diff --git a/CVE-2024-32462.patch b/CVE-2024-32462.patch new file mode 100644 index 0000000000000000000000000000000000000000..00433206a45928ab9f8a8a23c6facf35e0797a98 --- /dev/null +++ b/CVE-2024-32462.patch @@ -0,0 +1,72 @@ +From 72016e3fce8fcbeab707daf4f1a02b931fcc004d Mon Sep 17 00:00:00 2001 +From: Alexander Larsson +Date: Mon, 15 Apr 2024 16:10:36 +0200 +Subject: [PATCH] When starting non-static command using bwrap use "--" + +Origin: https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d + +This ensures that the command is not taken to be a bwrap option. + +Resolves: CVE-2024-32462 +Resolves: GHSA-phv6-cpc2-2fgj +Signed-off-by: Alexander Larsson +[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path] +[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct] +Signed-off-by: Simon McVittie +--- + app/flatpak-builtins-build.c | 2 +- + common/flatpak-dir.c | 1 + + common/flatpak-run.c | 5 ++++- + 3 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c +index ce9ff7e..bb4bd06 100644 +--- a/app/flatpak-builtins-build.c ++++ b/app/flatpak-builtins-build.c +@@ -569,7 +569,7 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError + if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) + return FALSE; + +- flatpak_bwrap_add_args (bwrap, command, NULL); ++ flatpak_bwrap_add_args (bwrap, "--", command, NULL); + flatpak_bwrap_append_argsv (bwrap, + &argv[rest_argv_start + 2], + rest_argc - 2); +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index f00e6bf..e7bc1f8 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -5391,6 +5391,7 @@ flatpak_dir_run_triggers (FlatpakDir *self, + g_ptr_array_add (argv_array, g_strdup ("--dev")); + g_ptr_array_add (argv_array, g_strdup ("/dev")); + g_ptr_array_add (argv_array, g_strdup ("--bind")); ++ g_ptr_array_add (argv_array, g_strdup ("--")); + g_ptr_array_add (argv_array, g_strdup (basedir)); + g_ptr_array_add (argv_array, g_strdup (basedir)); + #endif +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index d48be1f..0b2bada 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -754,6 +754,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap, + if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) + return FALSE; + ++ /* End of options: the next argument will be the executable name */ ++ flatpak_bwrap_add_arg (bwrap, "--"); ++ + return TRUE; + } + +@@ -3176,7 +3179,7 @@ flatpak_run_app (const char *app_ref, + if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) + return FALSE; + +- flatpak_bwrap_add_arg (bwrap, command); ++ flatpak_bwrap_add_args (bwrap, "--", command, NULL); + + if (!add_rest_args (bwrap, app_ref_parts[1], + exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0, +-- +2.33.0 + diff --git a/flatpak.spec b/flatpak.spec index 362e6f01c9cb4169646aa425aea2fa5929b265f0..3fa6d3ecbfd84d837bf5189de2e70b98ed4f7c10 100644 --- a/flatpak.spec +++ b/flatpak.spec @@ -1,6 +1,6 @@ Name: flatpak Version: 1.0.3 -Release: 11 +Release: 12 Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ @@ -36,6 +36,7 @@ Patch6016: backport-0003-CVE-2022-21682.patch Patch6017: backport-0004-CVE-2022-21682.patch Patch6018: backport-0005-CVE-2022-21682.patch Patch6019: backport-0006-CVE-2022-21682.patch +Patch6020: CVE-2024-32462.patch BuildRequires: pkgconfig(appstream-glib) pkgconfig(gio-unix-2.0) pkgconfig(gobject-introspection-1.0) >= 1.40.0 pkgconfig(json-glib-1.0) pkgconfig(libarchive) >= 2.8.0 BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2018.7 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau) @@ -130,6 +131,9 @@ flatpak remote-list --system &> /dev/null || : %{_mandir}/man5/flatpak-remote.5* %changelog +* Fri Apr 19 2024 wangkai <13474090681@163.com> - 1.0.3-12 +- Fix CVE-2024-32462 + * Tue Feb 15 2022 dongyuzhen - 1.0.3-11 - Fix CVE-2022-21682