From 01d78b5883b705c06976136369221d5af1b05c96 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jun 18 2024 10:03:18 +0000
Subject: import flatpak-1.0.9-13.el7_9
---
diff --git a/SOURCES/flatpak-CVE-2024-32462.patch b/SOURCES/flatpak-CVE-2024-32462.patch
new file mode 100644
index 0000000..e330f41
--- /dev/null
+++ b/SOURCES/flatpak-CVE-2024-32462.patch
@@ -0,0 +1,114 @@
+From aabfdbde8e30e2d0413f5368c34c7f32ee1c3b1a Mon Sep 17 00:00:00 2001
+From: Alexander Larsson
+Date: Mon, 15 Apr 2024 16:10:36 +0200
+Subject: [PATCH 1/2] When starting non-static command using bwrap use "--"
+
+This ensures that the command is not taken to be a bwrap option.
+
+Resolves: CVE-2024-32462
+Resolves: GHSA-phv6-cpc2-2fgj
+Signed-off-by: Alexander Larsson
+[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
+[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
+Signed-off-by: Simon McVittie
+---
+ app/flatpak-builtins-build.c | 3 ++-
+ common/flatpak-dir.c | 1 +
+ common/flatpak-run.c | 5 ++++-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
+index ce9ff7ea..039c4668 100644
+--- a/app/flatpak-builtins-build.c
++++ b/app/flatpak-builtins-build.c
+@@ -569,7 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
+ if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+ return FALSE;
+
+- flatpak_bwrap_add_args (bwrap, command, NULL);
++ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
++
+ flatpak_bwrap_append_argsv (bwrap,
+ &argv[rest_argv_start + 2],
+ rest_argc - 2);
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 1c1a48eb..57292aa6 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -5393,6 +5393,7 @@ flatpak_dir_run_triggers (FlatpakDir *self,
+ g_ptr_array_add (argv_array, g_strdup ("--bind"));
+ g_ptr_array_add (argv_array, g_strdup (basedir));
+ g_ptr_array_add (argv_array, g_strdup (basedir));
++ g_ptr_array_add (argv_array, g_strdup ("--"));
+ #endif
+ g_ptr_array_add (argv_array, g_file_get_path (child));
+ g_ptr_array_add (argv_array, g_strdup (basedir));
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 08bfe54a..4c7f94f3 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -752,6 +752,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap,
+ if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+ return FALSE;
+
++ /* End of options: the next argument will be the executable name */
++ flatpak_bwrap_add_arg (bwrap, "--");
++
+ return TRUE;
+ }
+
+@@ -3142,7 +3145,7 @@ flatpak_run_app (const char *app_ref,
+ if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+ return FALSE;
+
+- flatpak_bwrap_add_arg (bwrap, command);
++ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+
+ if (!add_rest_args (bwrap, app_ref_parts[1],
+ exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,
+--
+2.44.0
+
+
+From b758670addf94e4255deff8e77ba82d7328933a6 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Tue, 16 Apr 2024 10:50:00 +0100
+Subject: [PATCH 2/2] test-run: Add a reproducer for CVE-2024-32462
+
+Signed-off-by: Simon McVittie
+---
+ tests/test-run.sh | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/tests/test-run.sh b/tests/test-run.sh
+index 9d83d82e..ab2c0089 100755
+--- a/tests/test-run.sh
++++ b/tests/test-run.sh
+@@ -23,7 +23,7 @@ set -euo pipefail
+
+ skip_without_bwrap
+
+-echo "1..12"
++echo "1..13"
+
+ setup_repo
+ install_repo
+@@ -69,6 +69,15 @@ assert_file_has_content hello_out '^Hello world, from a sandbox$'
+
+ echo "ok hello"
+
++# This should try and fail to run e.g. /usr/bin/--tmpfs, which will
++# exit with status 127 because there is no such executable.
++# It should not pass "--tmpfs /blah hello.sh" as bwrap options.
++exit_status=0
++run --command=--tmpfs org.test.Hello /blah hello.sh >&2 || exit_status=$?
++assert_not_streq "$exit_status" 0
++
++echo "ok avoided CVE-2024-32462"
++
+ run_sh cat /run/user/`id -u`/flatpak-info > fpi
+ assert_file_has_content fpi '^name=org.test.Hello$'
+
+--
+2.44.0
+
diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec
index 6e5a812..85d1ece 100644
--- a/SPECS/flatpak.spec
+++ b/SPECS/flatpak.spec
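Review bot: The backported commit message keeps the trailer `[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]`, yet the diffstat lists only three files and the hunks touch flatpak_builtin_build, flatpak_dir_run_triggers, add_bwrap_wrapper and flatpak_run_app, with no change to flatpak_run_maybe_start_dbus_proxy(); either the 1.0.9 D-Bus proxy path never hands a non-static command to bwrap or a hunk was dropped in the backport, and that should be confirmed against the upstream commit, since any remaining bwrap invocation that places a caller-controlled argument where an option is still accepted keeps the CVE-2024-32462 exposure. The reproducer added to test-run.sh asserts only that the exit status is non-zero, so an unrelated failure of `run` also passes; the comment above it predicts status 127, and `assert_streq "$exit_status" 127` would pin the behaviour the test is meant to prove. Each inner hunk shows only a fragment of its enclosing function, so the arguments appended after the new `--` in the lines that follow are outside this view.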
@@ -4,7 +4,7 @@ Name: flatpak Version: %{flatpak_version} -Release: 12%{?dist} +Release: 13%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ @@ -29,6 +29,8 @@ Patch5: flatpak-1.0.9-fix-CVE-2021-21261.patch Patch6: flatpak-1.0.9-fix-CVE-2021-21381.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2012864 Patch7: flatpak-1.0.9-fix-CVE-2021-41133.patch +# Backported CVE-2024-32462 fix from upstream +Patch8: flatpak-CVE-2024-32462.patch BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(fuse) @@ -145,6 +147,7 @@ This package contains libflatpak. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 %build @@ -301,6 +304,9 @@ flatpak remote-list --system &> /dev/null || : %changelog +* Fri Jun 07 2024 Kalev Lember - 1.0.9-13 +- Fix CVE-2024-32462 + * Wed Oct 27 2021 Debarshi Ray - 1.0.9-12 - Fix CVE-2021-41133 (#2012864)