

No commits in common. 'c8' and 'c9' have entirely different histories.
c8 ... c9

@ -1 +1 @@
e201b45463be6dda24bcc38cd52abe537190a0ec SOURCES/flatpak-builder-1.0.14.tar.xz
59c5dcd6363c3b6bdc0be773d41d1038a92a80d1 SOURCES/flatpak-builder-1.2.2.tar.xz

.gitignore vendored

@ -1 +1 @@
SOURCES/flatpak-builder-1.0.14.tar.xz
SOURCES/flatpak-builder-1.2.2.tar.xz

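--- a/flatpak-builder-CVE-2022-21682.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From dd05ea86a4701a33cc4d271edf0a36b5c972e2e1 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 17 Jan 2022 21:59:02 +0000
-Subject: [PATCH 1/2] Disable filesystem access with --nofilesystem=host:reset
-This requires <https://github.com/flatpak/flatpak/pull/4678>.
-In addition to counteracting an earlier --filesystem=host, in Flatpak
-versions that support it, the new --nofilesystem=host:reset removes all
-filesystem access that might have been inherited from the app manifest
-or overrides. This prevents CVE-2022-21682, while avoiding behaviour
-changes in Flatpak for non-builder use cases.
-In older Flatpak versions, this option acts as --filesystem=host with an
-unknown mode suffix, which is ignored (with a warning, which is harmless
-but will hopefully nudge people towards upgrading Flatpak to a version
-that enables CVE-2022-21682 to be avoided). flatpak-builder will still
-be vulnerable to CVE-2022-21682 in this case.
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 2d1b6799e782d5e5577072aa7bbfed00ddf0b087)
----
-src/builder-main.c | 2 +-
-src/builder-manifest.c | 4 ++--
-src/builder-module.c | 2 +-
-src/builder-source-shell.c | 2 +-
-4 files changed, 5 insertions(+), 5 deletions(-)
-diff --git a/src/builder-main.c b/src/builder-main.c
-index a177f4b0c8b6..dc6f3e97603a 100644
---- a/src/builder-main.c
-+++ b/src/builder-main.c
-@@ -942,7 +942,7 @@ main (int argc,
-"flatpak",
-"build",
-"--die-with-parent",
-- "--nofilesystem=host",
-+ "--nofilesystem=host:reset",
-fs_app_dir,
-fs_cache,
-"--share=network",
-diff --git a/src/builder-manifest.c b/src/builder-manifest.c
-index 62e7096674fa..ae83e493db52 100644
---- a/src/builder-manifest.c
-+++ b/src/builder-manifest.c
-@@ -2124,7 +2124,7 @@ command (GFile *app_dir,
-g_ptr_array_add (args, g_strdup ("build"));
-g_ptr_array_add (args, g_strdup ("--die-with-parent"));
-- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
-+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
-if (extra_args)
-{
-for (i = 0; extra_args[i] != NULL; i++)
-@@ -2304,7 +2304,7 @@ appstream_compose (GFile *app_dir,
-g_ptr_array_add (args, g_strdup ("flatpak"));
-g_ptr_array_add (args, g_strdup ("build"));
-g_ptr_array_add (args, g_strdup ("--die-with-parent"));
-- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
-+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
-g_ptr_array_add (args, g_file_get_path (app_dir));
-g_ptr_array_add (args, g_strdup ("appstream-compose"));
-diff --git a/src/builder-module.c b/src/builder-module.c
-index 8d1819a3e530..862c247e2fb2 100644
---- a/src/builder-module.c
-+++ b/src/builder-module.c
-@@ -1177,7 +1177,7 @@ setup_build_args (GFile *app_dir,
-builddir = "/run/build/";
-g_ptr_array_add (args, g_strdup_printf ("--env=FLATPAK_BUILDER_BUILDDIR=%s%s", builddir, module_name));
-- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
-+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
-/* We mount the canonical location, because bind-mounts of symlinks don't really work */
-g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
-diff --git a/src/builder-source-shell.c b/src/builder-source-shell.c
-index 152257b12476..8132a5c49d8a 100644
---- a/src/builder-source-shell.c
-+++ b/src/builder-source-shell.c
-@@ -136,7 +136,7 @@ run_script (BuilderContext *context,
-source_dir_path_canonical = realpath (source_dir_path, NULL);
-- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
-+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
-g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
-if (env)
---
-2.35.1
-From 26cab8d7aae2146fa95cf5ad28e286f8034d97dc Mon Sep 17 00:00:00 2001
-From: Alexander Larsson <alexl@redhat.com>
-Date: Tue, 18 Jan 2022 09:58:29 +0100
-Subject: [PATCH 2/2] Allow --nofilesystem=host:reset in flatpak-builder --run
-This adds support for the new host:reset mode. We don't verify
-that the argument is used as carefully as flatpak does, but any
-issue will be reported later when passed to flatpak.
-Co-authored-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 27aa2f5e4508d03178bf905ee7099d6d69a79aa4)
----
-src/builder-flatpak-utils.c | 23 +++++++++++++++++++++--
-1 file changed, 21 insertions(+), 2 deletions(-)
-diff --git a/src/builder-flatpak-utils.c b/src/builder-flatpak-utils.c
-index 53191016047f..89352cdc2fd5 100644
---- a/src/builder-flatpak-utils.c
-+++ b/src/builder-flatpak-utils.c
-@@ -1196,6 +1196,7 @@ typedef enum {
-/* In numerical order of more privs */
-typedef enum {
-+ FLATPAK_FILESYSTEM_MODE_NONE = 0,
-FLATPAK_FILESYSTEM_MODE_READ_ONLY = 1,
-FLATPAK_FILESYSTEM_MODE_READ_WRITE = 2,
-FLATPAK_FILESYSTEM_MODE_CREATE = 3,
-@@ -1770,6 +1771,13 @@ parse_filesystem_flags (const char *filesystem, FlatpakFilesystemMode *mode)
-if (mode)
-*mode = FLATPAK_FILESYSTEM_MODE_CREATE;
-}
-+ else if (g_str_equal (filesystem, "host:reset"))
-+ {
-+ filesystem = "host-reset";
-+
-+ if (mode)
-+ *mode = FLATPAK_FILESYSTEM_MODE_NONE;
-+ }
-return g_strndup (filesystem, len);
-}
-@@ -1810,9 +1818,12 @@ static void
-flatpak_context_remove_filesystem (FlatpakContext *context,
-const char *what)
-{
-+ FlatpakFilesystemMode mode;
-+ g_autofree char *fs = parse_filesystem_flags (what, &mode);
-+
-g_hash_table_insert (context->filesystems,
-- parse_filesystem_flags (what, NULL),
-- NULL);
-+ g_steal_pointer (&fs),
-+ GINT_TO_POINTER (mode));
-}
-static gboolean
-@@ -2222,11 +2233,19 @@ flatpak_context_to_args (FlatpakContext *context,
-g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name));
-}
-+ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", NULL, NULL))
-+ {
-+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
-+ }
-+
-g_hash_table_iter_init (&iter, context->filesystems);
-while (g_hash_table_iter_next (&iter, &key, &value))
-{
-FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
-+ if (g_str_equal (key, "host-reset"))
-+ continue;
-+
-if (mode == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
-g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s:ro", (char *)key));
-else if (mode == FLATPAK_FILESYSTEM_MODE_READ_WRITE)
---
-2.35.1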

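--- /dev/null
+++ b/flatpak-builder-source-archive-source-file-Deprecate-MD5-and-SHA1-ha.patch
@@ -0,0 +1,77 @@
+From dfcc0717abaf30d1c0ac76becbe7e334b6a31a3e Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Mon, 31 Jan 2022 15:16:12 +0100
+Subject: [PATCH] source-archive, source-file: Deprecate MD5 and SHA1 hashes
+... because of their weaknesses, and show a warning suggesting SHA256
+instead.
+The new test cases were removed from this commit to simplify the
+downstream build.
+https://github.com/flatpak/flatpak-builder/pull/459
+https://bugzilla.redhat.com/show_bug.cgi?id=1935509
+---
+src/builder-source-archive.c | 12 ++++++++++++
+src/builder-source-file.c | 12 ++++++++++++
+2 files changed, 24 insertions(+)
+diff --git a/src/builder-source-archive.c b/src/builder-source-archive.c
+index c93f84efc84c..04eafe44cd01 100644
+--- a/src/builder-source-archive.c
++++ b/src/builder-source-archive.c
+@@ -230,11 +230,23 @@ builder_source_archive_set_property (GObject *object,
+case PROP_MD5:
+g_free (self->md5);
+self->md5 = g_value_dup_string (value);
++ if (self->md5 != NULL && self->md5[0] != '\0')
++ {
++ g_printerr ("The \"md5\" source property is deprecated due to the weakness of MD5 hashes.\n");
++ g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++ }
++
+break;
+case PROP_SHA1:
+g_free (self->sha1);
+self->sha1 = g_value_dup_string (value);
++ if (self->sha1 != NULL && self->sha1[0] != '\0')
++ {
++ g_printerr ("The \"sha1\" source property is deprecated due to the weakness of SHA1 hashes.\n");
++ g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++ }
++
+break;
+case PROP_SHA256:
+diff --git a/src/builder-source-file.c b/src/builder-source-file.c
+index 715803d510bb..8a4077246cda 100644
+--- a/src/builder-source-file.c
++++ b/src/builder-source-file.c
+@@ -154,11 +154,23 @@ builder_source_file_set_property (GObject *object,
+case PROP_MD5:
+g_free (self->md5);
+self->md5 = g_value_dup_string (value);
++ if (self->md5 != NULL && self->md5[0] != '\0')
++ {
++ g_printerr ("The \"md5\" source property is deprecated due to the weakness of MD5 hashes.\n");
++ g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++ }
++
+break;
+case PROP_SHA1:
+g_free (self->sha1);
+self->sha1 = g_value_dup_string (value);
++ if (self->sha1 != NULL && self->sha1[0] != '\0')
++ {
++ g_printerr ("The \"sha1\" source property is deprecated due to the weakness of SHA1 hashes.\n");
++ g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++ }
++
+break;
+case PROP_SHA256:
+--
+2.34.1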
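Review bot: The deprecation warnings added in builder_source_archive_set_property and builder_source_file_set_property name the property but not the source that carries it, so in a manifest with many sources the user cannot tell which `md5`/`sha1` entry to replace; consider including an identifier of the offending source (its URL or path, if the object exposes one) in the g_printerr text. The weak digest is still stored and, presumably, still used for download verification when no `sha256` is given, so the warning changes nothing about the integrity check itself — worth stating in the patch description so packagers do not read "deprecated" as "rejected". The two identical warning blocks, duplicated across both files, could share one helper so the wording stays in sync.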

@ -1,10 +1,11 @@
%global debugedit_version 5.0
%global glib2_version 2.44
%global ostree_version 2017.14
%global flatpak_version 0.99.1
Name: flatpak-builder
Version: 1.0.14
Release: 2%{?dist}
Version: 1.2.2
Release: 1%{?dist}
Summary: Tool to build flatpaks from source
# src/builder-utils.c has portions derived from GPLv2+ code,
@ -13,16 +14,16 @@ License: LGPLv2+ and GPLv2+
URL: http://flatpak.org/
Source0: https://github.com/flatpak/flatpak-builder/releases/download/%{version}/%{name}-%{version}.tar.xz
# https://github.com/flatpak/flatpak-builder/pull/464
# https://bugzilla.redhat.com/show_bug.cgi?id=2042007
Patch0: flatpak-builder-CVE-2022-21682.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1935509
Patch0: flatpak-builder-source-archive-source-file-Deprecate-MD5-and-SHA1-ha.patch
BuildRequires: gettext
BuildRequires: debugedit >= %{debugedit_version}
BuildRequires: docbook-dtds
BuildRequires: docbook-style-xsl
BuildRequires: flatpak >= %{flatpak_version}
BuildRequires: elfutils-devel
BuildRequires: libcap-devel
BuildRequires: make
BuildRequires: pkgconfig(glib-2.0) >= %{glib2_version}
BuildRequires: pkgconfig(gobject-introspection-1.0)
BuildRequires: pkgconfig(json-glib-1.0)
@ -34,22 +35,27 @@ BuildRequires: pkgconfig(yaml-0.1)
BuildRequires: /usr/bin/xmlto
BuildRequires: /usr/bin/xsltproc
Requires: debugedit >= %{debugedit_version}
Requires: flatpak%{?_isa} >= %{flatpak_version}
Requires: glib2%{?_isa} >= %{glib2_version}
Requires: ostree-libs%{?_isa} >= %{ostree_version}
Requires: /usr/bin/bzip2
%if ! 0%{?rhel} > 7
# No bzr in latest RHEL
Recommends: /usr/bin/bzr
%endif
Requires: /usr/bin/eu-strip
Requires: /usr/bin/git
Requires: /usr/bin/patch
Requires: /usr/bin/rofiles-fuse
Requires: /usr/bin/strip
Recommends: /usr/bin/svn
Requires: /usr/bin/tar
Requires: /usr/bin/unzip
# Recommend various things that may or may not be needed depending on the code being built
Recommends: /usr/bin/bzip2
Recommends: /usr/bin/eu-strip
Recommends: /usr/bin/git
Recommends: /usr/bin/patch
Recommends: /usr/bin/strip
Recommends: /usr/bin/tar
Recommends: /usr/bin/unzip
Recommends: /usr/bin/zstd
Recommends: ccache
# Uncommon enough that we don't want to pull them in by default
#Recommends: /usr/bin/bzr
#Recommends: /usr/bin/lzip
#Recommends: /usr/bin/svn
%description
Flatpak-builder is a tool for building flatpaks from sources.
@ -63,7 +69,9 @@ See http://flatpak.org/ for more information.
%build
%configure \
--enable-docbook-docs
--enable-docbook-docs \
--with-fuse=2 \
--with-system-debugedit
%make_build V=1
@ -81,20 +89,80 @@ See http://flatpak.org/ for more information.
%changelog
* Fri Apr 01 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-2
- Fix CVE-2022-21682 (#2042007)
* Mon Feb 07 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.2.2-1
- Rebase to 1.2.2
Resolves: #1999742
* Wed Feb 02 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-2
- Deprecate MD5 and SHA1 hashes
Resolves: #1935509
* Thu Sep 23 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-1
- Update to 1.0.14
Resolves: #2006557
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.12-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.12-4
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Mar 29 2021 Kalev Lember <klember@redhat.com> - 1.0.12-3
- Remove bzr, lzip and svn recommends as they are not common enough
* Thu Mar 25 2021 Kalev Lember <klember@redhat.com> - 1.0.12-2
- Recommend all the archive handlers etc, instead of hard requiring
* Wed Feb 17 2021 Kalev Lember <klember@redhat.com> - 1.0.12-1
- Update to 1.0.12
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.10-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Dec 08 2020 Bastien Nocera <bnocera@redhat.com> - 1.0.10-3
+ flatpak-builder-1.0.10-3
- Require ccache on Fedora where it is available
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Mar 09 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-1
- Update to 1.0.14 (#2047312)
* Fri Mar 20 2020 Kalev Lember <klember@redhat.com> - 1.0.10-1
- Update to 1.0.10
* Tue Feb 25 2020 David King <dking@redhat.com> - 1.0.9-3
- Use elfutils instead of libdwarf (#1613030)
* Tue Feb 25 2020 David King <amigadave@amigadave.com> - 1.0.9-3
- Use elfutils instead of libdwarf
* Fri Nov 08 2019 David King <dking@redhat.com> - 1.0.9-2
- Drop Requires on lzip (#1748290)
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Nov 08 2019 David King <dking@redhat.com> - 1.0.9-1
- Rebase to 1.0.9 (#1748290)
* Sat Sep 14 2019 David King <amigadave@amigadave.com> - 1.0.9-1
- Update to 1.0.9
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri May 10 2019 Kalev Lember <klember@redhat.com> - 1.0.7-1
- Update to 1.0.7
* Fri Feb 08 2019 Kalev Lember <klember@redhat.com> - 1.0.5-1
- Update to 1.0.5
* Tue Feb 05 2019 Kalev Lember <klember@redhat.com> - 1.0.4-1
- Update to 1.0.4
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Jan 30 2019 David King <amigadave@amigadave.com> - 1.0.3-2
- Add dependency on lzip
* Mon Jan 28 2019 David King <amigadave@amigadave.com> - 1.0.3-1
- Update to 1.0.3
* Tue Jan 15 2019 Kalev Lember <klember@redhat.com> - 1.0.2-1
- Update to 1.0.2
- Change bzr requires to recommends
* Tue Oct 16 2018 Kalev Lember <klember@redhat.com> - 1.0.1-2
- Change svn requires to recommends (#1639355)
@ -105,8 +173,65 @@ See http://flatpak.org/ for more information.
* Mon Aug 20 2018 David King <amigadave@amigadave.com> - 1.0.0-1
- Update to 1.0.0
* Mon Aug 13 2018 Kalev Lember <klember@redhat.com> - 0.99.3-2
* Mon Aug 13 2018 Kalev Lember <klember@redhat.com> - 0.99.3-4
- Update license to "LGPLv2+ and GPLv2+"
* Thu Aug 02 2018 David King <dking@redhat.com> - 0.99.3-1
- Import from Fedora
* Tue Jul 31 2018 Florian Weimer <fweimer@redhat.com> - 0.99.3-3
- Rebuild with fixed binutils
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.99.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jul 10 2018 Kalev Lember <klember@redhat.com> - 0.99.3-1
- Update to 0.99.3
* Wed Jun 27 2018 Kalev Lember <klember@redhat.com> - 0.99.2-1
- Update to 0.99.2
* Mon Jun 25 2018 David King <amigadave@amigadave.com> - 0.99.1-1
- Update to 0.99.1
* Fri Apr 27 2018 David King <amigadave@amigadave.com> - 0.10.10-2
- Add some extra dependencies
* Thu Apr 26 2018 Kalev Lember <klember@redhat.com> - 0.10.10-1
- Update to 0.10.10
* Mon Feb 19 2018 David King <amigadave@amigadave.com> - 0.10.9-1
- Update to 0.10.9
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Dec 15 2017 Kalev Lember <klember@redhat.com> - 0.10.6-1
- Update to 0.10.6
* Tue Nov 28 2017 David King <amigadave@amigadave.com> - 0.10.5-1
- Update to 0.10.5
* Mon Nov 06 2017 Kalev Lember <klember@redhat.com> - 0.10.4-1
- Update to 0.10.4
* Tue Oct 31 2017 David King <amigadave@amigadave.com> - 0.10.3-1
- Update to 0.10.3
* Mon Oct 30 2017 David King <amigadave@amigadave.com> - 0.10.2-1
- Update to 0.10.2
* Fri Oct 27 2017 Kalev Lember <klember@redhat.com> - 0.10.1-1
- Update to 0.10.1
* Thu Oct 26 2017 Kalev Lember <klember@redhat.com> - 0.10.0-1
- Update to 0.10.0
* Mon Oct 09 2017 Kalev Lember <klember@redhat.com> - 0.9.99-1
- Update to 0.9.99
* Mon Sep 25 2017 Kalev Lember <klember@redhat.com> - 0.9.98-1
- Update to 0.9.98
* Wed Sep 13 2017 Kalev Lember <klember@redhat.com> - 0.9.11-1
- Update to 0.9.11
* Mon Sep 04 2017 Kalev Lember <klember@redhat.com> - 0.9.9-1
- Initial flatpak-builder package
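Review bot: The `Requires: flatpak%{?_isa} >= %{flatpak_version}` floor stays at 0.99.1 (`%global flatpak_version 0.99.1` is unchanged context at the top of the spec) while the rebase drops the local CVE-2022-21682 patch, whose own description states that `--nofilesystem=host:reset` is ignored by older Flatpak and leaves flatpak-builder vulnerable in that case. If 1.2.2 carries the same upstream fix — presumably why the patch is dropped, though the 1.2.2-1 changelog entry does not say — the package should require a Flatpak release that understands the `:reset` suffix, otherwise the mitigation is not effective on the installed system. Suggest raising `%global flatpak_version` to that release ([FLATPAK_VERSION — to be confirmed against the upstream fix]) and adding `- Drop CVE-2022-21682 patch, fixed upstream` to the 1.2.2-1 changelog entry.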
