diff --git a/SOURCES/flatpak-1.0.4-oci-fixes.patch b/SOURCES/flatpak-1.0.4-oci-fixes.patch new file mode 100644 index 0000000..663d389 --- /dev/null +++ b/SOURCES/flatpak-1.0.4-oci-fixes.patch @@ -0,0 +1,346 @@ +From 3f5235e925ba6555cd9c639684660356867c952f Mon Sep 17 00:00:00 2001 +From: "Owen W. Taylor" +Date: Fri, 30 Nov 2018 16:11:06 -0500 +Subject: [PATCH 1/3] flatpak_cache_http_uri: save downloaded files with + permission 0644 + +Previously, downloaded files were being saved with 0600 permissions, +which prevented OCI icons downloaded by the system helper at appstream +creation time from being read by users. + +Closes: #2362 +Approved by: matthiasclasen +--- + common/flatpak-utils-http.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/common/flatpak-utils-http.c b/common/flatpak-utils-http.c +index 53074162..997c9db8 100644 +--- a/common/flatpak-utils-http.c ++++ b/common/flatpak-utils-http.c +@@ -645,6 +645,9 @@ sync_and_rename_tmpfile (GLnxTmpfile *tmpfile, + if (fdatasync (tmpfile->fd) != 0) + return glnx_throw_errno_prefix (error, "fdatasync"); + ++ if (fchmod (tmpfile->fd, 0644) != 0) ++ return glnx_throw_errno_prefix (error, "fchmod"); ++ + if (!glnx_link_tmpfile_at (tmpfile, + GLNX_LINK_TMPFILE_REPLACE, + tmpfile->src_dfd, dest_name, error)) +-- +2.19.2 + + +From 3263827dbbd4d84919899e91ca066d2d3cf338bc Mon Sep 17 00:00:00 2001 +From: Alexander Larsson +Date: Fri, 30 Nov 2018 10:30:20 +0100 +Subject: [PATCH 2/3] OCI: Use system helper to generate summary for OCI + remotes + +The OCI support relies on downloading a json index and converting it +to a ostree-style summary, which we the use in all sorts of operations +in the client code. Currently this happens in the user code, which means +that it will fail (due to permissions) in the system installation case. + +We could do the conversion as the user, but when eventually installing +something the system-helper will anyway do this download and +conversion, so that would only double the work and risk things going out +of sync. Also, the OCI index is not gpg signed, so we can't realy on +downloads done as the user. + +So, the solution done here is to add a GenerateOciSummary +system-helper call which we use instead of directly generating the +oci summary. + +This fixes https://github.com/flatpak/flatpak/issues/2350 + +Closes: #2363 +Approved by: matthiasclasen +--- + common/flatpak-dir-private.h | 5 ++ + common/flatpak-dir.c | 94 +++++++++++++++++++-------- + data/org.freedesktop.Flatpak.xml | 5 ++ + system-helper/flatpak-system-helper.c | 52 ++++++++++++++- + 4 files changed, 129 insertions(+), 27 deletions(-) + +diff --git a/common/flatpak-dir-private.h b/common/flatpak-dir-private.h +index 64a72758..f6126056 100644 +--- a/common/flatpak-dir-private.h ++++ b/common/flatpak-dir-private.h +@@ -718,6 +718,11 @@ FlatpakRemoteState * flatpak_dir_get_remote_state_for_summary (FlatpakDir *sel + GBytes *opt_summary_sig, + GCancellable *cancellable, + GError **error); ++gboolean flatpak_dir_remote_make_oci_summary (FlatpakDir *self, ++ const char *remote, ++ GBytes **out_summary, ++ GCancellable *cancellable, ++ GError **error); + FlatpakRemoteState * flatpak_dir_get_remote_state_optional (FlatpakDir *self, + const char *remote, + GCancellable *cancellable, +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index 828945ca..7853b74a 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -1385,6 +1385,22 @@ flatpak_dir_system_helper_call_update_summary (FlatpakDir *self, + return ret != NULL; + } + ++static gboolean ++flatpak_dir_system_helper_call_generate_oci_summary (FlatpakDir *self, ++ const gchar *arg_origin, ++ const gchar *arg_installation, ++ GCancellable *cancellable, ++ GError **error) ++{ ++ g_autoptr(GVariant) ret = ++ flatpak_dir_system_helper_call (self, "GenerateOciSummary", ++ g_variant_new ("(ss)", ++ arg_origin, ++ arg_installation), ++ cancellable, error); ++ return ret != NULL; ++} ++ + static OstreeRepo * + system_ostree_repo_new (GFile *repodir) + { +@@ -9088,7 +9104,7 @@ flatpak_dir_cache_summary (FlatpakDir *self, + G_UNLOCK (cache); + } + +-static gboolean ++gboolean + flatpak_dir_remote_make_oci_summary (FlatpakDir *self, + const char *remote, + GBytes **out_summary, +@@ -9103,42 +9119,68 @@ flatpak_dir_remote_make_oci_summary (FlatpakDir *self, + g_autoptr(GError) local_error = NULL; + g_autoptr(GMappedFile) mfile = NULL; + g_autoptr(GBytes) cache_bytes = NULL; ++ g_autoptr(GBytes) summary_bytes = NULL; + +- self_name = flatpak_dir_get_name (self); +- +- index_cache = flatpak_dir_update_oci_index (self, remote, &index_uri, cancellable, error); +- if (index_cache == NULL) +- return FALSE; ++ if (flatpak_dir_use_system_helper (self, NULL)) ++ { ++ const char *installation = flatpak_dir_get_id (self); + +- summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); +- if (summary_cache == NULL) +- return FALSE; ++ if (!flatpak_dir_system_helper_call_generate_oci_summary (self, remote, ++ installation ? installation : "", ++ cancellable, error)) ++ return FALSE; + +- if (check_destination_mtime (index_cache, summary_cache, cancellable)) ++ summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); ++ if (summary_cache == NULL) ++ return FALSE; ++ } ++ else + { +- mfile = g_mapped_file_new (flatpak_file_get_path_cached (summary_cache), FALSE, NULL); +- if (mfile) ++ self_name = flatpak_dir_get_name (self); ++ ++ index_cache = flatpak_dir_update_oci_index (self, remote, &index_uri, cancellable, error); ++ if (index_cache == NULL) ++ return FALSE; ++ ++ summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); ++ if (summary_cache == NULL) ++ return FALSE; ++ ++ if (!check_destination_mtime (index_cache, summary_cache, cancellable)) + { +- cache_bytes = g_mapped_file_get_bytes (mfile); +- *out_summary = g_steal_pointer (&cache_bytes); ++ summary = flatpak_oci_index_make_summary (index_cache, index_uri, cancellable, &local_error); ++ if (summary == NULL) ++ { ++ g_propagate_error (error, g_steal_pointer (&local_error)); ++ return FALSE; ++ } ++ ++ summary_bytes = g_variant_get_data_as_bytes (summary); ++ ++ if (!g_file_replace_contents (summary_cache, ++ g_bytes_get_data (summary_bytes, NULL), ++ g_bytes_get_size (summary_bytes), ++ NULL, FALSE, 0, NULL, cancellable, error)) ++ { ++ g_prefix_error (error, _("Failed to write summary cache: ")); ++ return FALSE; ++ } ++ ++ if (out_summary) ++ *out_summary = g_steal_pointer (&summary_bytes); + return TRUE; + } + } + +- summary = flatpak_oci_index_make_summary (index_cache, index_uri, cancellable, &local_error); +- if (summary == NULL) ++ if (out_summary) + { +- g_propagate_error (error, g_steal_pointer (&local_error)); +- return FALSE; +- } +- +- *out_summary = g_variant_get_data_as_bytes (summary); ++ mfile = g_mapped_file_new (flatpak_file_get_path_cached (summary_cache), FALSE, error); ++ if (mfile == NULL) ++ return FALSE; + +- if (!g_file_replace_contents (summary_cache, +- g_bytes_get_data (*out_summary, NULL), +- g_bytes_get_size (*out_summary), +- NULL, FALSE, 0, NULL, cancellable, NULL)) +- g_warning ("Failed to write summary cache"); ++ cache_bytes = g_mapped_file_get_bytes (mfile); ++ *out_summary = g_steal_pointer (&cache_bytes); ++ } + + return TRUE; + } +diff --git a/data/org.freedesktop.Flatpak.xml b/data/org.freedesktop.Flatpak.xml +index 25dc8a02..8b1606c6 100644 +--- a/data/org.freedesktop.Flatpak.xml ++++ b/data/org.freedesktop.Flatpak.xml +@@ -144,6 +144,11 @@ + + + ++ ++ ++ ++ ++ + + + +diff --git a/system-helper/flatpak-system-helper.c b/system-helper/flatpak-system-helper.c +index ce647b6e..29a2d3e1 100644 +--- a/system-helper/flatpak-system-helper.c ++++ b/system-helper/flatpak-system-helper.c +@@ -1122,6 +1122,54 @@ handle_update_summary (FlatpakSystemHelper *object, + return TRUE; + } + ++static gboolean ++handle_generate_oci_summary (FlatpakSystemHelper *object, ++ GDBusMethodInvocation *invocation, ++ const gchar *arg_origin, ++ const gchar *arg_installation) ++{ ++ g_autoptr(FlatpakDir) system = NULL; ++ g_autoptr(GError) error = NULL; ++ gboolean is_oci; ++ ++ g_debug ("GenerateOciSummary %s %s", arg_origin, arg_installation); ++ ++ system = dir_get_system (arg_installation, &error); ++ if (system == NULL) ++ { ++ g_dbus_method_invocation_return_gerror (invocation, error); ++ return TRUE; ++ } ++ ++ if (!flatpak_dir_ensure_repo (system, NULL, &error)) ++ { ++ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, ++ "Can't open system repo %s", error->message); ++ return TRUE; ++ } ++ ++ is_oci = flatpak_dir_get_remote_oci (system, arg_origin); ++ if (!is_oci) ++ { ++ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS, ++ "%s is not a OCI remote", arg_origin); ++ return TRUE; ++ } ++ ++ if (!flatpak_dir_remote_make_oci_summary (system, arg_origin, NULL, NULL, &error)) ++ { ++ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, ++ "Failed to update OCI summary: %s", error->message); ++ return TRUE; ++ } ++ ++ ++ flatpak_system_helper_complete_generate_oci_summary (object, invocation); ++ ++ return TRUE; ++} ++ ++ + static gboolean + flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface, + GDBusMethodInvocation *invocation, +@@ -1250,7 +1298,8 @@ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface, + g_strcmp0 (method_name, "PruneLocalRepo") == 0 || + g_strcmp0 (method_name, "EnsureRepo") == 0 || + g_strcmp0 (method_name, "RunTriggers") == 0 || +- g_strcmp0 (method_name, "UpdateSummary") == 0) ++ g_strcmp0 (method_name, "UpdateSummary") == 0 || ++ g_strcmp0 (method_name, "GenerateOciSummary") == 0) + { + const char *remote; + +@@ -1321,6 +1370,7 @@ on_bus_acquired (GDBusConnection *connection, + g_signal_connect (helper, "handle-ensure-repo", G_CALLBACK (handle_ensure_repo), NULL); + g_signal_connect (helper, "handle-run-triggers", G_CALLBACK (handle_run_triggers), NULL); + g_signal_connect (helper, "handle-update-summary", G_CALLBACK (handle_update_summary), NULL); ++ g_signal_connect (helper, "handle-generate-oci-summary", G_CALLBACK (handle_generate_oci_summary), NULL); + + g_signal_connect (helper, "g-authorize-method", + G_CALLBACK (flatpak_authorize_method_handler), +-- +2.19.2 + + +From b7f1d5118fc4e1df472f7108472f122e279fe2b9 Mon Sep 17 00:00:00 2001 +From: Matthias Clasen +Date: Fri, 7 Dec 2018 14:39:06 -0500 +Subject: [PATCH 3/3] Fix oci pull progress reporting + +Comparing the code in flatpak-utils.c:progress_cb, +we need to set bytes-transferred for the total amount +of data that has been transferred so far. The value +we were setting so far, fetched-delta-part-size, refers +to the size of the objects we already have locally, and +is subtracted from the total, which explains oci progress +running backwards. + +Closes: #2392 + +Closes: #2400 +Approved by: matthiasclasen +--- + common/flatpak-dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index 7853b74a..51cd1e66 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -4154,7 +4154,7 @@ oci_pull_progress_cb (guint64 total_size, guint64 pulled_size, + "total-delta-parts", "u", n_layers, + "fetched-delta-fallbacks", "u", 0, + "total-delta-fallbacks", "u", 0, +- "fetched-delta-part-size", "t", pulled_size, ++ "bytes-transferred", "t", pulled_size, + "total-delta-part-size", "t", total_size, + "total-delta-part-usize", "t", total_size, + "total-delta-superblocks", "u", 0, +-- +2.19.2 + diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec index 17550b4..eeba662 100644 --- a/SPECS/flatpak.spec +++ b/SPECS/flatpak.spec @@ -4,7 +4,7 @@ Name: flatpak Version: %{flatpak_version} -Release: 5%{?dist} +Release: 7%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ @@ -19,10 +19,12 @@ Patch0: no-user-systemd.patch # Make sure our resulting binaries always have the rpath set to the bundled # ostree directory Patch1: flatpak-ostree-bundle.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1675433 -Patch2: flatpak-1.0.2-CVE-2019-5736.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1700651 -Patch3: flatpak-1.0.2-CVE-2019-10063.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1660137 +Patch2: flatpak-1.0.4-oci-fixes.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1675435 +Patch3: flatpak-1.0.2-CVE-2019-5736.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1700652 +Patch4: flatpak-1.0.2-CVE-2019-10063.patch BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(fuse) @@ -135,6 +137,7 @@ This package contains libflatpak. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 %build @@ -291,14 +294,20 @@ flatpak remote-list --system &> /dev/null || : %changelog -* Mon Apr 29 2019 David King - 1.0.2-5 -- Fix IOCSTI sandbox bypass (#1700651) +* Mon Apr 29 2019 David King - 1.0.2-7 +- Fix IOCSTI sandbox bypass (#1700652) -* Fri Feb 15 2019 David King - 1.0.2-4 -- Tweak /proc sandbox patch (#1675433) +* Fri Feb 15 2019 David King - 1.0.2-6 +- Tweak /proc sandbox patch (#1675435) -* Wed Feb 13 2019 David King - 1.0.2-3 -- Do not mount /proc in root sandbox (#1675433) +* Wed Feb 13 2019 David King - 1.0.2-5 +- Do not mount /proc in root sandbox (#1675435) + +* Mon Jan 14 2019 David King - 1.0.2-4 +- Apply the OCI support patch (#1660137) + +* Mon Jan 07 2019 David King - 1.0.2-3 +- Backport patches to improve OCI support (#1660137) * Thu Sep 13 2018 Kalev Lember - 1.0.2-2 - Update to 1.0.2 (#1570030)