rpms / flatpak

Clone
Source Code
GIT

Blame SOURCES/flatpak-1.8.5-post-cve-fixes.patch

c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   496c311635c2cfa93d65796aced7b2b3f403a049
  2.   SOURCES
  3.   flatpak-1.8.5-post-cve-fixes.patch
Blob History Raw
3cfe6d 
From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001
3cfe6d 
From: Simon McVittie <smcv@collabora.com>
3cfe6d 
Date: Mon, 18 Jan 2021 17:52:13 +0000
3cfe6d 
Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments
3cfe6d
3cfe6d 
This means we can systematically pass the environment variables
3cfe6d 
through bwrap(1), even if it is setuid and thus is filtering out
3cfe6d 
security-sensitive environment variables. bwrap itself ends up being
3cfe6d 
run with an empty environment instead.
3cfe6d
3cfe6d 
This fixes a regression when CVE-2021-21261 was fixed: before the
3cfe6d 
CVE fixes, LD_LIBRARY_PATH would have been passed through like this
3cfe6d 
and appeared in the `flatpak build` shell, but during the CVE fixes,
3cfe6d 
the special case that protected LD_LIBRARY_PATH was removed in favour
3cfe6d 
of the more general flatpak_bwrap_envp_to_args(). That reasoning only
3cfe6d 
works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
3cfe6d 
that we run the potentially-setuid bwrap.
3cfe6d
3cfe6d 
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
3cfe6d 
Resolves: https://github.com/flatpak/flatpak/issues/4080
3cfe6d 
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
3cfe6d 
Signed-off-by: Simon McVittie <smcv@collabora.com>
3cfe6d 
(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0)
3cfe6d 
---
3cfe6d 
 app/flatpak-builtins-build.c | 2 ++
3cfe6d 
 1 file changed, 2 insertions(+)
3cfe6d
3cfe6d 
diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
3cfe6d 
index 8da0de814..07ef6fc07 100644
3cfe6d 
--- a/app/flatpak-builtins-build.c
3cfe6d 
+++ b/app/flatpak-builtins-build.c
3cfe6d 
@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
3cfe6d 
                               NULL);
3cfe6d 
     }
3cfe6d
3cfe6d 
+  flatpak_bwrap_envp_to_args (bwrap);
3cfe6d 
+
3cfe6d 
   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
3cfe6d 
     return FALSE;
3cfe6d
3cfe6d 
From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001
3cfe6d 
From: Simon McVittie <smcv@collabora.com>
3cfe6d 
Date: Mon, 18 Jan 2021 18:07:38 +0000
3cfe6d 
Subject: [PATCH] dir: Pass environment via bwrap --setenv when running
3cfe6d 
 apply_extra
3cfe6d
3cfe6d 
This means we can systematically pass the environment variables
3cfe6d 
through bwrap(1), even if it is setuid and thus is filtering out
3cfe6d 
security-sensitive environment variables. bwrap ends up being
3cfe6d 
run with an empty environment instead.
3cfe6d
3cfe6d 
As with the previous commit, this regressed while fixing CVE-2021-21261.
3cfe6d
3cfe6d 
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
3cfe6d 
Signed-off-by: Simon McVittie <smcv@collabora.com>
3cfe6d 
(cherry picked from commit fb473cad801c6b61706353256cab32330557374a)
3cfe6d 
---
3cfe6d 
 common/flatpak-dir.c | 2 ++
3cfe6d 
 1 file changed, 2 insertions(+)
3cfe6d
3cfe6d 
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
3cfe6d 
index ed1248e74..40767fa77 100644
3cfe6d 
--- a/common/flatpak-dir.c
3cfe6d 
+++ b/common/flatpak-dir.c
3cfe6d 
@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir   *self,
3cfe6d 
                                          app_context, NULL, NULL, NULL, cancellable, error))
3cfe6d 
     return FALSE;
3cfe6d
3cfe6d 
+  flatpak_bwrap_envp_to_args (bwrap);
3cfe6d 
+
3cfe6d 
   flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
3cfe6d
3cfe6d 
   flatpak_bwrap_finish (bwrap);

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation