strdup (key), value); - -+ /* We first handle host:reset, as it overrides all other keys from the parent */ -+ if (g_hash_table_lookup_extended (other->filesystems, "host-reset", NULL, &value)) -+ { -+ g_warn_if_fail (GPOINTER_TO_INT (value) == FLATPAK_FILESYSTEM_MODE_NONE); -+ g_hash_table_remove_all (context->filesystems); -+ } -+ -+ /* Then set the new ones, which includes propagating host:reset. */ - g_hash_table_iter_init (&iter, other->filesystems); - while (g_hash_table_iter_next (&iter, &key, &value)) - g_hash_table_insert (context->filesystems, g_strdup (key), value); -@@ -1074,7 +1182,7 @@ option_filesystem_cb (const gchar *option_name, - g_autofree char *fs = NULL; - FlatpakFilesystemMode mode; - -- if (!flatpak_context_parse_filesystem (value, &fs, &mode, error)) -+ if (!flatpak_context_parse_filesystem (value, FALSE, &fs, &mode, error)) - return FALSE; - - flatpak_context_take_filesystem (context, g_steal_pointer (&fs), mode); -@@ -1091,7 +1199,7 @@ option_nofilesystem_cb (const gchar *option_name, - g_autofree char *fs = NULL; - FlatpakFilesystemMode mode; - -- if (!flatpak_context_parse_filesystem (value, &fs, &mode, error)) -+ if (!flatpak_context_parse_filesystem (value, TRUE, &fs, &mode, error)) - return FALSE; - - flatpak_context_take_filesystem (context, g_steal_pointer (&fs), -@@ -1571,15 +1679,13 @@ flatpak_context_load_metadata (FlatpakContext *context, - g_autofree char *filesystem = NULL; - FlatpakFilesystemMode mode; - -- if (!flatpak_context_parse_filesystem (fs, &filesystem, &mode, NULL)) -+ if (!flatpak_context_parse_filesystem (fs, remove, -+ &filesystem, &mode, NULL)) - g_debug ("Unknown filesystem type %s", filesystems[i]); - else - { -- if (remove) -- flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem), -- FLATPAK_FILESYSTEM_MODE_NONE); -- else -- flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem), mode); -+ g_assert (mode == FLATPAK_FILESYSTEM_MODE_NONE || !remove); -+ flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem), mode); - } - } - } -@@ -1825,11 +1931,24 @@ flatpak_context_save_metadata (FlatpakContext *context, - { - g_autoptr(GPtrArray) array = g_ptr_array_new_with_free_func (g_free); - -+ /* Serialize host-reset first, because order can matter in -+ * corner cases. */ -+ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", -+ NULL, &value)) -+ { -+ g_warn_if_fail (GPOINTER_TO_INT (value) == FLATPAK_FILESYSTEM_MODE_NONE); -+ g_ptr_array_add (array, g_strdup ("!host:reset")); -+ } -+ - g_hash_table_iter_init (&iter, context->filesystems); - while (g_hash_table_iter_next (&iter, &key, &value)) - { - FlatpakFilesystemMode mode = GPOINTER_TO_INT (value); - -+ /* We already did this */ -+ if (g_str_equal (key, "host-reset")) -+ continue; -+ - g_ptr_array_add (array, unparse_filesystem_flags (key, mode)); - } - -@@ -1968,7 +2087,8 @@ flatpak_context_save_metadata (FlatpakContext *context, - void - flatpak_context_allow_host_fs (FlatpakContext *context) - { -- flatpak_context_take_filesystem (context, g_strdup ("host"), FLATPAK_FILESYSTEM_MODE_READ_WRITE); -+ flatpak_context_take_filesystem (context, g_strdup ("host"), -+ FLATPAK_FILESYSTEM_MODE_READ_WRITE); - } - - gboolean -@@ -2155,18 +2275,36 @@ flatpak_context_to_args (FlatpakContext *context, - g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name)); - } - -+ /* Serialize host-reset first, because order can matter in -+ * corner cases. */ -+ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", -+ NULL, &value)) -+ { -+ g_warn_if_fail (GPOINTER_TO_INT (value) == FLATPAK_FILESYSTEM_MODE_NONE); -+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset")); -+ } -+ - g_hash_table_iter_init (&iter, context->filesystems); - while (g_hash_table_iter_next (&iter, &key, &value)) - { -+ g_autofree char *fs = NULL; - FlatpakFilesystemMode mode = GPOINTER_TO_INT (value); - -+ /* We already did this */ -+ if (g_str_equal (key, "host-reset")) -+ continue; -+ -+ fs = unparse_filesystem_flags (key, mode); -+ - if (mode != FLATPAK_FILESYSTEM_MODE_NONE) - { -- g_autofree char *fs = unparse_filesystem_flags (key, mode); - g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", fs)); - } - else -- g_ptr_array_add (args, g_strdup_printf ("--nofilesystem=%s", (char *) key)); -+ { -+ g_assert (fs[0] == '!'); -+ g_ptr_array_add (args, g_strdup_printf ("--nofilesystem=%s", &fs[1])); -+ } - } - } - --- -2.27.0 - diff --git a/backport-Fix-handling-of-syscalls-only-allowed-by-de.patch b/backport-Fix-handling-of-syscalls-only-allowed-by-de.patch deleted file mode 100644 index f837a04b1d806273851df28b8619f0058da7d34d..0000000000000000000000000000000000000000 --- a/backport-Fix-handling-of-syscalls-only-allowed-by-de.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 3fc8c672676ae016f8e7cc90481b2feecbad9861 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 8 Oct 2021 19:00:13 +0100 -Subject: [PATCH] Fix handling of syscalls only allowed by --devel - -This was incorrectly looking at errno instead of -r. - -Fixes: 0b38b0f0 "run: Handle unknown syscalls as intended" -Signed-off-by: Simon McVittie - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/3fc8c672676ae016f8e7cc90481b2feecbad9861 - ---- - common/flatpak-run.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index a416f1b..69eabc0 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2988,7 +2988,7 @@ setup_seccomp (FlatpakBwrap *bwrap, - r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); - - /* See above for the meaning of EFAULT. */ -- if (errno == EFAULT) -+ if (r == -EFAULT) - flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", - scall); - else if (r < 0) --- -2.27.0 - diff --git a/backport-Fix-several-memory-leaks.patch b/backport-Fix-several-memory-leaks.patch deleted file mode 100644 index 2c75b9c6781a3b805a864adc6b872c6279da04c5..0000000000000000000000000000000000000000 --- a/backport-Fix-several-memory-leaks.patch +++ /dev/null @@ -1,85 +0,0 @@ -From b912053c6cc556f131465c1fd877d7bd0b433539 Mon Sep 17 00:00:00 2001 -From: Phaedrus Leeds -Date: Sun, 2 May 2021 21:53:02 -0500 -Subject: [PATCH] Fix several memory leaks - -(cherry picked from commit 404d7c6941baf63d1b3ccbe9ee9d34f3ff12f35f) ---- - app/flatpak-builtins-document-export.c | 6 +++--- - common/flatpak-dir.c | 7 ++++--- - common/flatpak-utils.c | 1 + - portal/flatpak-portal.c | 2 +- - 4 files changed, 9 insertions(+), 7 deletions(-) - -diff --git a/app/flatpak-builtins-document-export.c b/app/flatpak-builtins-document-export.c -index 15f1ad1275..e701a826bb 100644 ---- a/app/flatpak-builtins-document-export.c -+++ b/app/flatpak-builtins-document-export.c -@@ -90,8 +90,8 @@ flatpak_builtin_document_export (int argc, char **argv, - g_autofree char *dirname = NULL; - g_autofree char *doc_path = NULL; - XdpDbusDocuments *documents; -- int fd, fd_id; -- int i; -+ glnx_autofd int fd = -1; -+ int i, fd_id; - GUnixFDList *fd_list = NULL; - const char *doc_id; - struct stat stbuf; -@@ -173,7 +173,7 @@ flatpak_builtin_document_export (int argc, char **argv, - - fd_list = g_unix_fd_list_new (); - fd_id = g_unix_fd_list_append (fd_list, fd, error); -- close (fd); -+ glnx_close_fd (&fd); - - if (opt_noexist) - { -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 94a86f4afb..0724677b91 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -13690,14 +13690,15 @@ parse_ref_file (GKeyFile *keyfile, - collection_id = g_key_file_get_string (keyfile, FLATPAK_REF_GROUP, - FLATPAK_REF_DEPLOY_COLLECTION_ID_KEY, NULL); - -- if (collection_id == NULL || *collection_id == '\0') -+ if (collection_id != NULL && *collection_id == '\0') -+ g_clear_pointer (&collection_id, g_free); -+ if (collection_id == NULL) - { - collection_id = g_key_file_get_string (keyfile, FLATPAK_REF_GROUP, - FLATPAK_REF_COLLECTION_ID_KEY, NULL); - } -- - if (collection_id != NULL && *collection_id == '\0') -- collection_id = NULL; -+ g_clear_pointer (&collection_id, g_free); - - if (collection_id != NULL && gpg_data == NULL) - return flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA, _("Collection ID requires GPG key to be provided")); -diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c -index 56cbb06db3..84bc6a398d 100644 ---- a/common/flatpak-utils.c -+++ b/common/flatpak-utils.c -@@ -2235,6 +2235,7 @@ flatpak_parse_repofile (const char *remote_name, - decoded = g_base64_decode (gpg_key, &decoded_len); - if (decoded_len < 10) /* Check some minimal size so we don't get crap */ - { -+ g_free (decoded); - flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA, _("Invalid gpg key")); - return NULL; - } -diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c -index 7887c57a3b..0539ff2d22 100644 ---- a/portal/flatpak-portal.c -+++ b/portal/flatpak-portal.c -@@ -767,7 +767,7 @@ handle_spawn (PortalFlatpak *object, - const gint *fds = NULL; - gint fds_len = 0; - g_autofree FdMapEntry *fd_map = NULL; -- gchar **env; -+ g_auto(GStrv) env = NULL; - gint32 max_fd; - GKeyFile *app_info; - g_autoptr(GPtrArray) flatpak_argv = g_ptr_array_new_with_free_func (g_free); diff --git a/backport-run-Handle-unknown-syscalls-as-intended.patch b/backport-run-Handle-unknown-syscalls-as-intended.patch deleted file mode 100644 index ce16cd2f9eeafe255a248467b191d519f8aa216b..0000000000000000000000000000000000000000 --- a/backport-run-Handle-unknown-syscalls-as-intended.patch +++ /dev/null @@ -1,73 +0,0 @@ -From d419fa67038370e4f4c3ce8c3b5f672d4876cfc8 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 8 Oct 2021 17:05:07 +0100 -Subject: [PATCH] run: Handle unknown syscalls as intended - -The error-handling here was - - if (r < 0 && r == -EFAULT) - -but Alex says it was almost certainly intended to be - - if (r < 0 && r != -EFAULT) - -so that syscalls not known to libseccomp are not a fatal error. - -Instead of literally making that change, emit a debug message on -EFAULT -so we can see what is going on. - -This temporarily weakens our defence against CVE-2021-41133 -(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed -version of libseccomp does not know about the recently-added syscalls, -but the kernel does, then we will not prevent non-native executables -from using those syscalls. - -Resolves: https://github.com/flatpak/flatpak/issues/4458 -Signed-off-by: Simon McVittie - -Conflict:NA -Reference:https://github.com/flatpak/flatpak/commit/d419fa67038370e4f4c3ce8c3b5f672d4876cfc8 - - ---- - common/flatpak-run.c | 17 +++++++++++++++-- - 1 file changed, 15 insertions(+), 2 deletions(-) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index da96465..a416f1b 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2960,7 +2960,16 @@ setup_seccomp (FlatpakBwrap *bwrap, - r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg); - else - r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); -- if (r < 0 && r == -EFAULT /* unknown syscall */) -+ -+ /* EFAULT means "internal libseccomp error", but in practice we get -+ * this for syscall numbers added via flatpak-syscalls-private.h -+ * when trying to filter them on a non-native architecture, because -+ * libseccomp cannot map the syscall number to a name and back to a -+ * number for the non-native architecture. */ -+ if (r == -EFAULT) -+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", -+ scall); -+ else if (r < 0) - return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); - } - -@@ -2978,7 +2987,11 @@ setup_seccomp (FlatpakBwrap *bwrap, - else - r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); - -- if (r < 0 && r == -EFAULT /* unknown syscall */) -+ /* See above for the meaning of EFAULT. */ -+ if (errno == EFAULT) -+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", -+ scall); -+ else if (r < 0) - return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); - } - } --- -2.27.0 - diff --git a/backport-support-new-pyparsing.patch b/backport-support-new-pyparsing.patch deleted file mode 100644 index ed1f8c9a34b42b03721625fc8ed601d21457d3da..0000000000000000000000000000000000000000 --- a/backport-support-new-pyparsing.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 8850e4d0da76a85c5f9926cd40e148e0b29bddac Mon Sep 17 00:00:00 2001 -From: Phaedrus Leeds -Date: Thu, 16 Dec 2021 10:50:10 -0800 -Subject: [PATCH] Fix runtime error when using pyparsing >= 3.0.2 - -Ever since this commit -(https://github.com/pyparsing/pyparsing/commit/4ab17bb55) -variant-schema-compiler has failed to execute when used by Flatpak like -this: -$ variant-schema-compiler/variant-schema-compiler --outfile-header -common/flatpak-variant-private.h --outfile -common/flatpak-variant-impl-private.h --prefix var -./data/flatpak-variants.gv - -For some reason our use of leaveWhitespace() to ensure that a named type -has a ' right before its name no longer works. But fortunately pyparsing -has a Combine() which does exactly what we want. - -See https://github.com/flatpak/flatpak/issues/4534 - -Fixes https://gitlab.gnome.org/alexl/variant-schema-compiler/-/issues/4 - -Reference:https://gitlab.gnome.org/alexl/variant-schema-compiler/-/commit/8850e4d0da76a85c5f9926cd40e148e0b29bddac - -diff --git a/variant-schema-compiler/variant-schema-compiler b/variant-schema-compiler/variant-schema-compiler -index 8b54232..7807f7c 100755 ---- a/variant-schema-compiler/variant-schema-compiler -+++ b/variant-schema-compiler/variant-schema-compiler -@@ -4,6 +4,7 @@ import argparse - import sys - import os - from pyparsing import * -+pyparsing_version = tuple(int(x) for x in __version__.split('.')) - - typename_prefix = "" - funcname_prefix = "" -@@ -1741,6 +1742,8 @@ def handleNameableType(toks): - return type - - nameableType = (Optional((Suppress("'") + ident).leaveWhitespace()) + (arrayType ^ maybeType ^ dictType ^ structType)).setParseAction(handleNameableType) -+if pyparsing_version >= (3, 0, 4): -+ nameableType = (Optional((Suppress("'") + ident)) + (arrayType ^ maybeType ^ dictType ^ structType)).setParseAction(handleNameableType) - - typeSpec <<= basicType ^ variantType ^ namedType ^ nameableType - --- -2.30.0 - diff --git a/flatpak-1.10.2.tar.xz b/flatpak-1.10.2.tar.xz deleted file mode 100644 index f7e58fb3248bf39f2fbc145f7b7ecfb782464c97..0000000000000000000000000000000000000000 Binary files a/flatpak-1.10.2.tar.xz and /dev/null differ diff --git a/flatpak-1.15.6.tar.xz b/flatpak-1.15.6.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..7a99935105394e04697c46b0f05257f08d81dcb8 Binary files /dev/null and b/flatpak-1.15.6.tar.xz differ diff --git a/flatpak.spec b/flatpak.spec index ac485a80af3b6b9fc100104ca38bde4df938bf33..b508bdfe3d04a069e859b0a38e410ecb8016748f 100644 --- a/flatpak.spec +++ b/flatpak.spec @@ -1,49 +1,17 @@ Name: flatpak -Version: 1.10.2 -Release: 7 +Version: 1.15.6 +Release: 1 Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz -Patch0000: modify-automake-version.patch -Patch0002: CVE-2021-21261-2.patch -Patch0004: CVE-2021-21261-4.patch -Patch0005: 0001-OCI-Switch-to-pax-format-for-tar-archives.patch -Patch6000: backport-0001-CVE-2021-41133.patch -Patch6001: backport-0002-CVE-2021-41133.patch -Patch6002: backport-0003-CVE-2021-41133.patch -Patch6003: backport-0004-CVE-2021-41133.patch -Patch6004: backport-0005-CVE-2021-41133.patch -Patch6005: backport-0006-CVE-2021-41133.patch -Patch6006: backport-0007-CVE-2021-41133.patch -Patch6007: backport-0008-CVE-2021-41133.patch -Patch6008: backport-run-Handle-unknown-syscalls-as-intended.patch -Patch6009: backport-Fix-handling-of-syscalls-only-allowed-by-de.patch -Patch6010: backport-support-new-pyparsing.patch -Patch6011: backport-CVE-2022-21682.patch -Patch6012: backport-0001-CVE-2021-43860.patch -Patch6013: backport-0002-CVE-2021-43860.patch -Patch6014: backport-0003-CVE-2021-43860.patch -Patch6015: backport-0004-CVE-2021-43860.patch -Patch6016: backport-0005-CVE-2021-43860.patch -Patch6017: backport-Fix-several-memory-leaks.patch -# https://github.com/flatpak/flatpak/commit/4206d681c5c52691dec0074e3f8c32dab1953a94 -Patch6018: CVE-2023-28100-pre1.patch -# https://github.com/flatpak/flatpak/commit/b83fb81d1a66fe4ea31fd9c36ca425705eaaca99 -Patch6019: CVE-2023-28100-pre2.patch -# https://github.com/flatpak/flatpak/commit/e7880e25b9d400feeaacb82f115fae676ce6c65d -Patch6020: CVE-2023-28100-pre3.patch -# https://github.com/flatpak/flatpak/commit/a9bf18040cc075a70657c6090a59d7f6fe78f893 -Patch6021: CVE-2023-28100.patch -# https://github.com/flatpak/flatpak/commit/acd627a2fabe9856947399044dbf7aa79247c75b -Patch6022: CVE-2023-28101-1.patch -# https://github.com/flatpak/flatpak/commit/e88eedce76f79a5573df4fc38b344bbeaf7af024 -Patch6023: CVE-2023-28101-2.patch BuildRequires: pkgconfig(appstream-glib) pkgconfig(gio-unix-2.0) pkgconfig(gobject-introspection-1.0) >= 1.40.0 pkgconfig(json-glib-1.0) pkgconfig(libarchive) >= 2.8.0 BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2020.8 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau) BuildRequires: bison bubblewrap >= 0.4.0 docbook-dtds docbook-style-xsl gettext gpgme-devel libcap-devel systemd xmlto libxslt BuildRequires: pkgconfig(libsystemd) pkgconfig(dconf) pkgconfig(fuse) pkgconfig(gdk-pixbuf-2.0) pkgconfig(libzstd) >= 0.8.1 python3-pyparsing xdg-dbus-proxy +BuildRequires: meson cmake pkgconfig(libcurl) pkgconfig(appstream) gtk-doc pkgconfig(wayland-protocols) +BuildRequires: polkit socat %{?systemd_requires} Requires: ostree%{?_isa} >= 2020.8 bubblewrap >= 0.4.0 ostree-libs%{?_isa} >= 2020.8 @@ -65,19 +33,37 @@ Requires: %{name}%{?_isa} = %{version}-%{release} %description devel This package contains the pkg-config file and development headers for %{name}. + +%package selinux +Summary: SELinux policy module for %{name} +BuildRequires: selinux-policy +BuildRequires: selinux-policy-devel +BuildRequires: make +BuildArch: noarch +%{?selinux_requires} + +%description selinux +This package contains the SELinux policy module for %{name}. + + %package_help %prep %autosetup -n %{name}-%{version} -p1 %build -(if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi; - %configure --with-priv-mode=none --with-system-dbus-proxy \ - --with-system-bubblewrap --enable-docbook-docs $CONFIGFLAGS) -%make_build V=1 +%meson \ + -Dinstalled_tests=true \ + -Dsystem_bubblewrap=/usr/bin/bwrap \ + -Dsystem_dbus_proxy=/usr/bin/xdg-dbus-proxy \ + -Dtmpfilesdir=%{_tmpfilesdir} \ + -Dmalcontent=disabled \ + -Dwayland_security_context=enabled \ + %{nil} +%meson_build %install -%make_install +%meson_install install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir} install -d %{buildroot}%{_localstatedir}/lib/flatpak install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d @@ -90,6 +76,15 @@ rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only flatpak remote-list --system &> /dev/null || : %ldconfig_scriptlets libs +%post selinux +%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2 +fi + + %files -f %{name}.lang %license COPYING %doc %{_pkgdocdir} @@ -117,6 +112,7 @@ flatpak remote-list --system &> /dev/null || : %{_libexecdir}/flatpak-system-helper %dir %{_localstatedir}/lib/flatpak %{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf +%dir %{_sysconfdir}/flatpak %{_sysconfdir}/flatpak/remotes.d %{_sysconfdir}/profile.d/flatpak.sh %{_unitdir}/flatpak-system-helper.service @@ -127,6 +123,9 @@ flatpak remote-list --system &> /dev/null || : %{_systemd_user_env_generator_dir}/60-flatpak %{_libdir}/girepository-1.0/Flatpak-1.0.typelib %{_libdir}/libflatpak.so.* +%{_tmpfilesdir}/%{name}.conf +%{_datadir}/installed-tests +%{_libexecdir}/installed-tests %files devel %{_datadir}/gir-1.0/Flatpak-1.0.gir @@ -135,6 +134,10 @@ flatpak remote-list --system &> /dev/null || : %{_libdir}/libflatpak.so %{_libdir}/pkgconfig/%{name}.pc +%files selinux +%{_datadir}/selinux/packages/flatpak.pp.bz2 +%{_datadir}/selinux/devel/include/contrib/flatpak.if + %files help %{_mandir}/man1/%{name}*.1* %{_mandir}/man5/%{name}-metadata.5* @@ -144,6 +147,9 @@ flatpak remote-list --system &> /dev/null || : %{_mandir}/man5/flatpak-remote.5* %changelog +* Wed Apr 10 2024 xu_ping <707078654@qq.com> - 1.15.6-1 +- Upgrade version to 1.15.6 + * Thu Mar 28 2024 yaoxin - 1.10.2-7 - Fix CVE-2023-28100 and CVE-2023-28101 diff --git a/modify-automake-version.patch b/modify-automake-version.patch deleted file mode 100644 index bbdee72f87338fe4b4b83879fb9298d7915dd72a..0000000000000000000000000000000000000000 --- a/modify-automake-version.patch +++ /dev/null @@ -1,25 +0,0 @@ -From b3dc7f6af7f2812d5b4a42592976c5b9d7febaad Mon Sep 17 00:00:00 2001 -From: wangxiao65 -Date: Sun, 7 Feb 2021 12:02:08 +0800 -Subject: [PATCH] modify automake version -When Makefile.am is modified, automake needs to be executed. -if the version of automake in the compile enviroment is inconsistent -with the version specified in configure, the compile will fail. - ---- - configure.ac | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/configure.ac b/configure.ac -index c879e47..8bf37b0 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -48,7 +48,7 @@ LT_INIT([disable-static]) - AC_CONFIG_SRCDIR([common/flatpak-dir.c]) - AC_CONFIG_HEADERS([config.h]) - AC_CONFIG_MACRO_DIR([m4]) --AM_INIT_AUTOMAKE([1.13.4 no-define no-dist-gzip dist-xz tar-ustar foreign subdir-objects]) -+AM_INIT_AUTOMAKE([1.16.2 no-define no-dist-gzip dist-xz tar-ustar foreign subdir-objects]) - AC_PROG_SED - AC_PROG_YACC -