packages/flatpak-builder
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!7 fix CVE-2022-21682

Browse Source 
From: @hundred-ci 
Reviewed-by: @dwl301 
Signed-off-by: @dwl301
This commit is contained in:
openeuler-ci-bot 2022-07-06 03:01:21 +00:00 committed by Gitee
commit ea91c1d6a5
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 123 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
CVE-2022-21682.patch Normal file
View File

@ -0,0 +1,117 @@
diff -Naru flatpak-builder-1.0.14/src/builder-flatpak-utils.c flatpak-builder-1.0.14-new/src/builder-flatpak-utils.c
--- flatpak-builder-1.0.14/src/builder-flatpak-utils.c 2021-06-08 19:49:23.000000000 +0800
+++ flatpak-builder-1.0.14-new/src/builder-flatpak-utils.c 2022-07-05 14:04:40.697530000 +0800
@@ -1196,6 +1196,7 @@
/* In numerical order of more privs */
typedef enum {
+ FLATPAK_FILESYSTEM_MODE_NONE = 0,
FLATPAK_FILESYSTEM_MODE_READ_ONLY = 1,
FLATPAK_FILESYSTEM_MODE_READ_WRITE = 2,
FLATPAK_FILESYSTEM_MODE_CREATE = 3,
@@ -1770,6 +1771,13 @@
if (mode)
*mode = FLATPAK_FILESYSTEM_MODE_CREATE;
}
+ else if (g_str_equal (filesystem, "host:reset"))
+ {
+ filesystem = "host-reset";
+
+ if (mode)
+ *mode = FLATPAK_FILESYSTEM_MODE_NONE;
+ }
return g_strndup (filesystem, len);
}
@@ -1810,9 +1818,12 @@
flatpak_context_remove_filesystem (FlatpakContext *context,
const char *what)
{
+ FlatpakFilesystemMode mode;
+ g_autofree char *fs = parse_filesystem_flags (what, &mode);
+
g_hash_table_insert (context->filesystems,
- parse_filesystem_flags (what, NULL),
- NULL);
+ g_steal_pointer (&fs),
+ GINT_TO_POINTER (mode));
}
static gboolean
@@ -2222,11 +2233,19 @@
g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name));
}
+ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", NULL, NULL))
+ {
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+ }
+
g_hash_table_iter_init (&iter, context->filesystems);
while (g_hash_table_iter_next (&iter, &key, &value))
{
FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
+ if (g_str_equal (key, "host-reset"))
+ continue;
+
if (mode == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s:ro", (char *)key));
else if (mode == FLATPAK_FILESYSTEM_MODE_READ_WRITE)
diff -Naru flatpak-builder-1.0.14/src/builder-main.c flatpak-builder-1.0.14-new/src/builder-main.c
--- flatpak-builder-1.0.14/src/builder-main.c 2021-06-08 16:18:15.000000000 +0800
+++ flatpak-builder-1.0.14-new/src/builder-main.c 2022-07-05 11:31:57.369694000 +0800
@@ -942,7 +942,7 @@
"flatpak",
"build",
"--die-with-parent",
- "--nofilesystem=host",
+ "--nofilesystem=host:reset",
fs_app_dir,
fs_cache,
"--share=network",
diff -Naru flatpak-builder-1.0.14/src/builder-manifest.c flatpak-builder-1.0.14-new/src/builder-manifest.c
--- flatpak-builder-1.0.14/src/builder-manifest.c 2021-02-17 18:00:31.000000000 +0800
+++ flatpak-builder-1.0.14-new/src/builder-manifest.c 2022-07-05 11:31:56.359694000 +0800
@@ -2124,7 +2124,7 @@
g_ptr_array_add (args, g_strdup ("build"));
g_ptr_array_add (args, g_strdup ("--die-with-parent"));
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
if (extra_args)
{
for (i = 0; extra_args[i] != NULL; i++)
@@ -2304,7 +2304,7 @@
g_ptr_array_add (args, g_strdup ("flatpak"));
g_ptr_array_add (args, g_strdup ("build"));
g_ptr_array_add (args, g_strdup ("--die-with-parent"));
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
g_ptr_array_add (args, g_file_get_path (app_dir));
g_ptr_array_add (args, g_strdup ("appstream-compose"));
diff -Naru flatpak-builder-1.0.14/src/builder-module.c flatpak-builder-1.0.14-new/src/builder-module.c
--- flatpak-builder-1.0.14/src/builder-module.c 2019-09-13 21:46:32.000000000 +0800
+++ flatpak-builder-1.0.14-new/src/builder-module.c 2022-07-05 11:31:55.139694000 +0800
@@ -1176,7 +1176,7 @@
builddir = "/run/build/";
g_ptr_array_add (args, g_strdup_printf ("--env=FLATPAK_BUILDER_BUILDDIR=%s%s", builddir, module_name));
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
/* We mount the canonical location, because bind-mounts of symlinks don't really work */
g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
diff -Naru flatpak-builder-1.0.14/src/builder-source-shell.c flatpak-builder-1.0.14-new/src/builder-source-shell.c
--- flatpak-builder-1.0.14/src/builder-source-shell.c 2021-06-08 19:49:23.000000000 +0800
+++ flatpak-builder-1.0.14-new/src/builder-source-shell.c 2022-07-05 11:31:53.989694000 +0800
@@ -136,7 +136,7 @@
source_dir_path_canonical = realpath (source_dir_path, NULL);
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
if (env)

7
flatpak-builder.spec
View File

@ -1,11 +1,13 @@
Name: flatpak-builder
Version: 1.0.14
Release: 1
Release: 2
Summary: A tool to build flatpaks from source
License: LGPLv2+ and GPLv2+
URL: http://flatpak.org/
Source0: https://github.com/flatpak/flatpak-builder/releases/download/%{version}/%{name}-%{version}.tar.xz
Patch01: CVE-2022-21682.patch
BuildRequires: make flatpak pkgconfig(glib-2.0) >= 2.44 pkgconfig(gio-2.0) pkgconfig(gio-unix-2.0)
BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(ostree-1) >= 2017.14 pkgconfig(json-glib-1.0)
BuildRequires: pkgconfig(libxml-2.0) >= 2.4 pkgconfig(libcurl) pkgconfig(libelf) libxslt
@ -36,5 +38,8 @@ Flatpak-builder is a tool for building flatpaks from sources.
%{_mandir}/man5/flatpak-manifest.5*
%changelog
* Tue Jul 05 2022 weichao.zhang <weichao.zhang@epro.com.cn> - 1.0.14-2
- Fix CVE-2022-21682
* Thu Aug 05 2021 weijin deng <weijin.deng@turbolinux.com.cn> - 1.0.14-1
- Package init with 1.0.14