Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:dirkmueller:acdc:as_python3_module
flatpak
flatpak-CVE-2024-42472-part02-2cdd1e1e.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File flatpak-CVE-2024-42472-part02-2cdd1e1e.patch of Package flatpak
From 2cdd1e1e5ae90d7c3a4b60ce2e36e4d609e44e72 From: Alexander Larsson <alexl@redhat.com> Date: Mon, 3 Jun 2024 12:59:05 +0200 Subject: [PATCH] Add test coverage for --persist References: CVE-2024-42472 References: bsc#1229157 Upstream: Backport from upstream This adds three "positive" tests: the common case --persist=.persist, the deprecated spelling --persist=/.persist, and the less common special case --persist=. as used by Steam. It also adds "negative" tests for CVE-2024-42472: if the --persist directory is a symbolic link or contains path segment "..", we want that to be rejected. Reproduces: CVE-2024-42472, GHSA-7hgv-f2j8-xw87 [smcv: Add "positive" tests] [smcv: Exercise --persist=..] [smcv: Assert that --persist with a symlink produces expected message] Co-authored-by: Simon McVittie <smcv@collabora.com> Signed-off-by: Simon McVittie <smcv@collabora.com> --- tests/test-run.sh | 41 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) --- flatpak-1.12.8/tests/test-run.sh +++ flatpak-1.12.8_new/tests/test-run.sh @@ -503,3 +503,42 @@ assert_file_has_content out "^sdk=org\.test\.Sdk/$(flatpak --default-arch)/stable$" ok "--sdk option" + +rm -fr "$HOME/.var/app/org.test.Hello" +mkdir -p "$HOME/.var/app/org.test.Hello" +run --command=sh --persist=.persist org.test.Hello -c 'echo can-persist > .persist/rc' +sed -e 's,^,#--persist=.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2 +assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist" + +ok "--persist=.persist persists a directory" + +rm -fr "$HOME/.var/app/org.test.Hello" +mkdir -p "$HOME/.var/app/org.test.Hello" +# G_DEBUG= to avoid the deprecation warning being fatal +G_DEBUG= run --command=sh --persist=/.persist org.test.Hello -c 'echo can-persist > .persist/rc' +sed -e 's,^,#--persist=/.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2 +assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist" + +ok "--persist=/.persist is a deprecated form of --persist=.persist" + +rm -fr "$HOME/.var/app/org.test.Hello" +mkdir -p "$HOME/.var/app/org.test.Hello" +run --command=sh --persist=. org.test.Hello -c 'echo can-persist > .persistrc' +sed -e 's,^,#--persist=.# ,g' < "$HOME/.var/app/org.test.Hello/.persistrc" >&2 +assert_file_has_content "$HOME/.var/app/org.test.Hello/.persistrc" "can-persist" + +ok "--persist=. persists all files" + +mkdir "${TEST_DATA_DIR}/inaccessible" +echo FOO > ${TEST_DATA_DIR}/inaccessible/secret-file +rm -fr "$HOME/.var/app/org.test.Hello" +mkdir -p "$HOME/.var/app/org.test.Hello" +ln -fns "${TEST_DATA_DIR}/inaccessible" "$HOME/.var/app/org.test.Hello/persist" +# G_DEBUG= to avoid the warnings being fatal when we reject a --persist option. +# LC_ALL=C so we get the expected non-localized string. +LC_ALL=C G_DEBUG= run --command=ls --persist=persist --persist=relative/../escape org.test.Hello -la ~/persist &> hello_out || true +sed -e 's,^,#--persist=symlink# ,g' < hello_out >&2 +assert_file_has_content hello_out "not allowed to avoid sandbox escape" +assert_not_file_has_content hello_out "secret-file" + +ok "--persist doesn't allow sandbox escape via a symlink (CVE-2024-42472)"
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
