SUSE:SLE-15-SP5:Update
flatpak
flatpak-CVE-2024-42472-part03-6bd603f6.patch
File flatpak-CVE-2024-42472-part03-6bd603f6.patch of Package flatpak
From 6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75 From: Alexander Larsson <alexl@redhat.com> Date: Tue, 18 Jun 2024 11:31:05 +0200 Subject: [PATCH] persist directories: Pass using new bwrap --bind-fd option References: CVE-2024-42472 References: bsc#1229157 Upstream: Backport from upstream Instead of passing a /proc/self/fd bind mount we use --bind-fd, which has two advantages: * bwrap closes the fd when used, so it doesn't leak into the started app * bwrap ensures that what was mounted was the passed in fd (same dev/ino), as there is a small (required) gap between symlink resolve and mount where the target path could be replaced. Please note that this change requires an updated version of bubblewrap. Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87 [smcv: Make whitespace consistent] Co-authored-by: Simon McVittie <smcv@collabora.com> Signed-off-by: Simon McVittie <smcv@collabora.com> --- common/flatpak-context.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- flatpak-1.14.5/common/flatpak-context.c +++ flatpak-1.14.5_new/common/flatpak-context.c @@ -2961,10 +2961,10 @@ continue; } - g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd); + g_autofree char *src_via_proc = g_strdup_printf ("%d", src_fd); flatpak_bwrap_add_fd (bwrap, g_steal_fd (&src_fd)); - flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest); + flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest); } }
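Review bot: the hunk switches the bind from a `/proc/self/fd/%d` path to the new `--bind-fd` option, but nothing in this change enforces the newer bubblewrap it depends on; the commit message itself says "this change requires an updated version of bubblewrap", and the diffstat shows only common/flatpak-context.c is touched. On a host whose bwrap predates `--bind-fd`, `flatpak run` will fail at bwrap argument parsing for any app using persist directories, so the backport should land together with a matching minimum-version requirement on the bubblewrap dependency (or a runtime check that falls back or errors clearly). The mechanics of the hunk itself look correct: the fd number is formatted into `src_via_proc` before `g_steal_fd (&src_fd)` clears it, and the fd is still registered with `flatpak_bwrap_add_fd` so it stays open until bwrap consumes and closes it, which is what gives the same-dev/ino check described in the message its meaning.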