rpms / flatpak

Clone
Source Code
GIT

Blame SOURCES/flatpak-CVE-2024-32462.patch

c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c7
  2.   SOURCES
  3.   flatpak-CVE-2024-32462.patch
Blob History Raw
01d78b 
From aabfdbde8e30e2d0413f5368c34c7f32ee1c3b1a Mon Sep 17 00:00:00 2001
01d78b 
From: Alexander Larsson <alexl@redhat.com>
01d78b 
Date: Mon, 15 Apr 2024 16:10:36 +0200
01d78b 
Subject: [PATCH 1/2] When starting non-static command using bwrap use "--"
01d78b
01d78b 
This ensures that the command is not taken to be a bwrap option.
01d78b
01d78b 
Resolves: CVE-2024-32462
01d78b 
Resolves: GHSA-phv6-cpc2-2fgj
01d78b 
Signed-off-by: Alexander Larsson <alexl@redhat.com>
01d78b 
[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
01d78b 
[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
01d78b 
Signed-off-by: Simon McVittie <smcv@collabora.com>
01d78b 
---
01d78b 
 app/flatpak-builtins-build.c | 3 ++-
01d78b 
 common/flatpak-dir.c         | 1 +
01d78b 
 common/flatpak-run.c         | 5 ++++-
01d78b 
 3 files changed, 7 insertions(+), 2 deletions(-)
01d78b
01d78b 
diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
01d78b 
index ce9ff7ea..039c4668 100644
01d78b 
--- a/app/flatpak-builtins-build.c
01d78b 
+++ b/app/flatpak-builtins-build.c
01d78b 
@@ -569,7 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
01d78b 
   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
01d78b 
     return FALSE;
01d78b
01d78b 
-  flatpak_bwrap_add_args (bwrap, command, NULL);
01d78b 
+  flatpak_bwrap_add_args (bwrap, "--", command, NULL);
01d78b 
+
01d78b 
   flatpak_bwrap_append_argsv (bwrap,
01d78b 
                               &argv[rest_argv_start + 2],
01d78b 
                               rest_argc - 2);
01d78b 
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
01d78b 
index 1c1a48eb..57292aa6 100644
01d78b 
--- a/common/flatpak-dir.c
01d78b 
+++ b/common/flatpak-dir.c
01d78b 
@@ -5393,6 +5393,7 @@ flatpak_dir_run_triggers (FlatpakDir   *self,
01d78b 
           g_ptr_array_add (argv_array, g_strdup ("--bind"));
01d78b 
           g_ptr_array_add (argv_array, g_strdup (basedir));
01d78b 
           g_ptr_array_add (argv_array, g_strdup (basedir));
01d78b 
+          g_ptr_array_add (argv_array, g_strdup ("--"));
01d78b 
 #endif
01d78b 
           g_ptr_array_add (argv_array, g_file_get_path (child));
01d78b 
           g_ptr_array_add (argv_array, g_strdup (basedir));
01d78b 
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
01d78b 
index 08bfe54a..4c7f94f3 100644
01d78b 
--- a/common/flatpak-run.c
01d78b 
+++ b/common/flatpak-run.c
01d78b 
@@ -752,6 +752,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap,
01d78b 
   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
01d78b 
     return FALSE;
01d78b
01d78b 
+  /* End of options: the next argument will be the executable name */
01d78b 
+  flatpak_bwrap_add_arg (bwrap, "--");
01d78b 
+
01d78b 
   return TRUE;
01d78b 
 }
01d78b
01d78b 
@@ -3142,7 +3145,7 @@ flatpak_run_app (const char     *app_ref,
01d78b 
   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
01d78b 
     return FALSE;
01d78b
01d78b 
-  flatpak_bwrap_add_arg (bwrap, command);
01d78b 
+  flatpak_bwrap_add_args (bwrap, "--", command, NULL);
01d78b
01d78b 
   if (!add_rest_args (bwrap, app_ref_parts[1],
01d78b 
                       exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,
01d78b 
--
01d78b 
2.44.0
01d78b
01d78b
01d78b 
From b758670addf94e4255deff8e77ba82d7328933a6 Mon Sep 17 00:00:00 2001
01d78b 
From: Simon McVittie <smcv@collabora.com>
01d78b 
Date: Tue, 16 Apr 2024 10:50:00 +0100
01d78b 
Subject: [PATCH 2/2] test-run: Add a reproducer for CVE-2024-32462
01d78b
01d78b 
Signed-off-by: Simon McVittie <smcv@collabora.com>
01d78b 
---
01d78b 
 tests/test-run.sh | 11 ++++++++++-
01d78b 
 1 file changed, 10 insertions(+), 1 deletion(-)
01d78b
01d78b 
diff --git a/tests/test-run.sh b/tests/test-run.sh
01d78b 
index 9d83d82e..ab2c0089 100755
01d78b 
--- a/tests/test-run.sh
01d78b 
+++ b/tests/test-run.sh
01d78b 
@@ -23,7 +23,7 @@ set -euo pipefail
01d78b
01d78b 
 skip_without_bwrap
01d78b
01d78b 
-echo "1..12"
01d78b 
+echo "1..13"
01d78b
01d78b 
 setup_repo
01d78b 
 install_repo
01d78b 
@@ -69,6 +69,15 @@ assert_file_has_content hello_out '^Hello world, from a sandbox$'
01d78b
01d78b 
 echo "ok hello"
01d78b
01d78b 
+# This should try and fail to run e.g. /usr/bin/--tmpfs, which will
01d78b 
+# exit with status 127 because there is no such executable.
01d78b 
+# It should not pass "--tmpfs /blah hello.sh" as bwrap options.
01d78b 
+exit_status=0
01d78b 
+run --command=--tmpfs org.test.Hello /blah hello.sh >&2 || exit_status=$?
01d78b 
+assert_not_streq "$exit_status" 0
01d78b 
+
01d78b 
+echo "ok avoided CVE-2024-32462"
01d78b 
+
01d78b 
 run_sh cat /run/user/`id -u`/flatpak-info > fpi
01d78b 
 assert_file_has_content fpi '^name=org.test.Hello$'
01d78b
01d78b 
--
01d78b 
2.44.0
01d78b

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation