diff --git a/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch b/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch
new file mode 100644
index 0000000..2fa3347
--- /dev/null
+++ b/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch
@@ -0,0 +1,66 @@
+From 86d9d711bdaada5677166a99b96b769df2c5e7b6 Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Sun, 10 Feb 2019 18:23:44 +0100
+Subject: [PATCH] Don't expose /proc when running apply_extra
+As shown by CVE-2019-5736, it is sometimes possible for the sandbox
+app to access outside files using /proc/self/exe. This is not
+typically an issue for flatpak as the sandbox runs as the user which
+has no permissions to e.g. modify the host files.
+However, when installing apps using extra-data into the system repo
+we *do* actually run a sandbox as root. So, in this case we disable mounting
+/proc in the sandbox, which will neuter attacks like this.
+---
+ common/flatpak-common-types-private.h | 1 +
+ common/flatpak-dir.c | 2 +-
+ common/flatpak-run.c | 6 +++++-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h
+index 8c40d2e8..1e94bd1c 100644
+--- a/common/flatpak-common-types-private.h
++++ b/common/flatpak-common-types-private.h
+@@ -44,6 +44,7 @@ typedef enum {
+ FLATPAK_RUN_FLAG_SANDBOX = (1 << 14),
+ FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15),
+ FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16),
++ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19),
+ } FlatpakRunFlags;
+
+ typedef struct FlatpakDir FlatpakDir;
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index eb69225d..be370d49 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -6509,7 +6509,7 @@ apply_extra_data (FlatpakDir *self,
+ NULL);
+
+ if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2],
+- FLATPAK_RUN_FLAG_NO_SESSION_HELPER,
++ FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
+ error))
+ return FALSE;
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 6ab466af..b4f2c475 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2347,9 +2347,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
+ "# Disable user pkcs11 config, because the host modules don't work in the runtime\n"
+ "user-config: none\n";
+
++ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)
++ flatpak_bwrap_add_args (bwrap,
++ "--proc", "/proc",
++ NULL);
++
+ flatpak_bwrap_add_args (bwrap,
+ "--unshare-pid",
+- "--proc", "/proc",
+ "--dir", "/tmp",
+ "--dir", "/var/tmp",
+ "--dir", "/run/host",
+--
+2.20.1
+
diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec
index 7fec546..fd8c0cb 100644
--- a/SPECS/flatpak.spec
+++ b/SPECS/flatpak.spec
@@ -4,7 +4,7 @@ Name: flatpak
Version: %{flatpak_version}
-Release: 2%{?dist}
+Release: 4%{?dist}
Summary: Application deployment framework for desktop apps
License: LGPLv2+
@@ -19,6 +19,8 @@ Patch0: no-user-systemd.patch
# Make sure our resulting binaries always have the rpath set to the bundled
# ostree directory
Patch1: flatpak-ostree-bundle.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1675433
+Patch2: flatpak-1.0.2-CVE-2019-5736.patch
BuildRequires: pkgconfig(appstream-glib)
BuildRequires: pkgconfig(fuse)
@@ -129,6 +131,7 @@ This package contains libflatpak.
%setup -q -a 1 -a 2
%patch0 -p1
%patch1 -p1
+%patch2 -p1
%build
@@ -285,6 +288,12 @@ flatpak remote-list --system &> /dev/null || :
%changelog
+* Fri Feb 15 2019 David King <dking@redhat.com> - 1.0.2-4
+- Tweak /proc sandbox patch (#1675433)
+
+* Wed Feb 13 2019 David King <dking@redhat.com> - 1.0.2-3
+- Do not mount /proc in root sandbox (#1675433)
+
* Thu Sep 13 2018 Kalev Lember <klember@redhat.com> - 1.0.2-2
- Update to 1.0.2 (#1570030)
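Review bot: The new `FLATPAK_RUN_FLAG_NO_PROC = (1 << 19)` in the flatpak-common-types-private.h hunk carries no comment, so the definition does not say why a caller would ever want a sandbox without /proc, and the jump from bit 16 straight to bit 19 is unexplained — presumably to stay clear of bits a later upstream release uses, but the patch does not say so. The security rationale lives only in the commit message: the apply_extra sandbox in flatpak-dir.c runs as root, and with /proc mounted a root process can reach host files through /proc/self/exe (CVE-2019-5736), so the flag is what makes that code path safe. I would put above the enum entry `/* Do not mount /proc in the sandbox; required for sandboxes run as root (apply_extra), where /proc/self/exe could reach host files (CVE-2019-5736). Bits 17-18 deliberately unused — confirm against upstream. */` and, at the new `if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)` in flatpak-run.c, a one-line note that any apply_extra script reading /proc will now fail by design. Both flatpak_run_setup_base_argv and apply_extra_data begin and end outside the hunks shown.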