Overview
Request 1169128 revoked
Update to 1.15.8: as the CVE looks quite problematic I thought I would try and
help to speed up the update. Please have a close look if this seems okay.
Somewhat unsure about the meson options.
old: GNOME:Factory/flatpak
new: home:rfrohl:branches:GNOME:Factory/flatpak rev None
Index: flatpak.changes
===================================================================
--- flatpak.changes (revision 192)
+++ flatpak.changes (revision 26)
@@ -1,4 +1,52 @@
-------------------------------------------------------------------
+Fri Apr 19 08:05:28 UTC 2024 - Robert Frohl
+
+- Update to version 1.15.8:
+ + Security fixes:
+ - Don't allow an executable name to be misinterpreted as a command-line
+ option for bwrap(1). This prevents a sandbox escape where a malicious
+ or compromised app could ask xdg-desktop-portal to generate a .desktop
+ file with access to files outside the sandbox. (CVE-2024-32462, boo#1223110)
+ + Other bug fixes:
+ - Pass the -export-dynamic linker option as -Wl,-export-dynamic,
+ fixing build failures with clang 18 and lld 18
+ - Fix a double-free when installation is cancelled
+ - Fix installed-tests failure with "FUSERMOUNT: unbound variable"
+ - Translation updates: pt_BR, tr
+
+- Update to version 1.15.7:
+ + New features:
+ - Automatically remove obsolete driver versions and other autopruned refs
+ - --socket=inherit-wayland-socket
+ - Automatically reload D-Bus session bus configuration after installing
+ or upgrading apps, to pick up any exported D-Bus services
+ + Bug fixes:
+ - Don't parse as the application name
+ - Don't refuse to start apps when there is no D-Bus system bus available
+ - Don't try to repeat migration of apps whose data was migrated to a new
+ name and then deleted
+ - Improve handling of mixed locales on systems with systemd-localed
+ - Improve display of ellipsized columns in wide terminals
+ - Make flatpak info -e look for extensions in all installations
+ - Fix warnings from newer GLib versions
+ - Always set the container environment variable
+ - Always let the app inherit redirected file descriptors
+ - In flatpak ps, add xdg-desktop-portal-gnome to the list of backends
+ we'll use to learn which apps are running in the background
+ - Don't use WAYLAND_SOCKET unless given --socket=inherit-wayland-socket
+ - Use fusermount3 if compiled with FUSE 3, overridable with -Dsystem_fusermount compile-time option
+ - Avoid leaking a temporary variable from /etc/profile.d/flatpak.sh into the shell environment
+ - Improve async-signal safety
+ - Fix various memory leaks
+ - Avoid undefined behaviour of signed left-shift when storing object IDs in a hash table
+ - Detect the correct gtk-doc when cross-compiling
+ - Detect the correct wayland-scanner when cross-compiling
+ - Documentation improvements
+ - Skip more tests when FUSE isn't available
+ - Translation updates
+- add libglnx.patch to fix meson function detection
+
+-------------------------------------------------------------------
Tue Mar 19 08:06:34 UTC 2024 - Antonio Larrosa
- Make flatpak-remote-flathub only supplement flatpak in TW
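Review bot: The new changelog block does not record the packaging changes made in flatpak.spec: the switch from autotools to meson, the new BuildRequires (cmake, malcontent-devel, meson, socat) and the two extra man pages in %files. Only "add libglnx.patch" is listed, and it follows the 1.15.7 list without a separating blank line. Please add a bullet for the build system switch. Also, the 1.15.7 bug fix "Don't parse as the application name" does not say what is no longer parsed, and the bare "--socket=inherit-wayland-socket" under New features has no description; check both against the upstream NEWS text.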
Index: flatpak.spec
===================================================================
--- flatpak.spec (revision 192)
+++ flatpak.spec (revision 26)
@@ -35,7 +35,7 @@
%define support_environment_generators 1
%endif
Name: flatpak
-Version: 1.15.6
+Version: 1.15.8
Release: 0
Summary: OSTree based application bundles management
License: LGPL-2.1-or-later
@@ -49,9 +49,12 @@
Source5: https://flathub.org/repo/flathub.flatpakrepo
# PATCH-FEATURE-OPENSUSE polkit_rules_usability.patch -- Make the rules comply with openSUSE expectations
Patch0: polkit_rules_usability.patch
+# PATCH-FIX-UPSTREAM libglnx.patch https://gitlab.gnome.org/GNOME/libglnx/-/merge_requests/57
+Patch1: libglnx.patch
BuildRequires: bison
BuildRequires: bubblewrap >= %{bubblewrap_version}
+BuildRequires: cmake
BuildRequires: docbook-xsl-stylesheets
BuildRequires: gtk-doc
BuildRequires: intltool >= 0.35.0
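Review bot: BuildRequires: cmake is added with no comment saying what needs it, while the build itself is driven by meson (added in the next hunk). If it is only there for meson's dependency lookup, say so in a comment, or drop it if pkgconfig is sufficient. The hunk also does not show %prep, so please confirm that Patch1 is actually applied there.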
@@ -59,9 +62,12 @@
BuildRequires: libgpg-error-devel
BuildRequires: libgpgme-devel >= 1.1.8
BuildRequires: libtool
+BuildRequires: malcontent-devel
+BuildRequires: meson
BuildRequires: pkgconfig
BuildRequires: python3-pyparsing
BuildRequires: selinux-policy-devel
+BuildRequires: socat
BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-tools
BuildRequires: xdg-dbus-proxy >= %{xdg_dbus_proxy_version}
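Review bot: malcontent-devel is a new build dependency, but the %meson call later in this diff sets no option for it, so parental-controls support would be decided by auto-detection and is not mentioned in flatpak.changes. Either pin the feature explicitly in the %meson options or note the newly enabled feature in the changelog. socat looks like a test-only dependency; if no %check section runs the test suite, it can be dropped.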
@@ -163,8 +169,8 @@
Summary: Add Flathub repository to system flatpak
Group: System/Packages
Requires: flatpak
-Requires(postun): flatpak
-Requires(postun): sed
+Requires(postun):flatpak
+Requires(postun):sed
%if 0%{?suse_version} > 1600
Supplements: flatpak
%endif
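Review bot: The two Requires(postun) lines lose the space after the colon ("Requires(postun):flatpak", "Requires(postun):sed"), which is unrelated to the version update and inconsistent with the neighbouring "Requires: flatpak" and "Supplements: flatpak" lines. Please revert this whitespace-only change so the hunk disappears from the diff.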
@@ -204,27 +210,23 @@
sed -i -e '1s,#!%{_bindir}/env python3,#!%{_bindir}/python3,' scripts/flatpak-*
%build
-./autogen.sh
-%configure \
- --disable-silent-rules \
- --with-system-bubblewrap \
- --with-curl \
- --with-priv-mode=none \
- --with-dbus-config-dir=%{_dbusconfigdir} \
- --with-system-dbus-proxy=%{_bindir}/xdg-dbus-proxy \
+%meson \
+ -Dsystem_bubblewrap=bwrap \
+ -Dhttp_backend=curl \
+ -Ddbus_config_dir=%{_dbusconfigdir} \
+ -Dsystem_dbus_proxy=%{_bindir}/xdg-dbus-proxy \
%if !%{support_environment_generators}
- --enable-gdm-env-file \
+ -Dgdm_env_file=enabled \
%endif
- --enable-documentation \
- --enable-gtk-doc \
- --with-wayland-security-context=yes \
- --with-selinux_module=yes \
- %{nil}
-%make_build
+ -Dgtkdoc=enabled \
+ -Dwayland_security_context=enabled \
+ -Dselinux_module=enabled \
+ %{nil}
+%meson_build
%sysusers_generate_pre system-helper/flatpak.conf system-user-flatpak flatpak.conf
%install
-%make_install
+%meson_install
find %{buildroot} -type f -name "*.la" -delete -print
mkdir -p %{buildroot}%{_sbindir}
ln -s service %{buildroot}%{_sbindir}/rcflatpak-system-helper
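Review bot: -Dsystem_bubblewrap=bwrap passes a bare program name, while -Dsystem_dbus_proxy three lines further down gets an absolute path. Since this update exists for a bwrap-related sandbox escape, pin the sandbox helper to %{_bindir}/bwrap so its location does not depend on how the bare name is resolved. Two autotools switches also have no counterpart in the new call: --with-priv-mode=none and --enable-documentation (only -Dgtkdoc=enabled is carried over). Please check the meson option list for their equivalents and confirm the man pages listed in %files are still built. The find ... "*.la" line in %install is a libtool leftover and can probably go now that %make_install is replaced by %meson_install.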
@@ -331,7 +333,9 @@
%{_mandir}/man1/%{name}*.1%{?ext_man}
%{_mandir}/man5/flatpak-metadata.5%{?ext_man}
%{_mandir}/man5/flatpak-flatpakref.5%{?ext_man}
+%{_mandir}/man5/flatpakref.5%{?ext_man}
%{_mandir}/man5/flatpak-flatpakrepo.5%{?ext_man}
+%{_mandir}/man5/flatpakrepo.5%{?ext_man}
%{_mandir}/man5/flatpak-installation.5%{?ext_man}
%{_mandir}/man5/flatpak-remote.5%{?ext_man}
%{_datadir}/%{name}/
Index: flatpak-1.15.8.tar.xz
===================================================================
Binary file flatpak-1.15.8.tar.xz (revision 26) added
Index: libglnx.patch
===================================================================
--- libglnx.patch (added)
+++ libglnx.patch (revision 26)
@@ -0,0 +1,13 @@
+Index: flatpak-1.15.8/subprojects/libglnx/meson.build
+===================================================================
+--- flatpak-1.15.8.orig/subprojects/libglnx/meson.build
++++ flatpak-1.15.8/subprojects/libglnx/meson.build
+@@ -40,7 +40,7 @@ foreach check_function : check_functions
+ #include
+ #include
+
+- int func (void) {
++ void func (void) {
+ (void) ''' + check_function + ''';
+ }
+ ''',
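Review bot: libglnx.patch has no description header, so nothing in the file says why func changes from int to void. The body is only a (void) cast with no return statement, which is presumably what makes the function checks fail. Add a short header above the Index line with the upstream merge request URL already given in the spec comment, plus a reminder to drop the patch once the bundled libglnx includes the fix.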
Index: flatpak-1.15.6.tar.xz
===================================================================
Binary file flatpak-1.15.6.tar.xz (revision 192) deleted
- Created by rfrohl
- In state revoked
- Open review for gnome-maintainers
Request History
rfrohl created request
gnome-review-bot accepted review
Check script succeeded
rfrohl revoked request
message too long