From 804a12f72ff6725f7d8c304bfc8a52a53f60d11a Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 29 2021 07:00:32 +0000
Subject: import flatpak-1.0.9-11.el7_9
---
diff --git a/SOURCES/flatpak-1.0.9-fix-CVE-2021-21381.patch b/SOURCES/flatpak-1.0.9-fix-CVE-2021-21381.patch
new file mode 100644
index 0000000..0d118f1
--- /dev/null
+++ b/SOURCES/flatpak-1.0.9-fix-CVE-2021-21381.patch
@@ -0,0 +1,86 @@
+From cb6fce9e4122ace2960c437def3b1a197bb49b3a Mon Sep 17 00:00:00 2001
+From: Ryan Gonzalez
+Date: Tue, 2 Mar 2021 13:20:07 -0600
+Subject: [PATCH 1/3] Disallow @@ and @@u usage in desktop files
+
+Fixes #4146.
+---
+ common/flatpak-dir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index e6e4d6fb3..7d3374dad 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -7139,6 +7139,8 @@ export_desktop_file (const char *app,
+ g_string_append_printf (new_exec, " @@ %s @@", arg);
+ else if (strcasecmp (arg, "%u") == 0)
+ g_string_append_printf (new_exec, " @@u %s @@", arg);
++ else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
++ g_print (_("Skipping invalid Exec argument %s\n"), arg);
+ else
+ g_string_append_printf (new_exec, " %s", arg);
+ }
+
+From 0bdcb88b2d0013aa435dc03950fb42cef2cbd359 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Fri, 5 Mar 2021 13:49:36 +0000
+Subject: [PATCH 2/3] dir: Reserve the whole @@ prefix
+
+If we add new features analogous to file forwarding later, we might
+find that we need a different magic token. Let's reserve the whole
+@@* namespace so we can call it @@something-else.
+
+Signed-off-by: Simon McVittie
+---
+ common/flatpak-dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 7d3374dad..facfab37a 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -7139,7 +7139,7 @@ export_desktop_file (const char *app,
+ g_string_append_printf (new_exec, " @@ %s @@", arg);
+ else if (strcasecmp (arg, "%u") == 0)
+ g_string_append_printf (new_exec, " @@u %s @@", arg);
+- else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
++ else if (g_str_has_prefix (arg, "@@"))
+ g_print (_("Skipping invalid Exec argument %s\n"), arg);
+ else
+ g_string_append_printf (new_exec, " %s", arg);
+
+From 230f4c3521cd0dffa446ab9b70e958cdd9241bbe Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Fri, 5 Mar 2021 13:51:33 +0000
+Subject: [PATCH 3/3] dir: Refuse to export .desktop files with suspicious uses
+ of @@ tokens
+
+This is either a malicious/compromised app trying to do an attack, or
+a mistake that will break handling of %f, %u and so on. Either way,
+if we refuse to export the .desktop file, resulting in installation
+failing, then it makes the rejection more obvious than quietly
+removing the magic tokens.
+
+Signed-off-by: Simon McVittie
+---
+ common/flatpak-dir.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index facfab37a..c5edf346f 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -7140,7 +7140,11 @@ export_desktop_file (const char *app,
+ else if (strcasecmp (arg, "%u") == 0)
+ g_string_append_printf (new_exec, " @@u %s @@", arg);
+ else if (g_str_has_prefix (arg, "@@"))
+- g_print (_("Skipping invalid Exec argument %s\n"), arg);
++ {
++ flatpak_fail_error (error, FLATPAK_ERROR_EXPORT_FAILED,
++ _("Invalid Exec argument %s"), arg);
++ goto out;
++ }
+ else
+ g_string_append_printf (new_exec, " %s", arg);
+ }
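Review bot: The final form of the check (patch 3/3 in this file) rejects any `@@`-prefixed Exec argument without a comment saying why that is fatal rather than a cosmetic problem, which is the kind of branch a later maintainer is tempted to relax; I would add, directly above the `g_str_has_prefix (arg, "@@")` test, `/* "@@" and "@@u" are the file-forwarding magic tokens that flatpak itself inserts around %f/%u; an app's .desktop file must never be able to supply them (CVE-2021-21381), so refuse the export. */`. The error path relies on an `out:` label and on `error` being the caller's out-parameter, both outside the hunk, so whether `new_exec` and the other locals are released on this early exit cannot be confirmed from here; export_desktop_file's body starts and ends outside the hunk. Note also that the new test is case-sensitive while the neighbouring `%f`/`%u` tests use strcasecmp; that is consistent only if the consumer of these tokens matches them case-sensitively too, which is worth confirming against the run-side code. Patches 1/3 and 2/3 are superseded within the same file, so only the final branch needs review.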
diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec
index 27072ef..fca2aff 100644
--- a/SPECS/flatpak.spec
+++ b/SPECS/flatpak.spec
@@ -4,7 +4,7 @@ Name: flatpak
 Version: %{flatpak_version}
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: Application deployment framework for desktop apps
 License: LGPLv2+
@@ -25,6 +25,8 @@ Patch3: 0001-oci-Handle-cancellations-for-appstream.patch
 Patch4: 0003-update-Fix-OCI-updates-in-the-system-repo.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1918771
 Patch5: flatpak-1.0.9-fix-CVE-2021-21261.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1938059
+Patch6: flatpak-1.0.9-fix-CVE-2021-21381.patch
 BuildRequires: pkgconfig(appstream-glib)
 BuildRequires: pkgconfig(fuse)
@@ -139,6 +141,7 @@ This package contains libflatpak.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 %build
@@ -295,6 +298,9 @@ flatpak remote-list --system &> /dev/null || :
 %changelog
+* Mon Mar 22 2021 David King - 1.0.9-11
+- Fix CVE-2021-21381 (#1938059)
+
 * Tue Jan 26 2021 David King - 1.0.9-10
 - Fix CVE-2021-21261 (#1918771)