diff --git a/SOURCES/flatpak-1.8.5-post-cve-fixes.patch b/SOURCES/flatpak-1.8.5-post-cve-fixes.patch new file mode 100644 index 0000000..a5ee71c --- /dev/null +++ b/SOURCES/flatpak-1.8.5-post-cve-fixes.patch @@ -0,0 +1,73 @@ +From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001 +From: Simon McVittie <smcv@collabora.com> +Date: Mon, 18 Jan 2021 17:52:13 +0000 +Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments + +This means we can systematically pass the environment variables +through bwrap(1), even if it is setuid and thus is filtering out +security-sensitive environment variables. bwrap itself ends up being +run with an empty environment instead. + +This fixes a regression when CVE-2021-21261 was fixed: before the +CVE fixes, LD_LIBRARY_PATH would have been passed through like this +and appeared in the `flatpak build` shell, but during the CVE fixes, +the special case that protected LD_LIBRARY_PATH was removed in favour +of the more general flatpak_bwrap_envp_to_args(). That reasoning only +works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere +that we run the potentially-setuid bwrap. + +Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" +Resolves: https://github.com/flatpak/flatpak/issues/4080 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323 +Signed-off-by: Simon McVittie <smcv@collabora.com> +(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0) +--- + app/flatpak-builtins-build.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c +index 8da0de814..07ef6fc07 100644 +--- a/app/flatpak-builtins-build.c ++++ b/app/flatpak-builtins-build.c +@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError + NULL); + } + ++ flatpak_bwrap_envp_to_args (bwrap); ++ + if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) + return FALSE; + +From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001 +From: Simon McVittie <smcv@collabora.com> +Date: Mon, 18 Jan 2021 18:07:38 +0000 +Subject: [PATCH] dir: Pass environment via bwrap --setenv when running + apply_extra + +This means we can systematically pass the environment variables +through bwrap(1), even if it is setuid and thus is filtering out +security-sensitive environment variables. bwrap ends up being +run with an empty environment instead. + +As with the previous commit, this regressed while fixing CVE-2021-21261. + +Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" +Signed-off-by: Simon McVittie <smcv@collabora.com> +(cherry picked from commit fb473cad801c6b61706353256cab32330557374a) +--- + common/flatpak-dir.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index ed1248e74..40767fa77 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir *self, + app_context, NULL, NULL, NULL, cancellable, error)) + return FALSE; + ++ flatpak_bwrap_envp_to_args (bwrap); ++ + flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra"); + + flatpak_bwrap_finish (bwrap); diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec index 6142b28..a97870b 100644 --- a/SPECS/flatpak.spec +++ b/SPECS/flatpak.spec @@ -3,12 +3,14 @@ Name: flatpak Version: 1.8.5 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz +# https://bugzilla.redhat.com/show_bug.cgi?id=1918776 +Patch0: flatpak-1.8.5-post-cve-fixes.patch BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(dconf) @@ -240,6 +242,9 @@ fi %changelog +* Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2 +- Apply post-release CVE fixes (#1918776) + * Thu Jan 14 2021 David King <dking@redhat.com> - 1.8.5-1 - Rebase to 1.8.5 (#1851958)