diff --git a/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch b/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch new file mode 100644 index 0000000..6a9d751 --- /dev/null +++ b/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch @@ -0,0 +1,29 @@ +From 9686b3007afb15162cb2b5ca3219d906cc849a60 Mon Sep 17 00:00:00 2001 +From: Ryan Gonzalez +Date: Mon, 25 Mar 2019 13:00:15 -0500 +Subject: [PATCH] run: Only compare the lowest 32 ioctl arg bits for TIOCSTI + +Closes #2782. + +Closes: #2783 +Approved by: alexlarsson +--- + common/flatpak-run.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index b4f2c475..0e6b3141 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -2122,7 +2122,7 @@ setup_seccomp (FlatpakBwrap *bwrap, + {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, + + /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ +- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)}, ++ {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)}, + }; + + struct +-- +2.21.0 + diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec index fd8c0cb..17550b4 100644 --- a/SPECS/flatpak.spec +++ b/SPECS/flatpak.spec @@ -4,7 +4,7 @@ Name: flatpak Version: %{flatpak_version} -Release: 4%{?dist} +Release: 5%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ @@ -21,6 +21,8 @@ Patch0: no-user-systemd.patch Patch1: flatpak-ostree-bundle.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1675433 Patch2: flatpak-1.0.2-CVE-2019-5736.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1700651 +Patch3: flatpak-1.0.2-CVE-2019-10063.patch BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(fuse) @@ -132,6 +134,7 @@ This package contains libflatpak. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 %build @@ -288,6 +291,9 @@ flatpak remote-list --system &> /dev/null || : %changelog +* Mon Apr 29 2019 David King - 1.0.2-5 +- Fix IOCSTI sandbox bypass (#1700651) + * Fri Feb 15 2019 David King - 1.0.2-4 - Tweak /proc sandbox patch (#1675433)