diff --git a/CVE-2024-32462.patch b/CVE-2024-32462.patch new file mode 100644 index 0000000000000000000000000000000000000000..5d2e42e0f50376385501ec87571b859c73ed5a11 --- /dev/null +++ b/CVE-2024-32462.patch @@ -0,0 +1,75 @@ +From bbab7ed1e672356d1a78b422462b210e8e875931 Mon Sep 17 00:00:00 2001 +From: Alexander Larsson +Date: Mon, 15 Apr 2024 16:10:36 +0200 +Subject: [PATCH] When starting non-static command using bwrap use "--" + +Origin: https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931 + +This ensures that the command is not taken to be a bwrap option. + +Resolves: CVE-2024-32462 +Resolves: GHSA-phv6-cpc2-2fgj +Signed-off-by: Alexander Larsson +[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path] +[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct] +Signed-off-by: Simon McVittie +--- + app/flatpak-builtins-build.c | 3 ++- + common/flatpak-dir.c | 1 + + common/flatpak-run-dbus.c | 3 +++ + common/flatpak-run.c | 2 +- + 4 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c +index a606544980..585f8f43ba 100644 +--- a/app/flatpak-builtins-build.c ++++ b/app/flatpak-builtins-build.c +@@ -589,7 +589,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError + if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) + return FALSE; + +- flatpak_bwrap_add_args (bwrap, command, NULL); ++ flatpak_bwrap_add_args (bwrap, "--", command, NULL); ++ + flatpak_bwrap_append_argsv (bwrap, + &argv[rest_argv_start + 2], + rest_argc - 2); +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index 3a788469a4..089fb80734 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -7155,6 +7155,7 @@ flatpak_dir_run_triggers (FlatpakDir *self, + "--proc", "/proc", + "--dev", "/dev", + "--bind", basedir, basedir, ++ "--", + NULL); + #endif + flatpak_bwrap_add_args (bwrap, +diff --git a/common/flatpak-run-dbus.c b/common/flatpak-run-dbus.c +index 3074549bc9..bb64c15bf0 100644 +--- a/common/flatpak-run-dbus.c ++++ b/common/flatpak-run-dbus.c +@@ -104,6 +104,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap, + if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) + return FALSE; + ++ /* End of options: the next argument will be the executable name */ ++ flatpak_bwrap_add_arg (bwrap, "--"); ++ + return TRUE; + } + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index bd68b4806f..29fe563f36 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -3425,7 +3425,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref, + if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) + return FALSE; + +- flatpak_bwrap_add_arg (bwrap, command); ++ flatpak_bwrap_add_args (bwrap, "--", command, NULL); + + if (!add_rest_args (bwrap, app_id, + exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0, diff --git a/flatpak.spec b/flatpak.spec index b508bdfe3d04a069e859b0a38e410ecb8016748f..aaa822833fff02965da086f90c687e05c74891d0 100644 --- a/flatpak.spec +++ b/flatpak.spec @@ -1,10 +1,11 @@ Name: flatpak Version: 1.15.6 -Release: 1 +Release: 2 Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz +Patch0: CVE-2024-32462.patch BuildRequires: pkgconfig(appstream-glib) pkgconfig(gio-unix-2.0) pkgconfig(gobject-introspection-1.0) >= 1.40.0 pkgconfig(json-glib-1.0) pkgconfig(libarchive) >= 2.8.0 BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2020.8 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau) @@ -147,6 +148,9 @@ fi %{_mandir}/man5/flatpak-remote.5* %changelog +* Fri Apr 19 2024 wangkai <13474090681@163.com> - 1.15.6-2 +- Fix CVE-2024-32462 + * Wed Apr 10 2024 xu_ping <707078654@qq.com> - 1.15.6-1 - Upgrade version to 1.15.6