diff --git a/.flatpak.metadata b/.flatpak.metadata
index 1e9c6aa..3346bf3 100644
--- a/.flatpak.metadata
+++ b/.flatpak.metadata
@@ -1 +1 @@
-1cd25f8577ba55d1370652e9bd24e8a2d254143a SOURCES/flatpak-1.10.2.tar.xz
+d4d771e7bfa4ab275845cf7259f9b25784ccc095 SOURCES/flatpak-1.10.5.tar.xz
diff --git a/.gitignore b/.gitignore
index 081b118..97dea87 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/flatpak-1.10.2.tar.xz
+SOURCES/flatpak-1.10.5.tar.xz
diff --git a/SOURCES/0001-Fix-handling-of-syscalls-only-allowed-by-devel.patch b/SOURCES/0001-Fix-handling-of-syscalls-only-allowed-by-devel.patch
new file mode 100644
index 0000000..cf7f463
--- /dev/null
+++ b/SOURCES/0001-Fix-handling-of-syscalls-only-allowed-by-devel.patch
@@ -0,0 +1,31 @@
+From 24485224223b8ed41976ead5801cb04c4d961f93 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Fri, 8 Oct 2021 19:00:13 +0100
+Subject: [PATCH] Fix handling of syscalls only allowed by --devel
+
+This was incorrectly looking at errno instead of -r.
+
+Fixes: 0b38b0f0 "run: Handle unknown syscalls as intended"
+Signed-off-by: Simon McVittie
+(cherry picked from commit 3fc8c672676ae016f8e7cc90481b2feecbad9861)
+(cherry picked from commit 97e128c2c1520202486b5e165e1734cbb421568a)
+---
+ common/flatpak-run.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 6142daafa56d..4048476bf455 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2992,7 +2992,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
+
+ /* See above for the meaning of EFAULT. */
+- if (errno == EFAULT)
++ if (r == -EFAULT)
+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
+ scall);
+ else if (r < 0)
+--
+2.31.1
+
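Review bot: In the embedded flatpak-run.c hunk, the `r == -EFAULT` branch only calls `flatpak_debug2` and carries on, so a syscall on this blocklist that libseccomp does not recognise is left unfiltered and the only trace is a debug-level message. The comment `/* See above for the meaning of EFAULT. */` points at text outside the hunk, so I would state the consequence at this site, for example `/* -EFAULT: libseccomp does not know this syscall; no rule is added and it stays unblocked. */`. Because the branch is fail-open by design, it is also worth confirming that the libseccomp version this package builds against knows every syscall on the list; that requirement is not visible in this diff. setup_seccomp's body starts and ends outside the hunk.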
diff --git a/SOURCES/0001-OCI-Switch-to-pax-format-for-tar-archives.patch b/SOURCES/0001-OCI-Switch-to-pax-format-for-tar-archives.patch
deleted file mode 100644
index a95238a..0000000
--- a/SOURCES/0001-OCI-Switch-to-pax-format-for-tar-archives.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From adbd286cef9a4c4bed76eb95337d5d6f5e42dd45 Mon Sep 17 00:00:00 2001
-From: Kalev Lember
-Date: Mon, 5 Apr 2021 10:40:26 +0200
-Subject: [PATCH] OCI: Switch to pax format for tar archives
-
-For reasons unknown, libarchive appears to generate broken gnutar format
-tar archives when the archive contains files that are larger than 2 GB.
-This commit switches to the pax format to work this around.
-
-This should be a better default as it also removes 256 char filename
-length limitation and matches what other libraries are doing, e.g.
-Python 3.8 switched to the pax format by default as well.
-
-See https://pagure.io/fedora-infrastructure/issue/9840
----
- common/flatpak-oci-registry.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
-index 6aa68c27..2a7f3ba1 100644
---- a/common/flatpak-oci-registry.c
-+++ b/common/flatpak-oci-registry.c
-@@ -1476,7 +1476,7 @@ flatpak_oci_registry_write_layer (FlatpakOciRegistry *self,
- }
-
- a = archive_write_new ();
-- if (archive_write_set_format_gnutar (a) != ARCHIVE_OK ||
-+ if (archive_write_set_format_pax (a) != ARCHIVE_OK ||
- archive_write_add_filter_none (a) != ARCHIVE_OK)
- {
- propagate_libarchive_error (error, a);
---
-2.30.2
-
diff --git a/SOURCES/flatpak-1.10.2-system-helper-fix.patch b/SOURCES/flatpak-1.10.2-system-helper-fix.patch
deleted file mode 100644
index 37ac4f6..0000000
--- a/SOURCES/flatpak-1.10.2-system-helper-fix.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 49e8bfcea516e96eb950109d0fa45811a352a517 Mon Sep 17 00:00:00 2001
-From: Alexander Larsson
-Date: Wed, 17 Mar 2021 17:12:32 +0100
-Subject: [PATCH] system-helper: Fix deploys of local remotes
-
-For updates in remotes with a local (file:) uri we just do a deploy
-with a LOCAL_PULL flag set and an empty arg_repo_path. However, our
-arg_repo_path checking at some point seemed to stop properly handling
-the case where it is empty. I got it to report "No such file" wich
-broke the tests.
----
- system-helper/flatpak-system-helper.c | 89 ++++++++++++++-------------
- 1 file changed, 46 insertions(+), 43 deletions(-)
-
-diff --git a/system-helper/flatpak-system-helper.c b/system-helper/flatpak-system-helper.c
-index b202c94105..adcfe61a86 100644
---- a/system-helper/flatpak-system-helper.c
-+++ b/system-helper/flatpak-system-helper.c
-@@ -410,61 +410,64 @@ handle_deploy (FlatpakSystemHelper *object,
- return G_DBUS_METHOD_INVOCATION_HANDLED;
- }
-
-- src_dir = g_path_get_dirname (arg_repo_path);
-- ongoing_pull = take_ongoing_pull_by_dir (src_dir);
-- if (ongoing_pull != NULL)
-+ if ((arg_flags & ~FLATPAK_HELPER_DEPLOY_FLAGS_ALL) != 0)
- {
-- g_autoptr(GError) local_error = NULL;
-- uid_t uid;
-+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
-+ "Unsupported flags enabled: 0x%x", (arg_flags & ~FLATPAK_HELPER_DEPLOY_FLAGS_ALL));
-+ return G_DBUS_METHOD_INVOCATION_HANDLED;
-+ }
-
-- /* Ensure that pull's uid is same as the caller's uid */
-- if (!get_connection_uid (invocation, &uid, &local_error))
-+ if (strlen (arg_repo_path) > 0)
-+ {
-+ if (!g_file_query_exists (repo_file, NULL))
- {
-- g_dbus_method_invocation_return_gerror (invocation, local_error);
-+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
-+ "Path does not exist");
- return G_DBUS_METHOD_INVOCATION_HANDLED;
- }
-- else
-+
-+ src_dir = g_path_get_dirname (arg_repo_path);
-+ ongoing_pull = take_ongoing_pull_by_dir (src_dir);
-+ if (ongoing_pull != NULL)
- {
-- if (ongoing_pull->uid != uid)
-+ g_autoptr(GError) local_error = NULL;
-+ uid_t uid;
-+
-+ /* Ensure that pull's uid is same as the caller's uid */
-+ if (!get_connection_uid (invocation, &uid, &local_error))
- {
-- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
-- "Ongoing pull's uid(%d) does not match with peer uid(%d)",
-- ongoing_pull->uid, uid);
-+ g_dbus_method_invocation_return_gerror (invocation, local_error);
- return G_DBUS_METHOD_INVOCATION_HANDLED;
- }
-- }
--
-- terminate_revokefs_backend (ongoing_pull);
--
-- if (!flatpak_canonicalize_permissions (AT_FDCWD,
-- arg_repo_path,
-- getuid() == 0 ? 0 : -1,
-- getuid() == 0 ? 0 : -1,
-- &local_error))
-- {
-- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
-- "Failed to canonicalize permissions of repo %s: %s",
-- arg_repo_path, local_error->message);
-- return G_DBUS_METHOD_INVOCATION_HANDLED;
-- }
-+ else
-+ {
-+ if (ongoing_pull->uid != uid)
-+ {
-+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
-+ "Ongoing pull's uid(%d) does not match with peer uid(%d)",
-+ ongoing_pull->uid, uid);
-+ return G_DBUS_METHOD_INVOCATION_HANDLED;
-+ }
-+ }
-
-- /* At this point, the cache-dir's repo is owned by root. Hence, any failure
-- * from here on, should always cleanup the cache-dir and not preserve it to be re-used. */
-- ongoing_pull->preserve_pull = FALSE;
-- }
-+ terminate_revokefs_backend (ongoing_pull);
-
-- if ((arg_flags & ~FLATPAK_HELPER_DEPLOY_FLAGS_ALL) != 0)
-- {
-- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
-- "Unsupported flags enabled: 0x%x", (arg_flags & ~FLATPAK_HELPER_DEPLOY_FLAGS_ALL));
-- return G_DBUS_METHOD_INVOCATION_HANDLED;
-- }
-+ if (!flatpak_canonicalize_permissions (AT_FDCWD,
-+ arg_repo_path,
-+ getuid() == 0 ? 0 : -1,
-+ getuid() == 0 ? 0 : -1,
-+ &local_error))
-+ {
-+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
-+ "Failed to canonicalize permissions of repo %s: %s",
-+ arg_repo_path, local_error->message);
-+ return G_DBUS_METHOD_INVOCATION_HANDLED;
-+ }
-
-- if (!g_file_query_exists (repo_file, NULL))
-- {
-- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
-- "Path does not exist");
-- return G_DBUS_METHOD_INVOCATION_HANDLED;
-+ /* At this point, the cache-dir's repo is owned by root. Hence, any failure
-+ * from here on, should always cleanup the cache-dir and not preserve it to be re-used. */
-+ ongoing_pull->preserve_pull = FALSE;
-+ }
- }
-
- ref = flatpak_decomposed_new_from_ref (arg_ref, &error);
diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec
index 4ef09ec..fc032ac 100644
--- a/SPECS/flatpak.spec
+++ b/SPECS/flatpak.spec
@@ -2,8 +2,8 @@ %global ostree_version 2020.8 Name: flatpak -Version: 1.10.2 -Release: 6%{?dist} +Version: 1.10.5 +Release: 1%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+
@@ -12,11 +12,8 @@ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/ # Add Fedora flatpak repositories Source1: flatpak-add-fedora-repos.service -# https://github.com/flatpak/flatpak/pull/4210 -# https://pagure.io/fedora-infrastructure/issue/9840 -Patch0: 0001-OCI-Switch-to-pax-format-for-tar-archives.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1982304 -Patch1: flatpak-1.10.2-system-helper-fix.patch +# https://github.com/flatpak/flatpak/pull/4473 +Patch0: 0001-Fix-handling-of-syscalls-only-allowed-by-devel.patch BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(dconf)
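Review bot: The second flatpak.spec hunk drops `Patch0: 0001-OCI-Switch-to-pax-format-for-tar-archives.patch` and `Patch1: flatpak-1.10.2-system-helper-fix.patch` without recording why. The system-helper patch reorders the flag and path checks in `handle_deploy` ahead of the step that, per its own comment, leaves the cache-dir repo owned by root, so losing it silently would matter. Presumably both fixes are already in the 1.10.5 tarball, but nothing visible here confirms that. I would verify it against the new source and leave a line above the patch list such as `# OCI pax-format and system-helper fixes dropped: included upstream as of <version>`.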
@@ -270,6 +267,14 @@ fi %changelog +* Tue Oct 26 2021 Debarshi Ray - 1.10.5-1 +- Update to 1.10.5 (CVE-2021-41133) +Resolves: #2012862 + +* Wed Sep 22 2021 Debarshi Ray - 1.10.3-1 +- Update to 1.10.3 +Resolves: #2006554 + * Sat Aug 28 2021 Debarshi Ray - 1.10.2-6 - Fix local deploys using system helper Resolves: #1982304