Bug#984972: unblock: flatpak/1.10.2-1
On Thu, 11 Mar 2021 at 11:50:28 +0000, Simon McVittie wrote:
> [x] attach debdiff against the package in testing
> (note that because several changes have gone from debian/patches/
> to being incorporated in upstream source, this is a diff between
> the patched trees - I hope that's OK)
Sorry, really attached now.
smcv
git diff \
--irreversible-delete \
archive/debian/1.10.1-4..archive/debian/1.10.2-1 \
| filterdiff \
-p1 \
--exclude=Makefile.in \
--exclude=configure \
--exclude='po/*.po' \
--exclude='po/*.pot'
diff --git a/NEWS b/NEWS
index 4fdc070e..06f6a260 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,23 @@
+Changes in 1.10.2
+~~~~~~~~~~~~~~~~~
+Released: 2021-03-10
+
+This is a security update which fixes a potential attack where
+a flatpak application could use custom formated .desktop files to
+gain access to files on the host system.
+
+Other changes:
+
+* Fix memory leaks
+* Some test fixes
+* Documentation updates
+* G_BEGIN/END_DECLS added to library headders for c++ use
+* Fix for X11 cookies on OpenSUSE
+* Spawn portal better handles non-utf8 filenames
+
Changes in 1.10.1
~~~~~~~~~~~~~~~~~
-Released: 2020-01-21
+Released: 2021-01-21
* Fix flatpak build on systems with setuid bwrap
* Fix some compiler warnings
@@ -10,7 +27,7 @@ Released: 2020-01-21
Changes in 1.10.0
~~~~~~~~~~~~~~~~~
-Released: 2020-01-14
+Released: 2021-01-14
This is the first stable release after the 1.9.x unstable series.
The major new feature in this series compared to 1.8 is the support
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 4f8a3380..abeda358 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -1391,8 +1391,8 @@ static GOptionEntry context_options[] = {
{ "nodevice", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_nodevice_cb, N_("Don't expose device to app"), N_("DEVICE") },
{ "allow", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_allow_cb, N_("Allow feature"), N_("FEATURE") },
{ "disallow", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_disallow_cb, N_("Don't allow feature"), N_("FEATURE") },
- { "filesystem", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_filesystem_cb, N_("Expose filesystem to app (:ro for read-only)"), N_("FILESYSTEM[:ro]") },
- { "nofilesystem", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_nofilesystem_cb, N_("Don't expose filesystem to app"), N_("FILESYSTEM") },
+ { "filesystem", 0, G_OPTION_FLAG_IN_MAIN | G_OPTION_FLAG_FILENAME, G_OPTION_ARG_CALLBACK, &option_filesystem_cb, N_("Expose filesystem to app (:ro for read-only)"), N_("FILESYSTEM[:ro]") },
+ { "nofilesystem", 0, G_OPTION_FLAG_IN_MAIN | G_OPTION_FLAG_FILENAME, G_OPTION_ARG_CALLBACK, &option_nofilesystem_cb, N_("Don't expose filesystem to app"), N_("FILESYSTEM") },
{ "env", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_env_cb, N_("Set environment variable"), N_("VAR=VALUE") },
{ "env-fd", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_env_fd_cb, N_("Read environment variables in env -0 format from FD"), N_("FD") },
{ "unset-env", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_unset_env_cb, N_("Remove variable from environment"), N_("VAR") },
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 82f2ce68..94a86f4a 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -7139,8 +7139,12 @@ export_desktop_file (const char *app,
g_string_append_printf (new_exec, " @@ %s @@", arg);
else if (strcasecmp (arg, "%u") == 0)
g_string_append_printf (new_exec, " @@u %s @@", arg);
- else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
- g_print (_("Skipping invalid Exec argument %s\n"), arg);
+ else if (g_str_has_prefix (arg, "@@"))
+ {
+ flatpak_fail_error (error, FLATPAK_ERROR_EXPORT_FAILED,
+ _("Invalid Exec argument %s"), arg);
+ goto out;
+ }
else
g_string_append_printf (new_exec, " %s", arg);
}
diff --git a/common/flatpak-error.h b/common/flatpak-error.h
index 5ef23378..d343f90b 100644
--- a/common/flatpak-error.h
+++ b/common/flatpak-error.h
@@ -33,7 +33,7 @@ G_BEGIN_DECLS
/* NOTE: If you add an error code below, also update the list in common/flatpak-utils.c */
/**
* FlatpakError:
- * @FLATPAK_ERROR_ALREADY_INSTALLED: App/runtime is already installed
+ * @FLATPAK_ERROR_ALREADY_INSTALLED: App/runtime/remote is already installed
* @FLATPAK_ERROR_NOT_INSTALLED: App/runtime is not installed
* @FLATPAK_ERROR_ONLY_PULLED: App/runtime was only pulled into the local
* repository but not installed.
diff --git a/common/flatpak-installation.c b/common/flatpak-installation.c
index 68c9936d..0c7559ad 100644
--- a/common/flatpak-installation.c
+++ b/common/flatpak-installation.c
@@ -736,6 +736,7 @@ get_ref (FlatpakDir *dir,
g_autoptr(GBytes) deploy_data = NULL;
g_autofree const char **subpaths = NULL;
g_autofree char *collection_id = NULL;
+ g_autoptr(GHashTable) content_rating = NULL;
gboolean is_current = FALSE;
guint64 installed_size = 0;
@@ -764,6 +765,7 @@ get_ref (FlatpakDir *dir,
latest_commit = flatpak_dir_read_latest (dir, origin, flatpak_decomposed_get_ref (ref), &latest_alt_id, NULL, NULL);
collection_id = flatpak_dir_get_remote_collection_id (dir, origin);
+ content_rating = flatpak_deploy_data_get_appdata_content_rating (deploy_data);
return flatpak_installed_ref_new (ref,
alt_id ? alt_id : commit,
@@ -779,7 +781,7 @@ get_ref (FlatpakDir *dir,
flatpak_deploy_data_get_appdata_version (deploy_data),
flatpak_deploy_data_get_appdata_license (deploy_data),
flatpak_deploy_data_get_appdata_content_rating_type (deploy_data),
- flatpak_deploy_data_get_appdata_content_rating (deploy_data));
+ content_rating);
}
/**
diff --git a/common/flatpak-ref.c b/common/flatpak-ref.c
index 5ac46087..84773548 100644
--- a/common/flatpak-ref.c
+++ b/common/flatpak-ref.c
@@ -39,6 +39,13 @@
* flatpak_ref_parse() and flatpak_ref_format_ref() can be used to convert
* FlatpakRef objects into this string representation and back.
*
+ * Note that the identifiers must be unique within a repo (e.g. Flathub) based
+ * only on the name, arch, and branch 3-tuple, without regard to the kind. In
+ * other words if app/org.gnome.evince/x86_64/master exists,
+ * runtime/org.gnome.evince/x86_64/master must not exist. This requirement is
+ * not enforced by libflatpak but is enforced by GNOME Software's use of
+ * libappstream, since Appstream IDs are assumed to be unique.
+ *
* FlatpakRef objects are immutable and can be passed freely between threads.
*
* To uniquely identify a particular version of an application or runtime, you
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 4eeac123..f48f402a 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -118,7 +118,24 @@ xauth_entry_should_propagate (Xauth *xa,
/* ensure entry is for this machine */
if (xa->family == FamilyLocal && !auth_streq (hostname, xa->address, xa->address_length))
- return FALSE;
+ {
+ /* OpenSUSE inherits the hostname value from DHCP without updating
+ * its X11 authentication cookie. The old hostname value can still
+ * be found in the environment variable XAUTHLOCALHOSTNAME.
+ * For reference:
+ * https://bugzilla.opensuse.org/show_bug.cgi?id=262309
+ * For this reason if we have a cookie whose address is equal to the
+ * variable XAUTHLOCALHOSTNAME, we still need to propagate it, but
+ * we also need to change its address to `unames.nodename`.
+ */
+ const char *xauth_local_hostname;
+ xauth_local_hostname = g_getenv ("XAUTHLOCALHOSTNAME");
+ if (xauth_local_hostname == NULL)
+ return FALSE;
+
+ if (!auth_streq ((char *) xauth_local_hostname, xa->address, xa->address_length))
+ return FALSE;
+ }
/* ensure entry is for this session */
if (xa->number != NULL && !auth_streq (number, xa->number, xa->number_length))
@@ -160,6 +177,17 @@ write_xauth (char *number, FILE *output)
local_xa.number_length = 2;
}
+ if (local_xa.family == FamilyLocal &&
+ !auth_streq (unames.nodename, local_xa.address, local_xa.address_length))
+ {
+ /* If we decided to propagate this cookie, but its address
+ * doesn't match `unames.nodename`, we need to change it or
+ * inside the container it will not work.
+ */
+ local_xa.address = unames.nodename;
+ local_xa.address_length = strlen (local_xa.address);
+ }
+
if (!XauWriteAuth (output, &local_xa))
g_warning ("xauth write error");
}
diff --git a/common/flatpak-version-macros.h b/common/flatpak-version-macros.h
index 2d10351b..2971afee 100644
--- a/common/flatpak-version-macros.h
+++ b/common/flatpak-version-macros.h
@@ -45,7 +45,7 @@
*
* The micro version.
*/
-#define FLATPAK_MICRO_VERSION (1)
+#define FLATPAK_MICRO_VERSION (2)
/**
* FLATPAK_CHECK_VERSION:
diff --git a/configure.ac b/configure.ac
index bd650c17..c879e472 100644
--- a/configure.ac
+++ b/configure.ac
@@ -15,7 +15,7 @@ AC_PREREQ([2.63])
m4_define([flatpak_major_version], [1])
m4_define([flatpak_minor_version], [10])
-m4_define([flatpak_micro_version], [1])
+m4_define([flatpak_micro_version], [2])
m4_define([flatpak_extra_version], [])
m4_define([flatpak_interface_age], [0])
m4_define([flatpak_binary_age],
diff --git a/debian/changelog b/debian/changelog
index 9f78161e..e4bb4964 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,27 @@
+flatpak (1.10.2-1) unstable; urgency=medium
+
+ * New upstream stable release
+ - Make --filesystem, --nofilesystem accept non-ASCII filenames more
+ reliably
+ - Improve solution for #984859 so it refuses to install apps that
+ appear to be trying to exploit the vulnerability
+ - Fix a memory leak
+ - Improve compatibility with openSUSE's X authentication setup
+ - Use a single version of Docbook for all documentation
+ - This release also incorporates the fixes that were applied in
+ 1.10.1-2 and 1.10.1-3, and part of 1.10.1-4
+ * Drop patches that were applied upstream
+ * d/p/tests-Remove-hard-coded-references-to-x86_64.patch:
+ Mark the remaining patch as applied upstream for 1.11.0
+ * Add reference to #984859 in previous changelog entry
+
+ -- Simon McVittie <smcv@debian.org> Wed, 10 Mar 2021 10:58:32 +0000
+
flatpak (1.10.1-4) unstable; urgency=high
* d/p/Disallow-and-u-usage-in-desktop-files.patch:
Add proposed patch to fix a sandbox escape via crafted .desktop
- files (flatpak#4146). Thanks, Ryan Gonzalez
+ files (flatpak#4146, Closes: #984859). Thanks, Ryan Gonzalez
* d/p/tests-Remove-hard-coded-references-to-x86_64.patch:
Add proposed patch to fix some tests on non-x86_64 machines.
The affected tests were already skipped in schroot/lxc for other
diff --git a/debian/patches/Add-G_BEGIN_DECLS-G_END_DECLS-to-public-headers.patch b/debian/patches/Add-G_BEGIN_DECLS-G_END_DECLS-to-public-headers.patch
deleted file mode 100644
index a159c769..00000000
diff --git a/debian/patches/Disallow-and-u-usage-in-desktop-files.patch b/debian/patches/Disallow-and-u-usage-in-desktop-files.patch
diff --git a/debian/patches/Disallow-and-u-usage-in-desktop-files.patch b/debian/patches/Disallow-and-u-usage-in-desktop-files.patch
deleted file mode 100644
index ac4267e4..00000000
diff --git a/debian/patches/series b/debian/patches/series
diff --git a/debian/patches/series b/debian/patches/series
index 34822091..ee9cda11 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1 @@
-testlibrary-Fix-memory-leaks.patch
-Add-G_BEGIN_DECLS-G_END_DECLS-to-public-headers.patch
-tests-Disable-revokefs-if-FUSE-doesn-t-work.patch
-Disallow-and-u-usage-in-desktop-files.patch
tests-Remove-hard-coded-references-to-x86_64.patch
diff --git a/debian/patches/testlibrary-Fix-memory-leaks.patch b/debian/patches/testlibrary-Fix-memory-leaks.patch
deleted file mode 100644
index a1a1ae26..00000000
diff --git a/debian/patches/tests-Disable-revokefs-if-FUSE-doesn-t-work.patch b/debian/patches/tests-Disable-revokefs-if-FUSE-doesn-t-work.patch
diff --git a/debian/patches/tests-Disable-revokefs-if-FUSE-doesn-t-work.patch b/debian/patches/tests-Disable-revokefs-if-FUSE-doesn-t-work.patch
deleted file mode 100644
index c81ee5de..00000000
diff --git a/debian/patches/tests-Remove-hard-coded-references-to-x86_64.patch b/debian/patches/tests-Remove-hard-coded-references-to-x86_64.patch
diff --git a/debian/patches/tests-Remove-hard-coded-references-to-x86_64.patch b/debian/patches/tests-Remove-hard-coded-references-to-x86_64.patch
index b1138b7f..9f74db9e 100644
--- a/debian/patches/tests-Remove-hard-coded-references-to-x86_64.patch
+++ b/debian/patches/tests-Remove-hard-coded-references-to-x86_64.patch
@@ -7,6 +7,7 @@ x86_64 to look for in output dooms that to failure.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Forwarded: https://github.com/flatpak/flatpak/pull/4142
+Applied-upstream: 1.11.0, commit:ba381ae9368c0e6e233c52254e698f5f64903036
---
tests/test-oci.sh | 2 +-
tests/test-unused.sh | 2 +-
diff --git a/doc/flatpak-info.xml b/doc/flatpak-info.xml
index 30ceffea..a4448f4d 100644
--- a/doc/flatpak-info.xml
+++ b/doc/flatpak-info.xml
@@ -195,6 +195,16 @@
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>-l</option></term>
+ <term><option>--show-location</option></term>
+
+ <listitem><para>
+ Show the on-disk location of the app or runtime. See the
+ examples below.
+ </para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>-v</option></term>
<term><option>--verbose</option></term>
diff --git a/doc/flatpak-pin.xml b/doc/flatpak-pin.xml
index 9fa8217a..04e5312a 100644
--- a/doc/flatpak-pin.xml
+++ b/doc/flatpak-pin.xml
@@ -1,6 +1,6 @@
<?xml version='1.0'?> <!--*-nxml-*-->
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<refentry id="flatpak-pin">
diff --git a/doc/reference/Makefile.am b/doc/reference/Makefile.am
index 88bd31bb..6aaa3451 100644
--- a/doc/reference/Makefile.am
+++ b/doc/reference/Makefile.am
@@ -88,6 +88,10 @@ TESTS = $(GTKDOC_CHECK)
endif
sgml.stamp: $(dbus_stamp_files)
+# gdbus-codegen hardcodes DocBook version
+ $(AM_V_GEN)$(SED) -i \
+ -e 's|http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd|http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd|' \
+ -e 's|-//OASIS//DTD DocBook XML V4.1.2//EN|-//OASIS//DTD DocBook XML V4.5//EN|' $(xml_files)
dbus-%.stamp: $(top_srcdir)/data/%.xml
$(AM_V_GEN)$(GDBUS_CODEGEN) --generate-docbook=dbus $<
diff --git a/doc/reference/Makefile.in b/doc/reference/Makefile.in
index 5f6d9561..816c878f 100644
--- a/doc/reference/Makefile.in
+++ b/doc/reference/Makefile.in
@@ -1308,6 +1308,10 @@ dist-hook: dist-check-gtkdoc all-gtk-doc dist-hook-local
.PHONY : dist-hook-local docs
sgml.stamp: $(dbus_stamp_files)
+# gdbus-codegen hardcodes DocBook version
+ $(AM_V_GEN)$(SED) -i \
+ -e 's|http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd|http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd|' \
+ -e 's|-//OASIS//DTD DocBook XML V4.1.2//EN|-//OASIS//DTD DocBook XML V4.5//EN|' $(xml_files)
dbus-%.stamp: $(top_srcdir)/data/%.xml
$(AM_V_GEN)$(GDBUS_CODEGEN) --generate-docbook=dbus $<
diff --git a/doc/reference/html/FlatpakRef.html b/doc/reference/html/FlatpakRef.html
index 31449adc..cfca17d3 100644
--- a/doc/reference/html/FlatpakRef.html
+++ b/doc/reference/html/FlatpakRef.html
@@ -189,6 +189,12 @@ can refer to either of these.</p>
name, arch and branch, e.g. app/org.gnome.evince/x86_64/master. The functions
<a class="link" href="FlatpakRef.html#flatpak-ref-parse" title="flatpak_ref_parse ()"><code class="function">flatpak_ref_parse()</code></a> and <a class="link" href="FlatpakRef.html#flatpak-ref-format-ref" title="flatpak_ref_format_ref ()"><code class="function">flatpak_ref_format_ref()</code></a> can be used to convert
FlatpakRef objects into this string representation and back.</p>
+<p>Note that the identifiers must be unique within a repo (e.g. Flathub) based
+only on the name, arch, and branch 3-tuple, without regard to the kind. In
+other words if app/org.gnome.evince/x86_64/master exists,
+runtime/org.gnome.evince/x86_64/master must not exist. This requirement is
+not enforced by libflatpak but is enforced by GNOME Software's use of
+libappstream, since Appstream IDs are assumed to be unique.</p>
<p>FlatpakRef objects are immutable and can be passed freely between threads.</p>
<p>To uniquely identify a particular version of an application or runtime, you
need a commit.</p>
diff --git a/doc/reference/html/flatpak-Error-codes.html b/doc/reference/html/flatpak-Error-codes.html
index 9ea7bbc8..61aaac79 100644
--- a/doc/reference/html/flatpak-Error-codes.html
+++ b/doc/reference/html/flatpak-Error-codes.html
@@ -91,7 +91,7 @@ for some common errors.</p>
<tr>
<td class="enum_member_name"><p><a name="FLATPAK-ERROR-ALREADY-INSTALLED:CAPS"></a>FLATPAK_ERROR_ALREADY_INSTALLED</p></td>
<td class="enum_member_description">
-<p>App/runtime is already installed</p>
+<p>App/runtime/remote is already installed</p>
</td>
<td class="enum_member_annotations"> </td>
</tr>
diff --git a/doc/reference/html/flatpak-Version-information.html b/doc/reference/html/flatpak-Version-information.html
index 196567f7..d8ca0a18 100644
--- a/doc/reference/html/flatpak-Version-information.html
+++ b/doc/reference/html/flatpak-Version-information.html
@@ -129,7 +129,7 @@
<hr>
<div class="refsect2">
<a name="FLATPAK-MICRO-VERSION:CAPS"></a><h3>FLATPAK_MICRO_VERSION</h3>
-<pre class="programlisting">#define FLATPAK_MICRO_VERSION (1)
+<pre class="programlisting">#define FLATPAK_MICRO_VERSION (2)
</pre>
<p>The micro version.</p>
</div>
diff --git a/doc/reference/html/index.html b/doc/reference/html/index.html
index c23e53ab..f381bbe3 100644
--- a/doc/reference/html/index.html
+++ b/doc/reference/html/index.html
@@ -15,7 +15,7 @@
<div>
<div><table class="navigation" id="top" width="100%" cellpadding="2" cellspacing="0"><tr><th valign="middle"><p class="title">Flatpak Library Reference Manual</p></th></tr></table></div>
<div><p class="releaseinfo">
- For flatpak 1.10.1
+ For flatpak 1.10.2
</p></div>
</div>
diff --git a/tests/package_version.txt b/tests/package_version.txt
index 4dae2985..5ad2491c 100644
--- a/tests/package_version.txt
+++ b/tests/package_version.txt
@@ -1 +1 @@
-1.10.1
+1.10.2
Reply to: