diff --git a/.flatpak.metadata b/.flatpak.metadata index 3007110..76bd630 100644 --- a/.flatpak.metadata +++ b/.flatpak.metadata @@ -1 +1 @@ -6763d41ca91cb2547456c16ca5f7d53c95d89a14 SOURCES/flatpak-1.6.2.tar.xz +a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz diff --git a/.gitignore b/.gitignore index 4568fda..27b08dc 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/flatpak-1.6.2.tar.xz +SOURCES/flatpak-1.8.5.tar.xz diff --git a/SOURCES/flatpak-1.6.2-oci-fixes.patch b/SOURCES/flatpak-1.6.2-oci-fixes.patch deleted file mode 100644 index c2c6550..0000000 --- a/SOURCES/flatpak-1.6.2-oci-fixes.patch +++ /dev/null @@ -1,161 +0,0 @@ -diff -urN flatpak-1.6.2/common/flatpak-oci-registry.c flatpak-1.6.2.new/common/flatpak-oci-registry.c ---- flatpak-1.6.2/common/flatpak-oci-registry.c 2019-12-20 09:52:17.000000000 +0000 -+++ flatpak-1.6.2.new/common/flatpak-oci-registry.c 2020-03-20 12:01:39.923000000 +0000 -@@ -901,6 +901,7 @@ - - static char * - get_token_for_www_auth (FlatpakOciRegistry *self, -+ const char *repository, - const char *www_authenticate, - const char *auth, - GCancellable *cancellable, -@@ -911,6 +912,7 @@ - g_autoptr(GHashTable) params = NULL; - g_autoptr(GHashTable) args = NULL; - const char *realm, *service, *scope, *token; -+ g_autofree char *default_scope = NULL; - g_autoptr(SoupURI) auth_uri = NULL; - g_autoptr(GBytes) body = NULL; - g_autoptr(JsonNode) json = NULL; -@@ -941,16 +943,21 @@ - service = g_hash_table_lookup (params, "service"); - if (service) - g_hash_table_insert (args, "service", (char *)service); -+ - scope = g_hash_table_lookup (params, "scope"); -- if (scope) -- g_hash_table_insert (args, "scope", (char *)scope); -+ if (scope == NULL) -+ scope = default_scope = g_strdup_printf("repository:%s:pull", repository); -+ g_hash_table_insert (args, "scope", (char *)scope); - - soup_uri_set_query_from_form (auth_uri, args); - - auth_msg = soup_message_new_from_uri ("GET", auth_uri); - -- g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth); -- soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth); -+ if (auth) -+ { -+ g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth); -+ soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth); -+ } - - auth_stream = soup_session_send (self->soup_session, auth_msg, NULL, error); - if (auth_stream == NULL) -@@ -1030,7 +1037,7 @@ - return NULL; - } - -- token = get_token_for_www_auth (self, www_authenticate, basic_auth, cancellable, error); -+ token = get_token_for_www_auth (self, repository, www_authenticate, basic_auth, cancellable, error); - if (token == NULL) - return NULL; - -diff -urN flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c ---- flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c 2019-12-19 09:33:40.000000000 +0000 -+++ flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c 2020-03-20 12:01:39.936000000 +0000 -@@ -428,10 +428,12 @@ - g_autoptr(GError) error = NULL; - g_autoptr(AutoFlatpakAuthenticatorRequest) request = NULL; - const char *auth = NULL; -+ gboolean have_auth; - const char *oci_registry_uri = NULL; - gsize n_refs, i; - gboolean no_interaction = FALSE; - g_autoptr(FlatpakOciRegistry) registry = NULL; -+ g_autofree char *first_token = NULL; - GVariantBuilder tokens; - GVariantBuilder results; - g_autofree char *sender = g_strdup (g_dbus_method_invocation_get_sender (invocation)); -@@ -439,6 +441,7 @@ - g_debug ("handling Authenticator.RequestRefTokens"); - - g_variant_lookup (arg_authenticator_options, "auth", "&s", &auth); -+ have_auth = auth != NULL; - - if (!g_variant_lookup (arg_options, "xa.oci-registry-uri", "&s", &oci_registry_uri)) - { -@@ -476,18 +479,33 @@ - return error_request (request, sender, error->message); - - -- if (auth == NULL) -+ /* Look up credentials in config files */ -+ if (!have_auth) - { - g_debug ("Looking for %s in auth info", oci_registry_uri); - auth = lookup_auth_from_config (oci_registry_uri); -+ have_auth = auth != NULL; - } - -+ /* Try to see if we can get a token without presenting credentials */ - n_refs = g_variant_n_children (arg_refs); -- if (auth == NULL && n_refs > 0 && -+ if (!have_auth && n_refs > 0) -+ { -+ g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0); -+ -+ first_token = get_token_for_ref (registry, ref_data, NULL, &error); -+ if (first_token != NULL) -+ have_auth = TRUE; -+ else -+ g_clear_error (&error); -+ } -+ -+ /* Prompt the user for credentials */ -+ n_refs = g_variant_n_children (arg_refs); -+ if (!have_auth && n_refs > 0 && - !no_interaction) - { - g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0); -- g_autofree char *token = NULL; - - while (auth == NULL) - { -@@ -498,13 +516,21 @@ - if (test_auth == NULL) - return cancel_request (request, sender); - -- token = get_token_for_ref (registry, ref_data, test_auth, &error); -- if (token != NULL) -- auth = g_steal_pointer (&test_auth); -+ first_token = get_token_for_ref (registry, ref_data, test_auth, &error); -+ if (first_token != NULL) -+ { -+ auth = g_steal_pointer (&test_auth); -+ have_auth = TRUE; -+ } -+ else -+ { -+ g_debug ("Failed to get token: %s", error->message); -+ g_clear_error (&error); -+ } - } - } - -- if (auth == NULL) -+ if (!have_auth) - return error_request (request, sender, "No authentication information available"); - - g_variant_builder_init (&tokens, G_VARIANT_TYPE ("a{sas}")); -@@ -515,9 +541,16 @@ - char *for_refs_strv[2] = { NULL, NULL}; - g_autofree char *token = NULL; - -- token = get_token_for_ref (registry, ref_data, auth, &error); -- if (token == NULL) -- return error_request (request, sender, error->message); -+ if (i == 0 && first_token != NULL) -+ { -+ token = g_steal_pointer (&first_token); -+ } -+ else -+ { -+ token = get_token_for_ref (registry, ref_data, auth, &error); -+ if (token == NULL) -+ return error_request (request, sender, error->message); -+ } - - g_variant_get_child (ref_data, 0, "&s", &for_refs_strv[0]); - g_variant_builder_add (&tokens, "{s^as}", token, for_refs_strv); diff --git a/SOURCES/flatpak-1.6.2-oci-fixes2.patch b/SOURCES/flatpak-1.6.2-oci-fixes2.patch deleted file mode 100644 index fe91e75..0000000 --- a/SOURCES/flatpak-1.6.2-oci-fixes2.patch +++ /dev/null @@ -1,322 +0,0 @@ -From 1b9a64e943e2233e009e01a08191b4c17580b3f6 Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Mon, 4 May 2020 13:00:35 +0200 -Subject: [PATCH 1/7] oci authenticator: Accept the right docker manifest when - authenticating - -Without this I got for the fedora registry: - -``` -getting token for https://registry.fedoraproject.org/v2/f32/flatpak-runtime/manifests/sha256:bd83b4f6974094848efac22b933419c1dbe11b553def148a82f821faf595de8a -F: Anonymous authentication failed: Unexpected response status 404 from repo -``` - -(cherry picked from commit 1ee132e70e5d0cb5fa0e022c2271f76bcfd03054) ---- - common/flatpak-oci-registry.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c -index 2505771ee..ae363bc1a 100644 ---- a/common/flatpak-oci-registry.c -+++ b/common/flatpak-oci-registry.c -@@ -1015,6 +1015,9 @@ flatpak_oci_registry_get_token (FlatpakOciRegistry *self, - - msg = soup_message_new_from_uri ("HEAD", uri); - -+ soup_message_headers_replace (msg->request_headers, "Accept", -+ FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST ", " FLATPAK_DOCKER_MEDIA_TYPE_IMAGE_MANIFEST2); -+ - stream = soup_session_send (self->soup_session, msg, NULL, error); - if (stream == NULL) - return NULL; - -From 0d4deebbd5855ceef1cdb5bac3d5c6fb630dc29e Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Mon, 4 May 2020 12:35:16 +0200 -Subject: [PATCH 2/7] By default, always try to auth to OCI remotes - -This makes for instance docker hub work. - -(cherry picked from commit fdfcae7a91e3af207c4acec918276511f112cafe) ---- - common/flatpak-auth.c | 4 ++++ - common/flatpak-dir.c | 5 +++++ - 2 files changed, 9 insertions(+) - -diff --git a/common/flatpak-auth.c b/common/flatpak-auth.c -index 9d0f689fc..9e45da41e 100644 ---- a/common/flatpak-auth.c -+++ b/common/flatpak-auth.c -@@ -49,6 +49,10 @@ flatpak_auth_new_for_remote (FlatpakDir *dir, - if (!ostree_repo_get_remote_option (repo, remote, FLATPAK_REMOTE_CONFIG_AUTHENTICATOR_NAME, NULL, &name, error)) - return NULL; - } -+ -+ if (name == NULL && flatpak_dir_get_remote_oci (dir, remote)) -+ name = g_strdup ("org.flatpak.Authenticator.Oci"); -+ - if (name == NULL || *name == 0 /* or if no repo */) - { - flatpak_fail (error, _("No authenticator configured for remote `%s`"), remote); -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 2c8e12eaf..19de4fd38 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -11233,6 +11233,11 @@ _flatpak_dir_get_remote_state (FlatpakDir *self, - } - } - -+ if (flatpak_dir_get_remote_oci (self, remote_or_uri)) -+ { -+ state->default_token_type = 1; -+ } -+ - if (state->collection_id == NULL) - { - if (state->summary != NULL) /* In the optional case we might not have a summary */ - -From 77e4db40f40a92f4f7e0ddb21ae367e9a0af9cb4 Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Fri, 8 May 2020 15:09:02 +0200 -Subject: [PATCH 3/7] oci: Add flatpak_oci_registry_is_local() - -(cherry picked from commit d4962628aa8db6132e98660fe52aa5a9ac5d3637) ---- - common/flatpak-oci-registry-private.h | 1 + - common/flatpak-oci-registry.c | 6 ++++++ - 2 files changed, 7 insertions(+) - -diff --git a/common/flatpak-oci-registry-private.h b/common/flatpak-oci-registry-private.h -index 1804e43b6..6745c5f65 100644 ---- a/common/flatpak-oci-registry-private.h -+++ b/common/flatpak-oci-registry-private.h -@@ -62,6 +62,7 @@ FlatpakOciRegistry * flatpak_oci_registry_new (const char *uri, - GError **error); - void flatpak_oci_registry_set_token (FlatpakOciRegistry *self, - const char *token); -+gboolean flatpak_oci_registry_is_local (FlatpakOciRegistry *self); - const char * flatpak_oci_registry_get_uri (FlatpakOciRegistry *self); - FlatpakOciIndex * flatpak_oci_registry_load_index (FlatpakOciRegistry *self, - GCancellable *cancellable, -diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c -index ae363bc1a..fdeee56bd 100644 ---- a/common/flatpak-oci-registry.c -+++ b/common/flatpak-oci-registry.c -@@ -205,6 +205,12 @@ flatpak_oci_registry_init (FlatpakOciRegistry *self) - self->tmp_dfd = -1; - } - -+gboolean -+flatpak_oci_registry_is_local (FlatpakOciRegistry *self) -+{ -+ return self->dfd != -1; -+} -+ - const char * - flatpak_oci_registry_get_uri (FlatpakOciRegistry *self) - { - -From 3deeea1ad50b469f7daaca7e2e0d7ba9c5efc26e Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Fri, 8 May 2020 15:10:38 +0200 -Subject: [PATCH 4/7] oci: Set token on child oci registry and pass to - system-helper - -When we create a system child registry we also set the current token on -it. This is not used directly in the client, however its saved in a -file called .token and re-read in the system-helper, allowing it to -also do the remote registry operations it needs to verify the child -registry. - -(cherry picked from commit 5d8fd2d1be914a26e128ab97be6f00e9c34bfa9d) ---- - common/flatpak-dir.c | 8 ++++++-- - common/flatpak-oci-registry.c | 15 +++++++++++++++ - 2 files changed, 21 insertions(+), 2 deletions(-) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 19de4fd38..25f874ecf 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -92,6 +92,7 @@ G_DEFINE_AUTOPTR_CLEANUP_FUNC (AutoPolkitSubject, g_object_unref) - - static FlatpakOciRegistry *flatpak_dir_create_system_child_oci_registry (FlatpakDir *self, - GLnxLockFile *file_lock, -+ const char *token, - GError **error); - - static OstreeRepo * flatpak_dir_create_child_repo (FlatpakDir *self, -@@ -8602,6 +8603,7 @@ flatpak_dir_deploy_update (FlatpakDir *self, - static FlatpakOciRegistry * - flatpak_dir_create_system_child_oci_registry (FlatpakDir *self, - GLnxLockFile *file_lock, -+ const char *token, - GError **error) - { - g_autoptr(GFile) cache_dir = NULL; -@@ -8636,6 +8638,8 @@ flatpak_dir_create_system_child_oci_registry (FlatpakDir *self, - if (new_registry == NULL) - return NULL; - -+ flatpak_oci_registry_set_token (new_registry, token); -+ - return g_steal_pointer (&new_registry); - } - -@@ -8952,7 +8956,7 @@ flatpak_dir_install (FlatpakDir *self, - g_autoptr(FlatpakOciRegistry) registry = NULL; - g_autoptr(GFile) registry_file = NULL; - -- registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, error); -+ registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, token, error); - if (registry == NULL) - return FALSE; - -@@ -9662,7 +9666,7 @@ flatpak_dir_update (FlatpakDir *self, - g_autoptr(FlatpakOciRegistry) registry = NULL; - g_autoptr(GFile) registry_file = NULL; - -- registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, error); -+ registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, token, error); - if (registry == NULL) - return FALSE; - -diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c -index fdeee56bd..c3ddb8c2b 100644 ---- a/common/flatpak-oci-registry.c -+++ b/common/flatpak-oci-registry.c -@@ -223,8 +223,15 @@ flatpak_oci_registry_set_token (FlatpakOciRegistry *self, - { - g_free (self->token); - self->token = g_strdup (token); -+ -+ if (self->token) -+ (void)glnx_file_replace_contents_at (self->dfd, ".token", -+ (guchar *)self->token, -+ strlen (self->token), -+ 0, NULL, NULL); - } - -+ - FlatpakOciRegistry * - flatpak_oci_registry_new (const char *uri, - gboolean for_write, -@@ -415,6 +422,7 @@ flatpak_oci_registry_ensure_local (FlatpakOciRegistry *self, - int dfd; - g_autoptr(GError) local_error = NULL; - g_autoptr(GBytes) oci_layout_bytes = NULL; -+ g_autoptr(GBytes) token_bytes = NULL; - gboolean not_json; - - if (self->dfd != -1) -@@ -476,6 +484,13 @@ flatpak_oci_registry_ensure_local (FlatpakOciRegistry *self, - else if (!verify_oci_version (oci_layout_bytes, ¬_json, cancellable, error)) - return FALSE; - -+ if (self->dfd != -1) -+ { -+ token_bytes = local_load_file (self->dfd, ".token", cancellable, NULL); -+ if (token_bytes != NULL) -+ self->token = g_strndup (g_bytes_get_data (token_bytes, NULL), g_bytes_get_size (token_bytes)); -+ } -+ - if (self->dfd == -1 && local_dfd != -1) - self->dfd = glnx_steal_fd (&local_dfd); - - -From 36f87863baa848c8709b75958c85857f45e97e0a Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Thu, 11 Jun 2020 15:43:16 +0200 -Subject: [PATCH 5/7] OCI: Also look for the docker media type when looking - manifests - -We handle both types, so look for both. - -(cherry picked from commit 0fdec95fe068cd497b1c5a5b60d21103c711d2a4) ---- - common/flatpak-json-oci.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/common/flatpak-json-oci.c b/common/flatpak-json-oci.c -index 6d60279d0..f5b3f0a0c 100644 ---- a/common/flatpak-json-oci.c -+++ b/common/flatpak-json-oci.c -@@ -469,7 +469,8 @@ const char * - flatpak_oci_manifest_descriptor_get_ref (FlatpakOciManifestDescriptor *m) - { - if (m->parent.mediatype == NULL || -- strcmp (m->parent.mediatype, FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST) != 0) -+ (strcmp (m->parent.mediatype, FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST) != 0 && -+ strcmp (m->parent.mediatype, FLATPAK_DOCKER_MEDIA_TYPE_IMAGE_MANIFEST2) != 0)) - return NULL; - - if (m->parent.annotations == NULL) - -From 0da4a6c82c16d4560d4931d567e2685efd8dff0d Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Mon, 4 May 2020 15:51:48 +0200 -Subject: [PATCH 6/7] tests: Make OCI authenticator available - -(cherry picked from commit 4d79110cb682b79819913aa6ce033cb7a7787c86) ---- - tests/Makefile.am.inc | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc -index 7c2e8271f..15f521485 100644 ---- a/tests/Makefile.am.inc -+++ b/tests/Makefile.am.inc -@@ -105,11 +105,15 @@ tests/services/org.flatpak.Authenticator.test.service: tests/org.flatpak.Authent - mkdir -p tests/services - $(AM_V_GEN) $(SED) -e "s|\@libexecdir\@|$(abs_top_builddir)/tests|" $< > $@ - -+tests/services/org.flatpak.Authenticator.Oci.service: oci-authenticator/org.flatpak.Authenticator.Oci.service.in -+ mkdir -p tests/services -+ $(AM_V_GEN) $(SED) -e "s|\@libexecdir\@|$(abs_top_builddir)|" $< > $@ -+ - tests/share/xdg-desktop-portal/portals/test.portal: tests/test.portal.in - mkdir -p tests/share/xdg-desktop-portal/portals - $(AM_V_GEN) install -m644 $< $@ - --tests/libtest.sh: tests/services/org.freedesktop.Flatpak.service tests/services/org.freedesktop.Flatpak.SystemHelper.service tests/services/org.freedesktop.portal.Flatpak.service tests/share/xdg-desktop-portal/portals/test.portal tests/services/org.freedesktop.impl.portal.desktop.test.service tests/services/org.flatpak.Authenticator.test.service -+tests/libtest.sh: tests/services/org.freedesktop.Flatpak.service tests/services/org.freedesktop.Flatpak.SystemHelper.service tests/services/org.freedesktop.portal.Flatpak.service tests/share/xdg-desktop-portal/portals/test.portal tests/services/org.freedesktop.impl.portal.desktop.test.service tests/services/org.flatpak.Authenticator.test.service tests/services/org.flatpak.Authenticator.Oci.service - - install-test-data-hook: - if ENABLE_INSTALLED_TESTS -@@ -223,6 +227,7 @@ DISTCLEANFILES += \ - tests/services/org.freedesktop.portal.Flatpak.service \ - tests/services/org.freedesktop.impl.portal.desktop.test.service \ - tests/services/org.flatpak.Authenticator.test.service \ -+ tests/services/org.flatpak.Authenticator.Oci.service \ - tests/share/xdg-desktop-portal/portals/test.portal \ - tests/package_version.txt \ - $(NULL) - -From 8fb4369439e57cc25c706610c5ce1ee776220278 Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Mon, 4 May 2020 15:51:59 +0200 -Subject: [PATCH 7/7] Tests: Support HEAD requests in oci-registry-server - -This just does a GET, which is not quite right, but will work. -This is needed for the authenticator. - -(cherry picked from commit 530475b9abff81d990424ca46ec57458e1bb9604) ---- - tests/oci-registry-server.py | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/tests/oci-registry-server.py b/tests/oci-registry-server.py -index 23c2db916..33c3b646b 100755 ---- a/tests/oci-registry-server.py -+++ b/tests/oci-registry-server.py -@@ -135,6 +135,9 @@ def do_GET(self): - else: - self.wfile.write(response_string.encode('utf-8')) - -+ def do_HEAD(self): -+ return self.do_GET() -+ - def do_POST(self): - if self.check_route('/testing/@repo_name/@tag'): - repo_name = self.matches['repo_name'] diff --git a/SOURCES/flatpak-1.8.5-post-cve-fixes.patch b/SOURCES/flatpak-1.8.5-post-cve-fixes.patch new file mode 100644 index 0000000..a5ee71c --- /dev/null +++ b/SOURCES/flatpak-1.8.5-post-cve-fixes.patch @@ -0,0 +1,73 @@ +From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Mon, 18 Jan 2021 17:52:13 +0000 +Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments + +This means we can systematically pass the environment variables +through bwrap(1), even if it is setuid and thus is filtering out +security-sensitive environment variables. bwrap itself ends up being +run with an empty environment instead. + +This fixes a regression when CVE-2021-21261 was fixed: before the +CVE fixes, LD_LIBRARY_PATH would have been passed through like this +and appeared in the `flatpak build` shell, but during the CVE fixes, +the special case that protected LD_LIBRARY_PATH was removed in favour +of the more general flatpak_bwrap_envp_to_args(). That reasoning only +works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere +that we run the potentially-setuid bwrap. + +Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" +Resolves: https://github.com/flatpak/flatpak/issues/4080 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323 +Signed-off-by: Simon McVittie +(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0) +--- + app/flatpak-builtins-build.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c +index 8da0de814..07ef6fc07 100644 +--- a/app/flatpak-builtins-build.c ++++ b/app/flatpak-builtins-build.c +@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError + NULL); + } + ++ flatpak_bwrap_envp_to_args (bwrap); ++ + if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) + return FALSE; + +From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Mon, 18 Jan 2021 18:07:38 +0000 +Subject: [PATCH] dir: Pass environment via bwrap --setenv when running + apply_extra + +This means we can systematically pass the environment variables +through bwrap(1), even if it is setuid and thus is filtering out +security-sensitive environment variables. bwrap ends up being +run with an empty environment instead. + +As with the previous commit, this regressed while fixing CVE-2021-21261. + +Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" +Signed-off-by: Simon McVittie +(cherry picked from commit fb473cad801c6b61706353256cab32330557374a) +--- + common/flatpak-dir.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index ed1248e74..40767fa77 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir *self, + app_context, NULL, NULL, NULL, cancellable, error)) + return FALSE; + ++ flatpak_bwrap_envp_to_args (bwrap); ++ + flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra"); + + flatpak_bwrap_finish (bwrap); diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec index fae2728..a97870b 100644 --- a/SPECS/flatpak.spec +++ b/SPECS/flatpak.spec @@ -2,17 +2,15 @@ %global ostree_version 2018.9 Name: flatpak -Version: 1.6.2 -Release: 3%{?dist} +Version: 1.8.5 +Release: 2%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz -# https://bugzilla.redhat.com/show_bug.cgi?id=1814045 -Patch0: flatpak-1.6.2-oci-fixes.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1847201 -Patch1: flatpak-1.6.2-oci-fixes2.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1918776 +Patch0: flatpak-1.8.5-post-cve-fixes.patch BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(dconf) @@ -26,6 +24,7 @@ BuildRequires: pkgconfig(libseccomp) BuildRequires: pkgconfig(libsoup-2.4) BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libxml-2.0) >= 2.4 +BuildRequires: pkgconfig(libzstd) >= 0.8.1 BuildRequires: pkgconfig(ostree-1) >= %{ostree_version} BuildRequires: pkgconfig(polkit-gobject-1) BuildRequires: pkgconfig(xau) @@ -36,7 +35,9 @@ BuildRequires: docbook-style-xsl BuildRequires: gettext BuildRequires: gpgme-devel BuildRequires: libcap-devel +BuildRequires: python3-pyparsing BuildRequires: systemd +BuildRequires: /usr/bin/python3 BuildRequires: /usr/bin/xmlto BuildRequires: /usr/bin/xsltproc @@ -185,8 +186,7 @@ fi %{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service %{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service %{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service -# Co-own directory. -%{_datadir}/gdm/env.d +%{_datadir}/fish %{_datadir}/%{name} %{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy %{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules @@ -207,6 +207,7 @@ fi %{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf %{_sysconfdir}/flatpak/remotes.d %{_sysconfdir}/profile.d/flatpak.sh +%{_sysusersdir}/flatpak.conf %{_unitdir}/flatpak-system-helper.service %{_userunitdir}/flatpak-oci-authenticator.service %{_userunitdir}/flatpak-portal.service @@ -241,6 +242,21 @@ fi %changelog +* Mon Jan 25 2021 David King - 1.8.5-2 +- Apply post-release CVE fixes (#1918776) + +* Thu Jan 14 2021 David King - 1.8.5-1 +- Rebase to 1.8.5 (#1851958) + +* Tue Nov 17 2020 David King - 1.8.3-1 +- Rebase to 1.8.3 (#1851958) + +* Mon Oct 05 2020 David King - 1.8.2-1 +- Rebase to 1.8.2 (#1851958) + +* Mon Sep 14 2020 Kalev Lember - 1.6.2-4 +- OCI: extract appstream data for runtimes (#1878231) + * Wed Jun 17 2020 David King - 1.6.2-3 - Further fixes for OCI authenticator (#1847201)