From 3878a93499ad42a59f039636fc2cc47e4bee2cdc Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 09 2022 12:11:49 +0000
Subject: import flatpak-builder-1.0.14-2.el8
---
diff --git a/SOURCES/flatpak-builder-CVE-2022-21682.patch b/SOURCES/flatpak-builder-CVE-2022-21682.patch
new file mode 100644
index 0000000..435ff5b
--- /dev/null
+++ b/SOURCES/flatpak-builder-CVE-2022-21682.patch
@@ -0,0 +1,172 @@
+From dd05ea86a4701a33cc4d271edf0a36b5c972e2e1 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Mon, 17 Jan 2022 21:59:02 +0000
+Subject: [PATCH 1/2] Disable filesystem access with --nofilesystem=host:reset
+
+This requires .
+
+In addition to counteracting an earlier --filesystem=host, in Flatpak
+versions that support it, the new --nofilesystem=host:reset removes all
+filesystem access that might have been inherited from the app manifest
+or overrides. This prevents CVE-2022-21682, while avoiding behaviour
+changes in Flatpak for non-builder use cases.
+
+In older Flatpak versions, this option acts as --filesystem=host with an
+unknown mode suffix, which is ignored (with a warning, which is harmless
+but will hopefully nudge people towards upgrading Flatpak to a version
+that enables CVE-2022-21682 to be avoided). flatpak-builder will still
+be vulnerable to CVE-2022-21682 in this case.
+
+Signed-off-by: Simon McVittie
+(cherry picked from commit 2d1b6799e782d5e5577072aa7bbfed00ddf0b087)
+---
+ src/builder-main.c | 2 +-
+ src/builder-manifest.c | 4 ++--
+ src/builder-module.c | 2 +-
+ src/builder-source-shell.c | 2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/builder-main.c b/src/builder-main.c
+index a177f4b0c8b6..dc6f3e97603a 100644
+--- a/src/builder-main.c
++++ b/src/builder-main.c
+@@ -942,7 +942,7 @@ main (int argc,
+ "flatpak",
+ "build",
+ "--die-with-parent",
+- "--nofilesystem=host",
++ "--nofilesystem=host:reset",
+ fs_app_dir,
+ fs_cache,
+ "--share=network",
+diff --git a/src/builder-manifest.c b/src/builder-manifest.c
+index 62e7096674fa..ae83e493db52 100644
+--- a/src/builder-manifest.c
++++ b/src/builder-manifest.c
+@@ -2124,7 +2124,7 @@ command (GFile *app_dir,
+ g_ptr_array_add (args, g_strdup ("build"));
+
+ g_ptr_array_add (args, g_strdup ("--die-with-parent"));
+- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+ if (extra_args)
+ {
+ for (i = 0; extra_args[i] != NULL; i++)
+@@ -2304,7 +2304,7 @@ appstream_compose (GFile *app_dir,
+ g_ptr_array_add (args, g_strdup ("flatpak"));
+ g_ptr_array_add (args, g_strdup ("build"));
+ g_ptr_array_add (args, g_strdup ("--die-with-parent"));
+- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+ g_ptr_array_add (args, g_file_get_path (app_dir));
+ g_ptr_array_add (args, g_strdup ("appstream-compose"));
+
+diff --git a/src/builder-module.c b/src/builder-module.c
+index 8d1819a3e530..862c247e2fb2 100644
+--- a/src/builder-module.c
++++ b/src/builder-module.c
+@@ -1177,7 +1177,7 @@ setup_build_args (GFile *app_dir,
+ builddir = "/run/build/";
+
+ g_ptr_array_add (args, g_strdup_printf ("--env=FLATPAK_BUILDER_BUILDDIR=%s%s", builddir, module_name));
+- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+
+ /* We mount the canonical location, because bind-mounts of symlinks don't really work */
+ g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
+diff --git a/src/builder-source-shell.c b/src/builder-source-shell.c
+index 152257b12476..8132a5c49d8a 100644
+--- a/src/builder-source-shell.c
++++ b/src/builder-source-shell.c
+@@ -136,7 +136,7 @@ run_script (BuilderContext *context,
+
+ source_dir_path_canonical = realpath (source_dir_path, NULL);
+
+- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+ g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
+
+ if (env)
+--
+2.35.1
+
+
+From 26cab8d7aae2146fa95cf5ad28e286f8034d97dc Mon Sep 17 00:00:00 2001
+From: Alexander Larsson
+Date: Tue, 18 Jan 2022 09:58:29 +0100
+Subject: [PATCH 2/2] Allow --nofilesystem=host:reset in flatpak-builder --run
+
+This adds support for the new host:reset mode. We don't verify
+that the argument is used as carefully as flatpak does, but any
+issue will be reported later when passed to flatpak.
+
+Co-authored-by: Simon McVittie
+(cherry picked from commit 27aa2f5e4508d03178bf905ee7099d6d69a79aa4)
+---
+ src/builder-flatpak-utils.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/src/builder-flatpak-utils.c b/src/builder-flatpak-utils.c
+index 53191016047f..89352cdc2fd5 100644
+--- a/src/builder-flatpak-utils.c
++++ b/src/builder-flatpak-utils.c
+@@ -1196,6 +1196,7 @@ typedef enum {
+
+ /* In numerical order of more privs */
+ typedef enum {
++ FLATPAK_FILESYSTEM_MODE_NONE = 0,
+ FLATPAK_FILESYSTEM_MODE_READ_ONLY = 1,
+ FLATPAK_FILESYSTEM_MODE_READ_WRITE = 2,
+ FLATPAK_FILESYSTEM_MODE_CREATE = 3,
+@@ -1770,6 +1771,13 @@ parse_filesystem_flags (const char *filesystem, FlatpakFilesystemMode *mode)
+ if (mode)
+ *mode = FLATPAK_FILESYSTEM_MODE_CREATE;
+ }
++ else if (g_str_equal (filesystem, "host:reset"))
++ {
++ filesystem = "host-reset";
++
+ if (mode)
++ *mode = FLATPAK_FILESYSTEM_MODE_NONE;
++ }
+
+ return g_strndup (filesystem, len);
+ }
+@@ -1810,9 +1818,12 @@ static void
+ flatpak_context_remove_filesystem (FlatpakContext *context,
+ const char *what)
+ {
++ FlatpakFilesystemMode mode;
++ g_autofree char *fs = parse_filesystem_flags (what, &mode);
++
+ g_hash_table_insert (context->filesystems,
+- parse_filesystem_flags (what, NULL),
+- NULL);
++ g_steal_pointer (&fs),
++ GINT_TO_POINTER (mode));
+ }
+
+ static gboolean
+@@ -2222,11 +2233,19 @@ flatpak_context_to_args (FlatpakContext *context,
+ g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name));
+ }
+
++ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", NULL, NULL))
++ {
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
++ }
++
+ g_hash_table_iter_init (&iter, context->filesystems);
+ while (g_hash_table_iter_next (&iter, &key, &value))
+ {
+ FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
+
++ if (g_str_equal (key, "host-reset"))
++ continue;
++
+ if (mode == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
+ g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s:ro", (char *)key));
+ else if (mode == FLATPAK_FILESYSTEM_MODE_READ_WRITE)
+--
+2.35.1
+
diff --git a/SPECS/flatpak-builder.spec b/SPECS/flatpak-builder.spec
index 69feae2..acd03ba 100644
--- a/SPECS/flatpak-builder.spec
+++ b/SPECS/flatpak-builder.spec
@@ -4,7 +4,7 @@
 Name: flatpak-builder
 Version: 1.0.14
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Tool to build flatpaks from source
 # src/builder-utils.c has portions derived from GPLv2+ code,
@@ -13,6 +13,10 @@ License: LGPLv2+ and GPLv2+
 URL: http://flatpak.org/
 Source0: https://github.com/flatpak/flatpak-builder/releases/download/%{version}/%{name}-%{version}.tar.xz
+# https://github.com/flatpak/flatpak-builder/pull/464
+# https://bugzilla.redhat.com/show_bug.cgi?id=2042007
+Patch0: flatpak-builder-CVE-2022-21682.patch
+
 BuildRequires: gettext
 BuildRequires: docbook-dtds
 BuildRequires: docbook-style-xsl
@@ -77,6 +81,9 @@ See http://flatpak.org/ for more information.
 %changelog
+* Fri Apr 01 2022 Debarshi Ray - 1.0.14-2
+- Fix CVE-2022-21682 (#2042007)
+
 * Wed Mar 09 2022 Debarshi Ray - 1.0.14-1
 - Update to 1.0.14 (#2047312)
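Review bot: In the flatpak_context_remove_filesystem hunk of the nested builder-flatpak-utils.c patch, the value stored for a removed filesystem changes from `NULL` to `GINT_TO_POINTER (mode)`, yet the only place this hunk shows `mode` being set to FLATPAK_FILESYSTEM_MODE_NONE is the new `host:reset` branch of parse_filesystem_flags, whose opening lines (and any default assignment) lie outside the hunk. If that default is read-write, or `mode` is left unassigned for a plain `--nofilesystem=home`, flatpak_context_to_args would later hit its `mode == FLATPAK_FILESYSTEM_MODE_READ_WRITE` branch and re-emit the entry as `--filesystem=home`, quietly inverting the option; the parsed mode is only needed there to strip the suffix, because the `host-reset` key is what to_args already checks. Storing the removal explicitly avoids both outcomes: `g_autofree char *fs = parse_filesystem_flags (what, NULL);` and `g_hash_table_insert (context->filesystems, g_steal_pointer (&fs), GINT_TO_POINTER (FLATPAK_FILESYSTEM_MODE_NONE));`. A comment on the new enum member, `/* NONE doubles as "explicitly removed"; flatpak_context_to_args must emit --nofilesystem for it */`, would record the contract the host:reset logic relies on.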