diff --git a/.flatpak.metadata b/.flatpak.metadata
index 3346bf3..c309987 100644
--- a/.flatpak.metadata
+++ b/.flatpak.metadata
@@ -1 +1 @@
-d4d771e7bfa4ab275845cf7259f9b25784ccc095 SOURCES/flatpak-1.10.5.tar.xz
+7745ab42122080e89fef75a6dc2e7d98703c7b2c SOURCES/flatpak-1.12.4.tar.xz
diff --git a/.gitignore b/.gitignore
index 97dea87..7c208a9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/flatpak-1.10.5.tar.xz
+SOURCES/flatpak-1.12.4.tar.xz
diff --git a/SOURCES/0001-Fix-handling-of-syscalls-only-allowed-by-devel.patch b/SOURCES/0001-Fix-handling-of-syscalls-only-allowed-by-devel.patch
deleted file mode 100644
index cf7f463..0000000
--- a/SOURCES/0001-Fix-handling-of-syscalls-only-allowed-by-devel.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 24485224223b8ed41976ead5801cb04c4d961f93 Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Fri, 8 Oct 2021 19:00:13 +0100
-Subject: [PATCH] Fix handling of syscalls only allowed by --devel
-
-This was incorrectly looking at errno instead of -r.
-
-Fixes: 0b38b0f0 "run: Handle unknown syscalls as intended"
-Signed-off-by: Simon McVittie
-(cherry picked from commit 3fc8c672676ae016f8e7cc90481b2feecbad9861)
-(cherry picked from commit 97e128c2c1520202486b5e165e1734cbb421568a)
----
- common/flatpak-run.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index 6142daafa56d..4048476bf455 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -2992,7 +2992,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
-
- /* See above for the meaning of EFAULT. */
-- if (errno == EFAULT)
-+ if (r == -EFAULT)
- flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
- scall);
- else if (r < 0)
---
-2.31.1
-
diff --git a/SOURCES/flatpak-add-fedora-repos.service b/SOURCES/flatpak-add-fedora-repos.service
deleted file mode 100644
index 56c246b..0000000
--- a/SOURCES/flatpak-add-fedora-repos.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Add Fedora flatpak repositories
-ConditionPathExists=!/var/lib/flatpak/.fedora-initialized
-Before=flatpak-system-helper.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/bin/flatpak remote-add --system --if-not-exists --title "Fedora Flatpaks" fedora oci+https://registry.fedoraproject.org
-ExecStart=/usr/bin/flatpak remote-add --system --if-not-exists --disable --title "Fedora Flatpaks (testing)" fedora-testing oci+https://registry.fedoraproject.org#testing
-ExecStartPost=/usr/bin/touch /var/lib/flatpak/.fedora-initialized
-
-[Install]
-WantedBy=multi-user.target
diff --git a/SOURCES/flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch b/SOURCES/flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch
new file mode 100644
index 0000000..7c8c332
--- /dev/null
+++ b/SOURCES/flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch
@@ -0,0 +1,38 @@
+From 7dd160f33054863b1ea6f75ac279a42121a16430 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray
+Date: Mon, 31 Jan 2022 21:17:29 +0100
+Subject: [PATCH] dir: Use SHA256, not SHA1, to name the cache for a filtered
+ remote
+
+SHA1 hashes are considered weak these days. Some distributions have
+static analysis tools to detect the use of such weak hashes, and they
+get triggered by flatpak. While this particular use of SHA1 in flatpak
+is likely not security sensitive, it's also easy to move to SHA256 to
+avoid any debate.
+
+Here, the SHA1 hash of a named remote's filter file is used to generate
+the name of the directory where the refs from that remote are cached.
+One can reasonably assume that the cache is frequently invalidated
+because the list of refs on the remote changes all the time. Hence,
+it's not big problem if it gets invalidated once more because of this
+change.
+---
+ common/flatpak-dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 18384bd432fc..c6d08e85b41f 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -10923,7 +10923,7 @@ remote_filter_load (GFile *path, GError **error)
+ }
+
+ filter = g_new0 (RemoteFilter, 1);
+- filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA1, (guchar *)data, data_size);
++ filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA256, (guchar *)data, data_size);
+ filter->path = g_object_ref (path);
+ filter->mtime = mtime;
+ filter->last_mtime_check = g_get_monotonic_time ();
+--
+2.34.1
+
diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec
index fc032ac..44eb4ed 100644
--- a/SPECS/flatpak.spec
+++ b/SPECS/flatpak.spec
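Review bot: The rewritten `filter->checksum` assignment in `remote_filter_load` has no comment saying what the digest is used for, which is the first thing anyone triaging a weak-hash finding needs to know. The patch description says the value only generates the name of the cache directory for a filtered remote, so a line such as `/* Used to name the cache directory for this filter, not as an integrity check. */` above the call would record that, provided `filter->checksum` has no other consumer (the hunk does not show one way or the other). The description also implies that caches named with the old SHA1 value are simply abandoned; whether anything prunes them cannot be seen here, because the body of `remote_filter_load` starts and ends outside the hunk.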
@@ -2,18 +2,21 @@ %global ostree_version 2020.8 Name: flatpak -Version: 1.10.5 -Release: 1%{?dist} +Version: 1.12.4 +Release: 2%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz + +%if 0%{?fedora} # Add Fedora flatpak repositories Source1: flatpak-add-fedora-repos.service +%endif -# https://github.com/flatpak/flatpak/pull/4473 -Patch0: 0001-Fix-handling-of-syscalls-only-allowed-by-devel.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1935508 +Patch0: flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(dconf) @@ -44,8 +47,6 @@ BuildRequires: /usr/bin/xdg-dbus-proxy BuildRequires: /usr/bin/xmlto BuildRequires: /usr/bin/xsltproc -%{?systemd_requires} - Requires: bubblewrap >= %{bubblewrap_version} Requires: librsvg2%{?_isa} Requires: ostree-libs%{?_isa} >= %{ostree_version} @@ -151,8 +152,12 @@ install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir} # The system repo is not installed by the flatpak build system. install -d %{buildroot}%{_localstatedir}/lib/flatpak install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d -install -D -t %{buildroot}%{_unitdir} %{SOURCE1} rm -f %{buildroot}%{_libdir}/libflatpak.la + +%if 0%{?fedora} +install -D -t %{buildroot}%{_unitdir} %{SOURCE1} +%endif + %find_lang %{name} # Work around selinux denials, see 
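Review bot: The comment above the new `Patch0` cites only the Bugzilla entry, while the line it replaces cited the upstream pull request, so the spec no longer says whether this patch exists upstream. The patch header names commit 7dd160f33054863b1ea6f75ac279a42121a16430, but nothing visible ties that to an upstream branch or release. A second comment line such as `# Upstream: <upstream commit or PR URL>` would tell the next rebase whether the patch can be dropped.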
@@ -169,27 +174,27 @@ getent passwd flatpak >/dev/null || \ exit 0 +%if 0%{?fedora} %post %systemd_post flatpak-add-fedora-repos.service +%endif -if [ $1 -gt 1 ] ; then - # Apply the preset also on package updates to support F29->F31 upgrade - # path. systemd_post macro only handles initial installs and not the - # case when a new .service file appears on a package update. - # Should be fine to drop in F32. - systemctl --no-reload preset flatpak-add-fedora-repos.service >/dev/null 2>&1 || : -fi %post selinux %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2 +%if 0%{?fedora} %preun %systemd_preun flatpak-add-fedora-repos.service +%endif +%if 0%{?fedora} %postun %systemd_postun_with_restart flatpak-add-fedora-repos.service +%endif + %postun selinux if [ $1 -eq 0 ]; then @@ -232,12 +237,15 @@ fi %{_sysconfdir}/flatpak/remotes.d %{_sysconfdir}/profile.d/flatpak.sh %{_sysusersdir}/flatpak.conf -%{_unitdir}/flatpak-add-fedora-repos.service %{_unitdir}/flatpak-system-helper.service %{_userunitdir}/flatpak-oci-authenticator.service %{_userunitdir}/flatpak-portal.service %{_systemd_user_env_generator_dir}/60-flatpak +%if 0%{?fedora} +%{_unitdir}/flatpak-add-fedora-repos.service +%endif + %files devel %{_datadir}/gir-1.0/Flatpak-1.0.gir %{_datadir}/gtk-doc/ @@ -267,6 +275,23 @@ fi %changelog +* Tue Feb 08 2022 Debarshi Ray - 1.12.4-2 +- Don't try to add Fedora's OCI Flatpak repository on RHEL +- Remove an obsolete Fedora-specific update path +Resolves: #2051697 + +* Mon Feb 07 2022 Neal Gompa - 1.12.4-1 +- Rebase to 1.12.4 +Resolves: #2050302 + +* Thu Feb 03 2022 Debarshi Ray - 1.10.7-2 +- Use SHA256, not SHA1, to name the cache for a filtered remote +Resolves: #1935508 + +* Wed Feb 02 2022 Debarshi Ray - 1.10.7-1 +- Update to 1.10.7 (CVE-2021-43860) +Resolves: #2041973 + * Tue Oct 26 2021 Debarshi Ray - 1.10.5-1 - Update to 1.10.5 (CVE-2021-41133) Resolves: #2012862
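Review bot: The `%post`, `%preun` and `%postun` scriptlets kept under `%if 0%{?fedora}` still call `%systemd_post`, `%systemd_preun` and `%systemd_postun_with_restart`, but the earlier hunk at `@@ -44,8 +47,6 @@` removes `%{?systemd_requires}` for every target. On a Fedora build that would presumably leave these scriptlets without their scriptlet-time dependency on systemd. Keeping the macro under the same guard (`%if 0%{?fedora}`, `%{?systemd_requires}`, `%endif`) preserves it where the unit is still shipped. The adjacent `%preun` and `%postun` guards could also share a single `%if` block.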
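Review bot: Dropping `flatpak-add-fedora-repos.service` from `%files` outside Fedora removes the unit on upgrade, but nothing in this change undoes what the unit may already have done. The deleted unit ran `flatpak remote-add --system ... fedora oci+https://registry.fedoraproject.org` and touched `/var/lib/flatpak/.fedora-initialized`, so a host where it ran under 1.10.5 would presumably keep that system remote and the stamp file after updating. If that is intended, a spec comment such as `# Remotes added by the old unit are left in place; 'flatpak remote-delete --system fedora' removes them` next to the guarded `%files` entry would make it explicit for administrators auditing configured remotes.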