From aabfdbde8e30e2d0413f5368c34c7f32ee1c3b1a Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Mon, 15 Apr 2024 16:10:36 +0200
Subject: [PATCH 1/2] When starting non-static command using bwrap use "--"

This ensures that the command is not taken to be a bwrap option.

Resolves: CVE-2024-32462
Resolves: GHSA-phv6-cpc2-2fgj

Signed-off-by: Alexander Larsson
[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
Signed-off-by: Simon McVittie
---
 app/flatpak-builtins-build.c | 3 ++-
 common/flatpak-dir.c | 1 +
 common/flatpak-run.c | 5 ++++-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
index ce9ff7ea..039c4668 100644
--- a/app/flatpak-builtins-build.c
+++ b/app/flatpak-builtins-build.c
@@ -569,7 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
 if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
 return FALSE;
- flatpak_bwrap_add_args (bwrap, command, NULL);
+ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+
 flatpak_bwrap_append_argsv (bwrap, &argv[rest_argv_start + 2], rest_argc - 2);
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 1c1a48eb..57292aa6 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -5393,6 +5393,7 @@ flatpak_dir_run_triggers (FlatpakDir *self,
 g_ptr_array_add (argv_array, g_strdup ("--bind"));
 g_ptr_array_add (argv_array, g_strdup (basedir));
 g_ptr_array_add (argv_array, g_strdup (basedir));
+ g_ptr_array_add (argv_array, g_strdup ("--"));
 #endif
 g_ptr_array_add (argv_array, g_file_get_path (child));
 g_ptr_array_add (argv_array, g_strdup (basedir));
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 08bfe54a..4c7f94f3 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
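Review bot: The new `flatpak_bwrap_add_args (bwrap, "--", command, NULL);` carries no explanation, unlike the same fix in add_bwrap_wrapper in common/flatpak-run.c, and the flatpak_run_app hunk in that file and the flatpak_dir_run_triggers hunk in common/flatpak-dir.c are equally bare. Whoever later needs another bwrap option here must know it has to go before this line, because anything appended after `--` is handed to `command` instead of bwrap, and the "--" in the argument list does not say that on its own. Suggest `/* End of bwrap options: "command" must never be parsed as one (CVE-2024-32462) */` above the call, with the same note at the two other call sites. flatpak_builtin_build starts and ends outside the hunk.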
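Review bot: The added `g_ptr_array_add (argv_array, g_strdup ("--"));` sits inside the preprocessor-guarded block that closes at `#endif`, so the terminator is only emitted on the sandboxed path, which looks right given that the other path (DISABLE_SANDBOXED_TRIGGERS, going by the commit trailer) has no bwrap in front of the trigger. The argument that follows it is `g_file_get_path (child)`, presumably an absolute path that cannot begin with `-`, so this hunk is defence in depth rather than a fix for a reachable case. A one-line comment saying so, e.g. `/* "--" keeps bwrap from treating the trigger path as an option, even if it ever started with "-" */`, would stop it being dropped later as redundant. flatpak_dir_run_triggers starts and ends outside the hunk.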
@@ -752,6 +752,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap,
 if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
 return FALSE;
+ /* End of options: the next argument will be the executable name */
+ flatpak_bwrap_add_arg (bwrap, "--");
+
 return TRUE;
 }
@@ -3142,7 +3145,7 @@ flatpak_run_app (const char *app_ref,
 if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
 return FALSE;
- flatpak_bwrap_add_arg (bwrap, command);
+ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
 if (!add_rest_args (bwrap, app_ref_parts[1], exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,
-- 
2.44.0

From b758670addf94e4255deff8e77ba82d7328933a6 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Tue, 16 Apr 2024 10:50:00 +0100
Subject: [PATCH 2/2] test-run: Add a reproducer for CVE-2024-32462

Signed-off-by: Simon McVittie
---
 tests/test-run.sh | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/tests/test-run.sh b/tests/test-run.sh
index 9d83d82e..ab2c0089 100755
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -23,7 +23,7 @@ set -euo pipefail
 skip_without_bwrap
-echo "1..12"
+echo "1..13"
 setup_repo
 install_repo
@@ -69,6 +69,15 @@ assert_file_has_content hello_out '^Hello world, from a sandbox$'
 echo "ok hello"
+# This should try and fail to run e.g. /usr/bin/--tmpfs, which will
+# exit with status 127 because there is no such executable.
+# It should not pass "--tmpfs /blah hello.sh" as bwrap options.
+exit_status=0
+run --command=--tmpfs org.test.Hello /blah hello.sh >&2 || exit_status=$?
+assert_not_streq "$exit_status" 0
+
+echo "ok avoided CVE-2024-32462"
+
 run_sh cat /run/user/`id -u`/flatpak-info > fpi
 assert_file_has_content fpi '^name=org.test.Hello$'
-- 
2.44.0
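Review bot: add_bwrap_wrapper now appends `--` unconditionally just before `return TRUE;`, which makes the helper's contract order-sensitive: every caller must add the executable name immediately after this call, and any bwrap option a caller appends afterwards is silently passed to that executable instead of being parsed by bwrap. That contract is only visible from the inline comment on the `--` line; it belongs in the function's doc comment as well, e.g. `/* On success the argv ends in "--": the caller must add the executable next and may not add further bwrap options. */`. add_bwrap_wrapper starts outside the hunk, and its callers (flatpak_run_maybe_start_dbus_proxy, per the commit trailer) are not in view, so whether each of them already respects this ordering cannot be checked here.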
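Review bot: `assert_not_streq "$exit_status" 0` proves that `run --command=--tmpfs ...` failed, but not that it failed for the intended reason, so the test also passes when the fixture is broken, for example bwrap being unusable or the app missing, which would hide the fact that the regression is no longer being exercised. The comment two lines above already names the expected status, 127 for "no such executable", so pinning it with `assert_streq "$exit_status" 127` makes a wrong-reason failure visible, provided 127 is stable across the bwrap versions the suite is run against. Since `>&2` discards the output, asserting on the captured "not found" diagnostic would be the fallback if the exact status turns out to vary.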