File flatpak-CVE-2024-32462.patch of Package flatpak.35425
commit b7c1a558e58aaeb1d007d29529bbb270dc4ff11e Author: Alexander Larsson <alexl@redhat.com> Date: Mon Apr 15 16:10:36 2024 +0200 When starting non-static command using bwrap use "--" This ensures that the command is not taken to be a bwrap option. Resolves: CVE-2024-32462 Resolves: GHSA-phv6-cpc2-2fgj Signed-off-by: Alexander Larsson <alexl@redhat.com> [smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path] [smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct] Signed-off-by: Simon McVittie <smcv@collabora.com> diff -Nura flatpak-1.12.8/app/flatpak-builtins-build.c flatpak-1.12.8_new/app/flatpak-builtins-build.c --- flatpak-1.12.8/app/flatpak-builtins-build.c 2021-10-09 23:55:00.000000000 +0800 +++ flatpak-1.12.8_new/app/flatpak-builtins-build.c 2024-04-29 01:13:05.531995481 +0800 @@ -587,7 +587,8 @@ if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) return FALSE; - flatpak_bwrap_add_args (bwrap, command, NULL); + flatpak_bwrap_add_args (bwrap, "--", command, NULL); + flatpak_bwrap_append_argsv (bwrap, &argv[rest_argv_start + 2], rest_argc - 2); diff -Nura flatpak-1.12.8/common/flatpak-dir.c flatpak-1.12.8_new/common/flatpak-dir.c --- flatpak-1.12.8/common/flatpak-dir.c 2023-01-05 01:44:49.000000000 +0800 +++ flatpak-1.12.8_new/common/flatpak-dir.c 2024-04-29 01:14:14.077277435 +0800 @@ -6817,6 +6817,7 @@ "--proc", "/proc", "--dev", "/dev", "--bind", basedir, basedir, + "--", NULL); #endif flatpak_bwrap_add_args (bwrap, diff -Nura flatpak-1.12.8/common/flatpak-run.c flatpak-1.12.8_new/common/flatpak-run.c --- flatpak-1.12.8/common/flatpak-run.c 2023-03-16 17:55:31.000000000 +0800 +++ flatpak-1.12.8_new/common/flatpak-run.c 2024-04-29 01:17:50.174166325 +0800 @@ -1266,6 +1266,9 @@ if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) return FALSE; + /* End of options: the next argument will be the executable name */ + flatpak_bwrap_add_arg (bwrap, "--"); + return TRUE; } 
@@ -4635,7 +4638,7 @@ if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) return FALSE; - flatpak_bwrap_add_arg (bwrap, command); + flatpak_bwrap_add_args (bwrap, "--", command, NULL); if (!add_rest_args (bwrap, app_id, exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,
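Review bot: In app/flatpak-builtins-build.c at @@ -587, the changed call `flatpak_bwrap_add_args (bwrap, "--", command, NULL);` has no comment saying why the terminator is there, unlike the @@ -1266 hunk in common/flatpak-run.c, which explains it inline. Please add the same one-line comment here (end of options, the next argument is the executable name), so a later cleanup does not drop the `"--"` as redundant. The `flatpak_bwrap_append_argsv (...)` call that follows is fine as it stands, since everything after `"--"` and the command is passed through as the command's arguments.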
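Review bot: In common/flatpak-dir.c at @@ -6817, the new `"--",` is the last element of the argument list that closes just before `#endif`, so the terminator is only emitted when that preprocessor guard is active, while the `flatpak_bwrap_add_args (bwrap,` call after `#endif` is compiled either way. The other side of the guard is not visible in this hunk; please confirm that it either does not invoke bwrap at all or adds its own terminator, and add a short comment next to `"--"` tying it to the bwrap branch. The commit message already mentions a fix-up for the DISABLE_SANDBOXED_TRIGGERS code path, which suggests this placement is easy to get wrong.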
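Review bot: In common/flatpak-run.c at @@ -1266, appending `"--"` immediately before `return TRUE;` changes what callers of this helper may do afterwards: anything added to `bwrap` once it has returned is treated as the executable and its arguments, never as a bwrap option. The inline comment states this at the point of the call, but the function's own header comment should say it too, so a future caller does not append further bwrap options after this function and have them silently become the command line.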
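Review bot: In common/flatpak-run.c at @@ -4635, the switch from `flatpak_bwrap_add_arg (bwrap, command);` to `flatpak_bwrap_add_args (bwrap, "--", command, NULL);` is the core of the fix, yet the patch touches no test file. Please add a regression test asserting that the argument vector built here places `"--"` directly before the command, including the case where the command string itself begins with a dash, and that the arguments appended by `add_rest_args (...)` come after it. A one-line comment on the call, matching the one at @@ -1266, would also help.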