From aabfdbde8e30e2d0413f5368c34c7f32ee1c3b1a Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Mon, 15 Apr 2024 16:10:36 +0200
Subject: [PATCH 1/2] When starting non-static command using bwrap use "--"
This ensures that the command is not taken to be a bwrap option.
Resolves: CVE-2024-32462
Resolves: GHSA-phv6-cpc2-2fgj
Signed-off-by: Alexander Larsson <alexl@redhat.com>
[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
app/flatpak-builtins-build.c | 3 ++-
common/flatpak-dir.c | 1 +
common/flatpak-run.c | 5 ++++-
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
index ce9ff7ea..039c4668 100644
--- a/app/flatpak-builtins-build.c
+++ b/app/flatpak-builtins-build.c
@@ -569,7 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
return FALSE;
- flatpak_bwrap_add_args (bwrap, command, NULL);
+ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+
flatpak_bwrap_append_argsv (bwrap,
&argv[rest_argv_start + 2],
rest_argc - 2);
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 1c1a48eb..57292aa6 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -5393,6 +5393,7 @@ flatpak_dir_run_triggers (FlatpakDir *self,
g_ptr_array_add (argv_array, g_strdup ("--bind"));
g_ptr_array_add (argv_array, g_strdup (basedir));
g_ptr_array_add (argv_array, g_strdup (basedir));
+ g_ptr_array_add (argv_array, g_strdup ("--"));
#endif
g_ptr_array_add (argv_array, g_file_get_path (child));
g_ptr_array_add (argv_array, g_strdup (basedir));
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 08bfe54a..4c7f94f3 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -752,6 +752,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap,
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
return FALSE;
+ /* End of options: the next argument will be the executable name */
+ flatpak_bwrap_add_arg (bwrap, "--");
+
return TRUE;
}
@@ -3142,7 +3145,7 @@ flatpak_run_app (const char *app_ref,
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
return FALSE;
- flatpak_bwrap_add_arg (bwrap, command);
+ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
if (!add_rest_args (bwrap, app_ref_parts[1],
exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,
--
2.44.0
From b758670addf94e4255deff8e77ba82d7328933a6 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Tue, 16 Apr 2024 10:50:00 +0100
Subject: [PATCH 2/2] test-run: Add a reproducer for CVE-2024-32462
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
tests/test-run.sh | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/tests/test-run.sh b/tests/test-run.sh
index 9d83d82e..ab2c0089 100755
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -23,7 +23,7 @@ set -euo pipefail
skip_without_bwrap
-echo "1..12"
+echo "1..13"
setup_repo
install_repo
@@ -69,6 +69,15 @@ assert_file_has_content hello_out '^Hello world, from a sandbox$'
echo "ok hello"
+# This should try and fail to run e.g. /usr/bin/--tmpfs, which will
+# exit with status 127 because there is no such executable.
+# It should not pass "--tmpfs /blah hello.sh" as bwrap options.
+exit_status=0
+run --command=--tmpfs org.test.Hello /blah hello.sh >&2 || exit_status=$?
+assert_not_streq "$exit_status" 0
+
+echo "ok avoided CVE-2024-32462"
+
run_sh cat /run/user/`id -u`/flatpak-info > fpi
assert_file_has_content fpi '^name=org.test.Hello$'
--
2.44.0