diff --git a/.flatpak.metadata b/.flatpak.metadata
index 1450248..319360d 100644
--- a/.flatpak.metadata
+++ b/.flatpak.metadata
@@ -1,3 +1,3 @@
-2dc9cc0f1d80421ea800be3c005d9b5dd94c8156 SOURCES/flatpak-1.0.2.tar.xz
+51317ee7abeb09fc68c924ee74463185be901658 SOURCES/flatpak-1.0.9.tar.xz
 5cab51142ec15ee113b4c87a2645b4e1c7179fa7 SOURCES/flatpak-builder-1.0.0.tar.xz
 c8dabfe09e987a15d99e4723be23f23da9f7bbb3 SOURCES/libostree-2018.8.tar.xz
diff --git a/.gitignore b/.gitignore
index 48b75c2..7bf1a15 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-SOURCES/flatpak-1.0.2.tar.xz
+SOURCES/flatpak-1.0.9.tar.xz
 SOURCES/flatpak-builder-1.0.0.tar.xz
 SOURCES/libostree-2018.8.tar.xz
diff --git a/SOURCES/0001-oci-Handle-cancellations-for-appstream.patch b/SOURCES/0001-oci-Handle-cancellations-for-appstream.patch
new file mode 100644
index 0000000..5c49a07
--- /dev/null
+++ b/SOURCES/0001-oci-Handle-cancellations-for-appstream.patch
@@ -0,0 +1,37 @@ +From 3ad6fe680cf3804193c8a4fe4f9f6e8840ef3524 Mon Sep 17 00:00:00 2001 +From: Matthias Clasen +Date: Wed, 17 Apr 2019 11:40:26 -0400 +Subject: [PATCH 1/3] oci: Handle cancellations for appstream + +When an appstream update is cancelled while downloading +icons, properly fail. Otherwise, the next update attempt +will see an up-to-date timestamp, think everyhing is ok +and not download the missing icons. + +Closes: https://github.com/flatpak/flatpak/issues/2835 + +Closes: #2836 +Approved by: alexlarsson + +(cherry picked from commit f28e62add1eb508bbfe97aab94743b129d1422ee) +--- + common/flatpak-oci-registry.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c +index fe9afbdd..1a6edb76 100644 +--- a/common/flatpak-oci-registry.c ++++ b/common/flatpak-oci-registry.c +@@ -2473,6 +2473,9 @@ flatpak_oci_index_make_appstream (SoupSession *soup_session, + } + } + ++ if (g_cancellable_set_error_if_cancelled (cancellable, error)) ++ return NULL; ++ + if (!flatpak_appstream_xml_root_to_data (appstream_root, + &bytes, NULL, error)) + return NULL; +-- +2.21.0 + diff --git a/SOURCES/0003-update-Fix-OCI-updates-in-the-system-repo.patch b/SOURCES/0003-update-Fix-OCI-updates-in-the-system-repo.patch new file mode 100644 index 0000000..c91ab00 --- /dev/null +++ b/SOURCES/0003-update-Fix-OCI-updates-in-the-system-repo.patch 
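Review bot: The new cancellation check at the end of flatpak_oci_index_make_appstream carries no comment explaining why it sits after the icon loop, and the reason given in the commit message (an aborted icon download must not produce appstream data whose timestamp looks current, so the icons are never re-fetched) is exactly what the next reader will need in the code. I would add above the `if (g_cancellable_set_error_if_cancelled (cancellable, error))` line: `/* If the icon download above was cancelled, fail now; otherwise the appstream data would be written with a current timestamp and the missing icons would never be re-fetched. */`. Whether the loop itself stops on cancellation or only skips individual icons cannot be seen here, since both the start and the end of the function are outside the hunk; if it merely skips, a non-cancellation download error would still reach the write below with the same stale-timestamp effect, which is worth checking.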
@@ -0,0 +1,73 @@ +From 962a7f560ee0fa08eb30b0536d4ae9659ceaf163 Mon Sep 17 00:00:00 2001 +From: Alexander Larsson +Date: Wed, 8 May 2019 16:54:55 +0200 +Subject: [PATCH 3/3] update: Fix OCI updates in the system repo + +We need to check whether the remote is gpg verified after handling +the oci case, because OCI is fine to update systemwide without gpg +verification (in fact it doesn't support verification). + +This just reorders the code, matching what is done in the install +case already. + +Closes: #2891 +Approved by: alexlarsson + +(cherry picked from commit 4c4c80b85d629bad1a377524b7787200f1c831a0) +--- + common/flatpak-dir.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index 79fa361d..1fc6a90c 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -8364,22 +8364,6 @@ flatpak_dir_update (FlatpakDir *self, + if (no_pull) + { + } +- else if ((!gpg_verify_summary && state->collection_id == NULL) || !gpg_verify) +- { +- /* The remote is not gpg verified, so we don't want to allow installation via +- a download in the home directory, as there is no way to verify you're not +- injecting anything into the remote. However, in the case of a remote +- configured to a local filesystem we can just let the system helper do +- the installation, as it can then avoid network i/o and be certain the +- data comes from the right place. +- +- If @collection_id is non-%NULL, we can verify the refs in commit +- metadata, so don’t need to verify the summary. 
*/ +- if (g_str_has_prefix (url, "file:")) +- helper_flags |= FLATPAK_HELPER_DEPLOY_FLAGS_LOCAL_PULL; +- else +- return flatpak_fail_error (error, FLATPAK_ERROR_UNTRUSTED, _("Can't pull from untrusted non-gpg verified remote")); +- } + else if (is_oci) + { + g_autoptr(FlatpakOciRegistry) registry = NULL; +@@ -8396,6 +8380,22 @@ flatpak_dir_update (FlatpakDir *self, + if (!flatpak_dir_mirror_oci (self, registry, state, ref, NULL, progress, cancellable, error)) + return FALSE; + } ++ else if ((!gpg_verify_summary && state->collection_id == NULL) || !gpg_verify) ++ { ++ /* The remote is not gpg verified, so we don't want to allow installation via ++ a download in the home directory, as there is no way to verify you're not ++ injecting anything into the remote. However, in the case of a remote ++ configured to a local filesystem we can just let the system helper do ++ the installation, as it can then avoid network i/o and be certain the ++ data comes from the right place. ++ ++ If @collection_id is non-%NULL, we can verify the refs in commit ++ metadata, so don’t need to verify the summary. */ ++ if (g_str_has_prefix (url, "file:")) ++ helper_flags |= FLATPAK_HELPER_DEPLOY_FLAGS_LOCAL_PULL; ++ else ++ return flatpak_fail_error (error, FLATPAK_ERROR_UNTRUSTED, _("Can't pull from untrusted non-gpg verified remote")); ++ } + else + { + /* We're pulling from a remote source, we do the network mirroring pull as a +-- +2.21.0 + diff --git a/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch b/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch deleted file mode 100644 index 6a9d751..0000000 --- a/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch +++ /dev/null 
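Review bot: After the reorder, an OCI remote bypasses the gpg_verify / gpg_verify_summary check in flatpak_dir_update entirely, yet nothing in the code says this ordering is deliberate; only the commit message does, so a later tidy-up could move the branches back and reintroduce the bug, or someone could move the OCI branch below the check believing it closes a hole. I would add a comment on the `else if (is_oci)` line: `/* OCI remotes cannot be GPG verified, so this branch must stay ahead of the gpg_verify check below; trust rests on the transport to the registry and on the digests checked during the mirror pull. */` — the digest part is my understanding of flatpak_dir_mirror_oci rather than something visible in this hunk, so confirm it before stating it. The relocated comment still says there is "no way to verify you're not injecting anything into the remote", which after this change applies only to non-OCI remotes; a short "(non-OCI)" qualifier in that sentence would keep it accurate. The function starts and ends outside the hunk.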
@@ -1,29 +0,0 @@ -From 9686b3007afb15162cb2b5ca3219d906cc849a60 Mon Sep 17 00:00:00 2001 -From: Ryan Gonzalez -Date: Mon, 25 Mar 2019 13:00:15 -0500 -Subject: [PATCH] run: Only compare the lowest 32 ioctl arg bits for TIOCSTI - -Closes #2782. - -Closes: #2783 -Approved by: alexlarsson ---- - common/flatpak-run.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index b4f2c475..0e6b3141 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2122,7 +2122,7 @@ setup_seccomp (FlatpakBwrap *bwrap, - {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, - - /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ -- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)}, -+ {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)}, - }; - - struct --- -2.21.0 - diff --git a/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch b/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch deleted file mode 100644 index 2fa3347..0000000 --- a/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 86d9d711bdaada5677166a99b96b769df2c5e7b6 Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Sun, 10 Feb 2019 18:23:44 +0100 -Subject: [PATCH] Don't expose /proc when running apply_extra - -As shown by CVE-2019-5736, it is sometimes possible for the sandbox -app to access outside files using /proc/self/exe. This is not -typically an issue for flatpak as the sandbox runs as the user which -has no permissions to e.g. modify the host files. - -However, when installing apps using extra-data into the system repo -we *do* actually run a sandbox as root. So, in this case we disable mounting -/proc in the sandbox, which will neuter attacks like this. ---- - common/flatpak-common-types-private.h | 1 + - common/flatpak-dir.c | 2 +- - common/flatpak-run.c | 6 +++++- - 3 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h -index 8c40d2e8..1e94bd1c 100644 ---- a/common/flatpak-common-types-private.h -+++ b/common/flatpak-common-types-private.h -@@ -44,6 +44,7 @@ typedef enum { - FLATPAK_RUN_FLAG_SANDBOX = (1 << 14), - FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15), - FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16), -+ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19), - } FlatpakRunFlags; - - typedef struct FlatpakDir FlatpakDir; -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index eb69225d..be370d49 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -6509,7 +6509,7 @@ apply_extra_data (FlatpakDir *self, - NULL); - - if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2], -- FLATPAK_RUN_FLAG_NO_SESSION_HELPER, -+ FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC, - error)) - return FALSE; - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 6ab466af..b4f2c475 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2347,9 +2347,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap, - "# 
Disable user pkcs11 config, because the host modules don't work in the runtime\n" - "user-config: none\n"; - -+ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0) -+ flatpak_bwrap_add_args (bwrap, -+ "--proc", "/proc", -+ NULL); -+ - flatpak_bwrap_add_args (bwrap, - "--unshare-pid", -- "--proc", "/proc", - "--dir", "/tmp", - "--dir", "/var/tmp", - "--dir", "/run/host", --- -2.20.1 - diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec index eeba662..366ee6c 100644 --- a/SPECS/flatpak.spec +++ b/SPECS/flatpak.spec @@ -1,10 +1,10 @@ -%global flatpak_version 1.0.2 +%global flatpak_version 1.0.9 %global flatpak_builder_version 1.0.0 %global ostree_version 2018.8 Name: flatpak Version: %{flatpak_version} -Release: 7%{?dist} +Release: 9%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ @@ -21,10 +21,8 @@ Patch0: no-user-systemd.patch Patch1: flatpak-ostree-bundle.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1660137 Patch2: flatpak-1.0.4-oci-fixes.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1675435 -Patch3: flatpak-1.0.2-CVE-2019-5736.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1700652 -Patch4: flatpak-1.0.2-CVE-2019-10063.patch +Patch3: 0001-oci-Handle-cancellations-for-appstream.patch +Patch4: 0003-update-Fix-OCI-updates-in-the-system-repo.patch BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(fuse) @@ -294,6 +292,13 @@ flatpak remote-list --system &> /dev/null || : %changelog +* Wed Jan 29 2020 Kalev Lember - 1.0.9-9 +- Backport OCI fixes from upstream +- Resolves: #1796340 + +* Fri Sep 20 2019 Kalev Lember - 1.0.9-8 +- Update to 1.0.9 (#1753591) + * Mon Apr 29 2019 David King - 1.0.2-7 - Fix IOCSTI sandbox bypass (#1700652)
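Review bot: The two new Patch lines drop the `# https://bugzilla.redhat.com/...` reference comments that the neighbouring patches in this block carry, so the spec no longer records why Patch3 and Patch4 are applied; the changelog entry names the bug, so I would add `# https://bugzilla.redhat.com/show_bug.cgi?id=1796340` above `Patch3: 0001-oci-Handle-cancellations-for-appstream.patch`. The upstream series is numbered 1/3 and 3/3 and 2/3 is not carried; if that is deliberate (for example because it is already in 1.0.9), a one-line comment saying so would save the next maintainer a check. The removed CVE-2019-5736 and CVE-2019-10063 patches are presumably included in the 1.0.9 tarball, but neither the spec nor the 1.0.9-8 changelog entry says so; a line such as `- Drop CVE-2019-5736 and CVE-2019-10063 patches, fixed upstream in 1.0.9` in that entry would document the removal.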