diff --git a/.flatpak.metadata b/.flatpak.metadata
index 1450248..319360d 100644
--- a/.flatpak.metadata
+++ b/.flatpak.metadata
@@ -1,3 +1,3 @@
-2dc9cc0f1d80421ea800be3c005d9b5dd94c8156 SOURCES/flatpak-1.0.2.tar.xz
+51317ee7abeb09fc68c924ee74463185be901658 SOURCES/flatpak-1.0.9.tar.xz
 5cab51142ec15ee113b4c87a2645b4e1c7179fa7 SOURCES/flatpak-builder-1.0.0.tar.xz
 c8dabfe09e987a15d99e4723be23f23da9f7bbb3 SOURCES/libostree-2018.8.tar.xz
diff --git a/.gitignore b/.gitignore
index 48b75c2..7bf1a15 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-SOURCES/flatpak-1.0.2.tar.xz
+SOURCES/flatpak-1.0.9.tar.xz
 SOURCES/flatpak-builder-1.0.0.tar.xz
 SOURCES/libostree-2018.8.tar.xz
diff --git a/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch b/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch
deleted file mode 100644
index 6a9d751..0000000
--- a/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 9686b3007afb15162cb2b5ca3219d906cc849a60 Mon Sep 17 00:00:00 2001
-From: Ryan Gonzalez
-Date: Mon, 25 Mar 2019 13:00:15 -0500
-Subject: [PATCH] run: Only compare the lowest 32 ioctl arg bits for TIOCSTI
-
-Closes #2782.
-
-Closes: #2783
-Approved by: alexlarsson
----
- common/flatpak-run.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index b4f2c475..0e6b3141 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -2122,7 +2122,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
- {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
- 
- /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
-- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)},
-+ {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
- };
- 
- struct
---
-2.21.0
-
diff --git a/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch b/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch
deleted file mode 100644
index 2fa3347..0000000
--- a/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 86d9d711bdaada5677166a99b96b769df2c5e7b6 Mon Sep 17 00:00:00 2001
-From: Alexander Larsson
-Date: Sun, 10 Feb 2019 18:23:44 +0100
-Subject: [PATCH] Don't expose /proc when running apply_extra
-
-As shown by CVE-2019-5736, it is sometimes possible for the sandbox
-app to access outside files using /proc/self/exe. This is not
-typically an issue for flatpak as the sandbox runs as the user which
-has no permissions to e.g. modify the host files.
-
-However, when installing apps using extra-data into the system repo
-we *do* actually run a sandbox as root. So, in this case we disable mounting
-/proc in the sandbox, which will neuter attacks like this.
----
- common/flatpak-common-types-private.h | 1 +
- common/flatpak-dir.c | 2 +-
- common/flatpak-run.c | 6 +++++-
- 3 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h
-index 8c40d2e8..1e94bd1c 100644
---- a/common/flatpak-common-types-private.h
-+++ b/common/flatpak-common-types-private.h
-@@ -44,6 +44,7 @@ typedef enum {
- FLATPAK_RUN_FLAG_SANDBOX = (1 << 14),
- FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15),
- FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16),
-+ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19),
- } FlatpakRunFlags;
- 
- typedef struct FlatpakDir FlatpakDir;
-diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
-index eb69225d..be370d49 100644
---- a/common/flatpak-dir.c
-+++ b/common/flatpak-dir.c
-@@ -6509,7 +6509,7 @@ apply_extra_data (FlatpakDir *self,
- NULL);
- 
- if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2],
-- FLATPAK_RUN_FLAG_NO_SESSION_HELPER,
-+ FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
- error))
- return FALSE;
- 
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index 6ab466af..b4f2c475 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -2347,9 +2347,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
- "# 
Disable user pkcs11 config, because the host modules don't work in the runtime\n"
- "user-config: none\n";
- 
-+ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)
-+ flatpak_bwrap_add_args (bwrap,
-+ "--proc", "/proc",
-+ NULL);
-+
- flatpak_bwrap_add_args (bwrap,
- "--unshare-pid",
-- "--proc", "/proc",
- "--dir", "/tmp",
- "--dir", "/var/tmp",
- "--dir", "/run/host",
---
-2.20.1
-
diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec
index eeba662..3a689f4 100644
--- a/SPECS/flatpak.spec
+++ b/SPECS/flatpak.spec
@@ -1,10 +1,10 @@
-%global flatpak_version 1.0.2
+%global flatpak_version 1.0.9
 %global flatpak_builder_version 1.0.0
 %global ostree_version 2018.8
 Name: flatpak
 Version: %{flatpak_version}
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: Application deployment framework for desktop apps
 License: LGPLv2+
@@ -21,10 +21,6 @@ Patch0: no-user-systemd.patch
 Patch1: flatpak-ostree-bundle.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1660137
 Patch2: flatpak-1.0.4-oci-fixes.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1675435
-Patch3: flatpak-1.0.2-CVE-2019-5736.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1700652
-Patch4: flatpak-1.0.2-CVE-2019-10063.patch
 BuildRequires: pkgconfig(appstream-glib)
 BuildRequires: pkgconfig(fuse)
@@ -136,8 +132,6 @@ This package contains libflatpak.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
-%patch4 -p1
 %build
@@ -294,6 +288,9 @@ flatpak remote-list --system &> /dev/null || :
 %changelog
+* Fri Sep 20 2019 Kalev Lember - 1.0.9-8
+- Update to 1.0.9 (#1753591)
+
 * Mon Apr 29 2019 David King - 1.0.2-7
 - Fix IOCSTI sandbox bypass (#1700652)
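Review bot: Nothing in this commit records that the 1.0.9 tarball actually carries the two fixes whose backports the `@@ -21,10 +21,6 @@` hunk drops (`Patch3`, CVE-2019-5736, and `Patch4`, CVE-2019-10063); the changelog entry visible here says only `Update to 1.0.9 (#1753591)`, so a later reader cannot tell whether the mitigations were upstreamed or silently lost. Before merging, confirm the unpacked source still contains `FLATPAK_RUN_FLAG_NO_PROC` on the `apply_extra_data` path and the `SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu` TIOCSTI rule in `setup_seccomp`, i.e. exactly the hunks the deleted patch files applied. I would add a changelog line such as `- Drop CVE-2019-5736 and CVE-2019-10063 backports, fixed upstream in 1.0.9` so the package's security history stays traceable. `Patch2` (`flatpak-1.0.4-oci-fixes.patch`) is kept across the rebase; its name suggests it was written against 1.0.4, so the `%prep` stage should be checked for fuzz or rejects against 1.0.9, though I cannot tell from here whether it still applies cleanly.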