diff --git a/1.15.12.tar.gz b/1.15.12.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..fe6c063d9c26a724a984188695cf14e526a016cd
Binary files /dev/null and b/1.15.12.tar.gz differ
diff --git a/CVE-2024-32462.patch b/CVE-2024-32462.patch
deleted file mode 100644
index 5d2e42e0f50376385501ec87571b859c73ed5a11..0000000000000000000000000000000000000000
--- a/CVE-2024-32462.patch
+++ /dev/null
@@ -1,75 +0,0 @@ -From bbab7ed1e672356d1a78b422462b210e8e875931 Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Mon, 15 Apr 2024 16:10:36 +0200 -Subject: [PATCH] When starting non-static command using bwrap use "--" - -Origin: https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931 - -This ensures that the command is not taken to be a bwrap option. - -Resolves: CVE-2024-32462 -Resolves: GHSA-phv6-cpc2-2fgj -Signed-off-by: Alexander Larsson -[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path] -[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct] -Signed-off-by: Simon McVittie ---- - app/flatpak-builtins-build.c | 3 ++- - common/flatpak-dir.c | 1 + - common/flatpak-run-dbus.c | 3 +++ - common/flatpak-run.c | 2 +- - 4 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c -index a606544980..585f8f43ba 100644 ---- a/app/flatpak-builtins-build.c -+++ b/app/flatpak-builtins-build.c -@@ -589,7 +589,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError - if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) - return FALSE; - -- flatpak_bwrap_add_args (bwrap, command, NULL); -+ flatpak_bwrap_add_args (bwrap, "--", command, NULL); -+ - flatpak_bwrap_append_argsv (bwrap, - &argv[rest_argv_start + 2], - rest_argc - 2); -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 3a788469a4..089fb80734 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -7155,6 +7155,7 @@ flatpak_dir_run_triggers (FlatpakDir *self, - "--proc", "/proc", - "--dev", "/dev", - "--bind", basedir, basedir, -+ "--", - NULL); - #endif - flatpak_bwrap_add_args (bwrap, -diff --git a/common/flatpak-run-dbus.c b/common/flatpak-run-dbus.c -index 3074549bc9..bb64c15bf0 100644 ---- a/common/flatpak-run-dbus.c -+++ b/common/flatpak-run-dbus.c -@@ -104,6 +104,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap, - if (!flatpak_bwrap_bundle_args 
(bwrap, 1, -1, FALSE, error)) - return FALSE; - -+ /* End of options: the next argument will be the executable name */ -+ flatpak_bwrap_add_arg (bwrap, "--"); -+ - return TRUE; - } - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index bd68b4806f..29fe563f36 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -3425,7 +3425,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref, - if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) - return FALSE; - -- flatpak_bwrap_add_arg (bwrap, command); -+ flatpak_bwrap_add_args (bwrap, "--", command, NULL); - - if (!add_rest_args (bwrap, app_id, - exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0, diff --git a/CVE-2024-42472.patch b/CVE-2024-42472.patch deleted file mode 100644 index 43aee74e7156ae8186ba5d4e42e89485947ec997..0000000000000000000000000000000000000000 --- a/CVE-2024-42472.patch +++ /dev/null 
@@ -1,219 +0,0 @@ -Origin: -https://github.com/flatpak/flatpak/commit/3caeb16c31a3ed62d744e2aaf01d684f7991051a -https://github.com/flatpak/flatpak/commit/2cdd1e1e5ae90d7c3a4b60ce2e36e4d609e44e72 -https://github.com/flatpak/flatpak/commit/6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75 - -From 6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75 Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Tue, 18 Jun 2024 11:31:05 +0200 -Subject: [PATCH] persist directories: Pass using new bwrap --bind-fd option - -Instead of passing a /proc/self/fd bind mount we use --bind-fd, which -has two advantages: - * bwrap closes the fd when used, so it doesn't leak into the started app - * bwrap ensures that what was mounted was the passed in fd (same dev/ino), - as there is a small (required) gap between symlink resolve and mount - where the target path could be replaced. - -Please note that this change requires an updated version of bubblewrap. - -Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87 -[smcv: Make whitespace consistent] -Co-authored-by: Simon McVittie -Signed-off-by: Simon McVittie - - ---- - common/flatpak-context.c | 109 +++++++++++++++++++++++++++++++++++++-- - tests/test-run.sh | 41 ++++++++++++++- - 2 files changed, 145 insertions(+), 5 deletions(-) - -diff --git a/common/flatpak-context.c b/common/flatpak-context.c -index 2d98d5c..b4b2108 100644 ---- a/common/flatpak-context.c -+++ b/common/flatpak-context.c -@@ -2859,6 +2859,90 @@ flatpak_context_apply_env_appid (FlatpakBwrap *bwrap, - flatpak_bwrap_set_env (bwrap, "HOST_XDG_STATE_HOME", g_getenv ("XDG_STATE_HOME"), TRUE); - } - -+/* This creates zero or more directories unders base_fd+basedir, each -+ * being guaranteed to either exist and be a directory (no symlinks) -+ * or be created as a directory. The last directory is opened -+ * and the fd is returned. 
-+ */ -+static gboolean -+mkdir_p_open_nofollow_at (int base_fd, -+ const char *basedir, -+ int mode, -+ const char *subdir, -+ int *out_fd, -+ GError **error) -+{ -+ glnx_autofd int parent_fd = -1; -+ -+ if (g_path_is_absolute (subdir)) -+ { -+ const char *skipped_prefix = subdir; -+ -+ while (*skipped_prefix == '/') -+ skipped_prefix++; -+ -+ g_warning ("--persist=\"%s\" is deprecated, treating it as --persist=\"%s\"", subdir, skipped_prefix); -+ subdir = skipped_prefix; -+ } -+ -+ g_autofree char *subdir_dirname = g_path_get_dirname (subdir); -+ -+ if (strcmp (subdir_dirname, ".") == 0) -+ { -+ /* It is ok to open basedir with follow=true */ -+ if (!glnx_opendirat (base_fd, basedir, TRUE, &parent_fd, error)) -+ return FALSE; -+ } -+ else if (strcmp (subdir_dirname, "..") == 0) -+ { -+ return glnx_throw (error, "'..' not supported in --persist paths"); -+ } -+ else -+ { -+ if (!mkdir_p_open_nofollow_at (base_fd, basedir, mode, -+ subdir_dirname, &parent_fd, error)) -+ return FALSE; -+ } -+ -+ g_autofree char *subdir_basename = g_path_get_basename (subdir); -+ -+ if (strcmp (subdir_basename, ".") == 0) -+ { -+ *out_fd = glnx_steal_fd (&parent_fd); -+ return TRUE; -+ } -+ else if (strcmp (subdir_basename, "..") == 0) -+ { -+ return glnx_throw (error, "'..' not supported in --persist paths"); -+ } -+ -+ if (!glnx_shutil_mkdir_p_at (parent_fd, subdir_basename, mode, NULL, error)) -+ return FALSE; -+ -+ int fd = openat (parent_fd, subdir_basename, O_PATH | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW); -+ if (fd == -1) -+ { -+ int saved_errno = errno; -+ struct stat stat_buf; -+ -+ /* If it's a symbolic link, that could be a user trying to offload -+ * large data to another filesystem, but it could equally well be -+ * a malicious or compromised app trying to exploit GHSA-7hgv-f2j8-xw87. -+ * Produce a clearer error message in this case. 
-+ * Unfortunately the errno we get in this case is ENOTDIR, so we have -+ * to ask again to find out whether it's really a symlink. */ -+ if (saved_errno == ENOTDIR && -+ fstatat (parent_fd, subdir_basename, &stat_buf, AT_SYMLINK_NOFOLLOW) == 0 && -+ S_ISLNK (stat_buf.st_mode)) -+ return glnx_throw (error, "Symbolic link \"%s\" not allowed to avoid sandbox escape", subdir_basename); -+ -+ return glnx_throw_errno_prefix (error, "openat(%s)", subdir_basename); -+ } -+ -+ *out_fd = fd; -+ return TRUE; -+} -+ - void - flatpak_context_append_bwrap_filesystem (FlatpakContext *context, - FlatpakBwrap *bwrap, -@@ -2882,13 +2966,30 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context, - while (g_hash_table_iter_next (&iter, &key, NULL)) - { - const char *persist = key; -- g_autofree char *src = g_build_filename (g_get_home_dir (), ".var/app", app_id, persist, NULL); -+ g_autofree char *appdir = g_build_filename (g_get_home_dir (), ".var/app", app_id, NULL); - g_autofree char *dest = g_build_filename (g_get_home_dir (), persist, NULL); -+ g_autoptr(GError) local_error = NULL; -+ -+ if (g_mkdir_with_parents (appdir, 0755) != 0) -+ { -+ g_warning ("Unable to create directory %s", appdir); -+ continue; -+ } -+ -+ /* Don't follow symlinks from the persist directory, as it is under user control */ -+ glnx_autofd int src_fd = -1; -+ if (!mkdir_p_open_nofollow_at (AT_FDCWD, appdir, 0755, -+ persist, &src_fd, -+ &local_error)) -+ { -+ g_warning ("Failed to create persist path %s: %s", persist, local_error->message); -+ continue; -+ } - -- if (g_mkdir_with_parents (src, 0755) != 0) -- g_info ("Unable to create directory %s", src); -+ g_autofree char *src_via_proc = g_strdup_printf ("%d", src_fd); - -- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src, dest); -+ flatpak_bwrap_add_fd (bwrap, g_steal_fd (&src_fd)); -+ flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest); - } - } - -diff --git a/tests/test-run.sh b/tests/test-run.sh -index 7138bc6..244b533 
100644 ---- a/tests/test-run.sh -+++ b/tests/test-run.sh -@@ -24,7 +24,7 @@ set -euo pipefail - skip_without_bwrap - skip_revokefs_without_fuse - --echo "1..20" -+echo "1..26" - - # Use stable rather than master as the branch so we can test that the run - # command automatically finds the branch correctly -@@ -543,3 +543,42 @@ ${FLATPAK} ${U} info -m org.test.App > out - assert_file_has_content out "^sdk=org\.test\.Sdk/$(flatpak --default-arch)/stable$" - - ok "--sdk option" -+ -+rm -fr "$HOME/.var/app/org.test.Hello" -+mkdir -p "$HOME/.var/app/org.test.Hello" -+run --command=sh --persist=.persist org.test.Hello -c 'echo can-persist > .persist/rc' -+sed -e 's,^,#--persist=.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2 -+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist" -+ -+ok "--persist=.persist persists a directory" -+ -+rm -fr "$HOME/.var/app/org.test.Hello" -+mkdir -p "$HOME/.var/app/org.test.Hello" -+# G_DEBUG= to avoid the deprecation warning being fatal -+G_DEBUG= run --command=sh --persist=/.persist org.test.Hello -c 'echo can-persist > .persist/rc' -+sed -e 's,^,#--persist=/.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2 -+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist" -+ -+ok "--persist=/.persist is a deprecated form of --persist=.persist" -+ -+rm -fr "$HOME/.var/app/org.test.Hello" -+mkdir -p "$HOME/.var/app/org.test.Hello" -+run --command=sh --persist=. org.test.Hello -c 'echo can-persist > .persistrc' -+sed -e 's,^,#--persist=.# ,g' < "$HOME/.var/app/org.test.Hello/.persistrc" >&2 -+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persistrc" "can-persist" -+ -+ok "--persist=. 
persists all files" -+ -+mkdir "${TEST_DATA_DIR}/inaccessible" -+echo FOO > ${TEST_DATA_DIR}/inaccessible/secret-file -+rm -fr "$HOME/.var/app/org.test.Hello" -+mkdir -p "$HOME/.var/app/org.test.Hello" -+ln -fns "${TEST_DATA_DIR}/inaccessible" "$HOME/.var/app/org.test.Hello/persist" -+# G_DEBUG= to avoid the warnings being fatal when we reject a --persist option. -+# LC_ALL=C so we get the expected non-localized string. -+LC_ALL=C G_DEBUG= run --command=ls --persist=persist --persist=relative/../escape org.test.Hello -la ~/persist &> hello_out || true -+sed -e 's,^,#--persist=symlink# ,g' < hello_out >&2 -+assert_file_has_content hello_out "not allowed to avoid sandbox escape" -+assert_not_file_has_content hello_out "secret-file" -+ -+ok "--persist doesn't allow sandbox escape via a symlink (CVE-2024-42472)" --- -2.33.0 - diff --git a/flatpak-1.15.6.tar.xz b/flatpak-1.15.6.tar.xz deleted file mode 100644 index 7a99935105394e04697c46b0f05257f08d81dcb8..0000000000000000000000000000000000000000 Binary files a/flatpak-1.15.6.tar.xz and /dev/null differ diff --git a/flatpak.spec b/flatpak.spec index 1dfc9e2c430b0741c37be71dd7518073c0b3eedf..5a1a1819f3d438bf0b1537d91e6f8e7bfc59b275 100644 --- a/flatpak.spec +++ b/flatpak.spec 
@@ -1,12 +1,10 @@ Name: flatpak -Version: 1.15.6 -Release: 3 +Version: 1.15.12 +Release: 1 Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ -Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz -Patch0: CVE-2024-32462.patch -Patch1: CVE-2024-42472.patch +Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{version}.tar.gz BuildRequires: pkgconfig(appstream-glib) pkgconfig(gio-unix-2.0) pkgconfig(gobject-introspection-1.0) >= 1.40.0 pkgconfig(json-glib-1.0) pkgconfig(libarchive) >= 2.8.0 BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2020.8 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau) @@ -115,6 +113,7 @@ fi %dir %{_localstatedir}/lib/flatpak %{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf %dir %{_sysconfdir}/flatpak +%{_sysconfdir}/profile.d/flatpak.csh %{_sysconfdir}/flatpak/remotes.d %{_sysconfdir}/profile.d/flatpak.sh %{_unitdir}/flatpak-system-helper.service @@ -147,8 +146,13 @@ fi %{_mandir}/man5/flatpak-flatpakrepo.5* %{_mandir}/man5/flatpak-installation.5* %{_mandir}/man5/flatpak-remote.5* +%{_mandir}/man5/flatpakref.5* +%{_mandir}/man5/flatpakrepo.5* %changelog +* Thu Nov 07 2024 sqfu - 1.15.12-1 +- update to 1.15.12 + * Thu Aug 15 2024 wangkai <13474090681@163.com> - 1.15.6-3 - Fix CVE-2024-42472
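Review bot: The new Source0 line fetches `%{version}.tar.gz` from the releases/download path, whereas the removed line fetched the upstream release tarball `%{name}-%{version}.tar.xz`; a bare `1.15.12.tar.gz` looks like a renamed auto-generated tag archive rather than a published release asset, so confirm that the URL actually resolves and that the checksum of the committed tarball matches what upstream publishes for this release. Dropping Patch0 and Patch1 in the same hunk is only correct if both CVE-2024-32462 and CVE-2024-42472 are already fixed in the 1.15.12 tarball; that should be stated in the changelog rather than left implicit, e.g. `- drop CVE-2024-32462.patch and CVE-2024-42472.patch, included upstream`. The deleted CVE-2024-42472 patch itself notes that its `--bind-fd` approach requires an updated bubblewrap; the spec's bubblewrap dependency is outside this hunk, so verify it is raised to a version that provides that option, otherwise the persist-directory fix fails at runtime.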