!80 Fix CVE-2024-32462

From: @wk333 Reviewed-by: @lyn1001 Signed-off-by: @lyn1001
2024-04-19 06:48:04 +00:00 · 2024-04-19 06:48:04 +00:00 · de1df69514
commit de1df69514
parent e981cf9ebe 35fd35e02d
2 changed files with 89 additions and 7 deletions
--- a/CVE-2024-32462.patch
+++ b/CVE-2024-32462.patch
@ -0,0 +1,72 @@
+From 72016e3fce8fcbeab707daf4f1a02b931fcc004d Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Mon, 15 Apr 2024 16:10:36 +0200
+Subject: [PATCH] When starting non-static command using bwrap use "--"
+
+Origin: https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d
+
+This ensures that the command is not taken to be a bwrap option.
+
+Resolves: CVE-2024-32462
+Resolves: GHSA-phv6-cpc2-2fgj
+Signed-off-by: Alexander Larsson <alexl@redhat.com>
+[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
+[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+ app/flatpak-builtins-build.c | 2 +-
+ common/flatpak-dir.c         | 1 +
+ common/flatpak-run.c         | 5 ++++-
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
+index ce9ff7e..bb4bd06 100644
+--- a/app/flatpak-builtins-build.c
+++ b/app/flatpak-builtins-build.c
+@@ -569,7 +569,7 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
+   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+     return FALSE;
+ 
+-  flatpak_bwrap_add_args (bwrap, command, NULL);
+  flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+   flatpak_bwrap_append_argsv (bwrap,
+                               &argv[rest_argv_start + 2],
+                               rest_argc - 2);
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index f00e6bf..e7bc1f8 100644
+--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
+@@ -5391,6 +5391,7 @@ flatpak_dir_run_triggers (FlatpakDir   *self,
+           g_ptr_array_add (argv_array, g_strdup ("--dev"));
+           g_ptr_array_add (argv_array, g_strdup ("/dev"));
+           g_ptr_array_add (argv_array, g_strdup ("--bind"));
+          g_ptr_array_add (argv_array, g_strdup ("--"));
+           g_ptr_array_add (argv_array, g_strdup (basedir));
+           g_ptr_array_add (argv_array, g_strdup (basedir));
+ #endif
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index d48be1f..0b2bada 100644
+--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
+@@ -754,6 +754,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap,
+   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+     return FALSE;
+ 
+  /* End of options: the next argument will be the executable name */
+  flatpak_bwrap_add_arg (bwrap, "--");
+
+   return TRUE;
+ }
+ 
+@@ -3176,7 +3179,7 @@ flatpak_run_app (const char     *app_ref,
+   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+     return FALSE;
+ 
+-  flatpak_bwrap_add_arg (bwrap, command);
+  flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+ 
+   if (!add_rest_args (bwrap, app_ref_parts[1],
+                       exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,
+-- 
+2.33.0
+
--- a/flatpak.spec
+++ b/flatpak.spec
@ -1,6 +1,6 @@
 Name:           flatpak
 Version:        1.0.3
-Release:        9
+Release:        12
 Summary:        Application deployment framework for desktop apps
 License:        LGPLv2+
 URL:            http://flatpak.org/
@ -26,16 +26,17 @@ Patch6006:      backport-0007-CVE-2021-41133.patch
 Patch6007:      backport-0008-CVE-2021-41133.patch
 Patch6008:      backport-run-Handle-unknown-syscalls-as-intended.patch
 Patch6009:      backport-Fix-handling-of-syscalls-only-allowed-by-devel.patch
-Patch6010:      backport-0001-CVE-2021-43860.patch
-Patch6011:      backport-0002-CVE-2021-43860.patch
-Patch6012:      backport-0003-CVE-2021-43860.patch
-Patch6013:      backport-0004-CVE-2021-43860.patch
+Patch6010:	backport-0001-CVE-2021-43860.patch
+Patch6011:	backport-0002-CVE-2021-43860.patch
+Patch6012:	backport-0003-CVE-2021-43860.patch
+Patch6013:	backport-0004-CVE-2021-43860.patch
 Patch6014:	backport-0001-CVE-2022-21682.patch
 Patch6015:	backport-0002-CVE-2022-21682.patch
 Patch6016:	backport-0003-CVE-2022-21682.patch
 Patch6017:	backport-0004-CVE-2022-21682.patch
 Patch6018:	backport-0005-CVE-2022-21682.patch
 Patch6019:	backport-0006-CVE-2022-21682.patch
+Patch6020:      CVE-2024-32462.patch

 BuildRequires:  pkgconfig(appstream-glib) pkgconfig(gio-unix-2.0) pkgconfig(gobject-introspection-1.0) >= 1.40.0 pkgconfig(json-glib-1.0) pkgconfig(libarchive) >= 2.8.0
 BuildRequires:  pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2018.7 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau)
@ -130,12 +131,21 @@ flatpak remote-list --system &> /dev/null || :
 %{_mandir}/man5/flatpak-remote.5*

 %changelog
-* Tue Feb 15 2022 dongyuzhen <dongyuzhen@h-partners.com> - 1.0.3-9
+* Fri Apr 19 2024 wangkai <13474090681@163.com> - 1.0.3-12
+- Fix CVE-2024-32462
+
+* Tue Feb 15 2022 dongyuzhen <dongyuzhen@h-partners.com> - 1.0.3-11
 - Fix CVE-2022-21682

-* Sat Jan 29 2022 dongyuzhen <dongyuzhen@h-partners.com> - 1.0.3-8
+* Sat Jan 29 2022 dongyuzhen <dongyuzhen@h-partners.com> - 1.0.3-10
 - Fix CVE-2021-43860

+* Tue Jan 25 2022 hanhui <hanhui15@huawei.com> - 1.0.3-9 
+- revert CVE-2022-21682
+
+* Sat Jan 22 2022 wangkerong <wangkerong@huawei.com> - 1.0.3-8
+- Fix CVE-2022-21682
+
 * Wed Oct 20 2021 zhanzhimin <zhanhzimin@huawei.com> - 1.0.3-7
 - Fix CVE-2021-41133