diff --git a/CVE-2022-21682.patch b/CVE-2022-21682.patch
new file mode 100644
index 0000000..1063b4b
--- /dev/null
+++ b/CVE-2022-21682.patch
@@ -0,0 +1,117 @@
+diff -Naru flatpak-builder-1.0.14/src/builder-flatpak-utils.c flatpak-builder-1.0.14-new/src/builder-flatpak-utils.c
+--- flatpak-builder-1.0.14/src/builder-flatpak-utils.c 2021-06-08 19:49:23.000000000 +0800
++++ flatpak-builder-1.0.14-new/src/builder-flatpak-utils.c 2022-07-05 14:04:40.697530000 +0800
+@@ -1196,6 +1196,7 @@
+ 
+ /* In numerical order of more privs */
+ typedef enum {
++ FLATPAK_FILESYSTEM_MODE_NONE = 0,
+ FLATPAK_FILESYSTEM_MODE_READ_ONLY = 1,
+ FLATPAK_FILESYSTEM_MODE_READ_WRITE = 2,
+ FLATPAK_FILESYSTEM_MODE_CREATE = 3,
+@@ -1770,6 +1771,13 @@
+ if (mode)
+ *mode = FLATPAK_FILESYSTEM_MODE_CREATE;
+ }
++ else if (g_str_equal (filesystem, "host:reset"))
++ {
++ filesystem = "host-reset";
++
++ if (mode)
++ *mode = FLATPAK_FILESYSTEM_MODE_NONE;
++ }
+ 
+ return g_strndup (filesystem, len);
+ }
+@@ -1810,9 +1818,12 @@
+ flatpak_context_remove_filesystem (FlatpakContext *context,
+ const char *what)
+ {
++ FlatpakFilesystemMode mode;
++ g_autofree char *fs = parse_filesystem_flags (what, &mode);
++
+ g_hash_table_insert (context->filesystems,
+- parse_filesystem_flags (what, NULL),
+- NULL);
++ g_steal_pointer (&fs),
++ GINT_TO_POINTER (mode));
+ }
+ 
+ static gboolean
+@@ -2222,11 +2233,19 @@
+ g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name));
+ }
+ 
++ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", NULL, NULL))
++ {
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
++ }
++
+ g_hash_table_iter_init (&iter, context->filesystems);
+ while (g_hash_table_iter_next (&iter, &key, &value))
+ {
+ FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
+ 
++ if (g_str_equal (key, "host-reset"))
++ continue;
++
+ if (mode == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
+ g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s:ro", (char *)key));
+ else if (mode == FLATPAK_FILESYSTEM_MODE_READ_WRITE)
+diff -Naru flatpak-builder-1.0.14/src/builder-main.c flatpak-builder-1.0.14-new/src/builder-main.c
+--- flatpak-builder-1.0.14/src/builder-main.c 2021-06-08 16:18:15.000000000 +0800
++++ flatpak-builder-1.0.14-new/src/builder-main.c 2022-07-05 11:31:57.369694000 +0800
+@@ -942,7 +942,7 @@
+ "flatpak",
+ "build",
+ "--die-with-parent",
+- "--nofilesystem=host",
++ "--nofilesystem=host:reset",
+ fs_app_dir,
+ fs_cache,
+ "--share=network",
+diff -Naru flatpak-builder-1.0.14/src/builder-manifest.c flatpak-builder-1.0.14-new/src/builder-manifest.c
+--- flatpak-builder-1.0.14/src/builder-manifest.c 2021-02-17 18:00:31.000000000 +0800
++++ flatpak-builder-1.0.14-new/src/builder-manifest.c 2022-07-05 11:31:56.359694000 +0800
+@@ -2124,7 +2124,7 @@
+ g_ptr_array_add (args, g_strdup ("build"));
+ 
+ g_ptr_array_add (args, g_strdup ("--die-with-parent"));
+- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+ if (extra_args)
+ {
+ for (i = 0; extra_args[i] != NULL; i++)
+@@ -2304,7 +2304,7 @@
+ g_ptr_array_add (args, g_strdup ("flatpak"));
+ g_ptr_array_add (args, g_strdup ("build"));
+ g_ptr_array_add (args, g_strdup ("--die-with-parent"));
+- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+ g_ptr_array_add (args, g_file_get_path (app_dir));
+ g_ptr_array_add (args, g_strdup ("appstream-compose"));
+ 
+diff -Naru flatpak-builder-1.0.14/src/builder-module.c flatpak-builder-1.0.14-new/src/builder-module.c
+--- flatpak-builder-1.0.14/src/builder-module.c 2019-09-13 21:46:32.000000000 +0800
++++ flatpak-builder-1.0.14-new/src/builder-module.c 2022-07-05 11:31:55.139694000 +0800
+@@ -1176,7 +1176,7 @@
+ builddir = "/run/build/";
+ 
+ g_ptr_array_add (args, g_strdup_printf ("--env=FLATPAK_BUILDER_BUILDDIR=%s%s", builddir, module_name));
+- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+ 
+ /* We mount the canonical location, because bind-mounts of symlinks don't really work */
+ g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
+diff -Naru flatpak-builder-1.0.14/src/builder-source-shell.c flatpak-builder-1.0.14-new/src/builder-source-shell.c
+--- flatpak-builder-1.0.14/src/builder-source-shell.c 2021-06-08 19:49:23.000000000 +0800
++++ flatpak-builder-1.0.14-new/src/builder-source-shell.c 2022-07-05 11:31:53.989694000 +0800
+@@ -136,7 +136,7 @@
+ 
+ source_dir_path_canonical = realpath (source_dir_path, NULL);
+ 
+- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+ g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
+ 
+ if (env)
diff --git a/flatpak-builder.spec b/flatpak-builder.spec
index 417122a..4175b73 100644
--- a/flatpak-builder.spec
+++ b/flatpak-builder.spec
@@ -1,11 +1,13 @@
Name: flatpak-builder Version: 1.0.14 -Release: 1 +Release: 2 Summary: A tool to build flatpaks from source License: LGPLv2+ and GPLv2+ URL: http://flatpak.org/ Source0: https://github.com/flatpak/flatpak-builder/releases/download/%{version}/%{name}-%{version}.tar.xz +Patch01: CVE-2022-21682.patch + BuildRequires: make flatpak pkgconfig(glib-2.0) >= 2.44 pkgconfig(gio-2.0) pkgconfig(gio-unix-2.0) BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(ostree-1) >= 2017.14 pkgconfig(json-glib-1.0) BuildRequires: pkgconfig(libxml-2.0) >= 2.4 pkgconfig(libcurl) pkgconfig(libelf) libxslt
@@ -36,5 +38,8 @@ Flatpak-builder is a tool for building flatpaks from sources.
%{_mandir}/man5/flatpak-manifest.5* %changelog +* Tue Jul 05 2022 weichao.zhang - 1.0.14-2 +- Fix CVE-2022-21682 + * Thu Aug 05 2021 weijin deng - 1.0.14-1 - Package init with 1.0.14
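Review bot: The `--nofilesystem=host:reset` arguments substituted in the builder-main.c, builder-manifest.c, builder-module.c and builder-source-shell.c hunks are interpreted by the installed `flatpak` binary that `flatpak build` execs, not by flatpak-builder itself, so the mitigation only takes effect when that flatpak understands the `host:reset` token, and the spec in this commit leaves `BuildRequires: make flatpak` with no minimum version and adds no matching `Requires:`. Pin both to the first flatpak release that accepts `host:reset` (`BuildRequires: flatpak >= <flatpak version with host:reset support>` and a `Requires:` of the same form) so the package cannot be built or installed against a flatpak that presumably rejects or mis-parses the option and leaves the pre-fix sandbox behaviour in place. In the builder-flatpak-utils.c hunk at 1770, the new `host:reset` branch replaces `filesystem` with the literal `"host-reset"` but still returns via the shared `g_strndup (filesystem, len)`, where `len` appears to be computed from the original string before the hunk, so the copy is complete only because both literals have the same length; a comment such as `/* "host-reset" is the same length as "host:reset", so len still covers the whole replacement */` would make that coupling explicit. The enclosing functions of every hunk in this patch start outside the hunk.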