


@ -1 +1 @@
41429400eab33868b6c6045fe235e86e1086a056 SOURCES/flatpak-1.12.9.tar.xz b72524c06a83314b975ef618f63ee33506989e39 SOURCES/flatpak-1.15.8.tar.xz

.gitignore vendored

@ -1 +1 @@
SOURCES/flatpak-1.12.9.tar.xz SOURCES/flatpak-1.15.8.tar.xz

@ -1,330 +0,0 @@
From 8451fa0ae30397b83705a193aa0d3f7752486dda Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Mon, 3 Jun 2024 12:22:30 +0200
Subject: [PATCH 1/4] Don't follow symlinks when mounting persisted directories
These directories are in a location under application control, so we
can't trust them to not be a symlink outside of the files accessibe to
the application.
Continue to treat --persist=/foo as --persist=foo for backwards compat,
since this is how it (accidentally) worked before, but print a warning.
Don't allow ".." elements in persist paths: these would not be useful
anyway, and are unlikely to be in use, however they could potentially
be used to confuse the persist path handling.
This partially addresses CVE-2024-42472. If only one instance of the
malicious or compromised app is run at a time, the vulnerability
is avoided. If two instances can run concurrently, there is a
time-of-check/time-of-use issue remaining, which can only be resolved
with changes to bubblewrap; this will be resolved in a separate commit,
because the bubblewrap dependency might be more difficult to provide in
LTS distributions.
Helps: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
[smcv: Use g_warning() if unable to create --persist paths]
[smcv: Use stat() to detect symlinks and warn about them]
[smcv: Use glnx_steal_fd() for portability to older GLib]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-context.c | 108 +++++++++++++++++++++++++++++++++++++--
1 file changed, 105 insertions(+), 3 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 53b79807..8c784acf 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -2686,6 +2686,90 @@ flatpak_context_get_exports_full (FlatpakContext *context,
return g_steal_pointer (&exports);
}
+/* This creates zero or more directories unders base_fd+basedir, each
+ * being guaranteed to either exist and be a directory (no symlinks)
+ * or be created as a directory. The last directory is opened
+ * and the fd is returned.
+ */
+static gboolean
+mkdir_p_open_nofollow_at (int base_fd,
+ const char *basedir,
+ int mode,
+ const char *subdir,
+ int *out_fd,
+ GError **error)
+{
+ glnx_autofd int parent_fd = -1;
+
+ if (g_path_is_absolute (subdir))
+ {
+ const char *skipped_prefix = subdir;
+
+ while (*skipped_prefix == '/')
+ skipped_prefix++;
+
+ g_warning ("--persist=\"%s\" is deprecated, treating it as --persist=\"%s\"", subdir, skipped_prefix);
+ subdir = skipped_prefix;
+ }
+
+ g_autofree char *subdir_dirname = g_path_get_dirname (subdir);
+
+ if (strcmp (subdir_dirname, ".") == 0)
+ {
+ /* It is ok to open basedir with follow=true */
+ if (!glnx_opendirat (base_fd, basedir, TRUE, &parent_fd, error))
+ return FALSE;
+ }
+ else if (strcmp (subdir_dirname, "..") == 0)
+ {
+ return glnx_throw (error, "'..' not supported in --persist paths");
+ }
+ else
+ {
+ if (!mkdir_p_open_nofollow_at (base_fd, basedir, mode,
+ subdir_dirname, &parent_fd, error))
+ return FALSE;
+ }
+
+ g_autofree char *subdir_basename = g_path_get_basename (subdir);
+
+ if (strcmp (subdir_basename, ".") == 0)
+ {
+ *out_fd = glnx_steal_fd (&parent_fd);
+ return TRUE;
+ }
+ else if (strcmp (subdir_basename, "..") == 0)
+ {
+ return glnx_throw (error, "'..' not supported in --persist paths");
+ }
+
+ if (!glnx_shutil_mkdir_p_at (parent_fd, subdir_basename, mode, NULL, error))
+ return FALSE;
+
+ int fd = openat (parent_fd, subdir_basename, O_PATH | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW);
+ if (fd == -1)
+ {
+ int saved_errno = errno;
+ struct stat stat_buf;
+
+ /* If it's a symbolic link, that could be a user trying to offload
+ * large data to another filesystem, but it could equally well be
+ * a malicious or compromised app trying to exploit GHSA-7hgv-f2j8-xw87.
+ * Produce a clearer error message in this case.
+ * Unfortunately the errno we get in this case is ENOTDIR, so we have
+ * to ask again to find out whether it's really a symlink. */
+ if (saved_errno == ENOTDIR &&
+ fstatat (parent_fd, subdir_basename, &stat_buf, AT_SYMLINK_NOFOLLOW) == 0 &&
+ S_ISLNK (stat_buf.st_mode))
+ return glnx_throw (error, "Symbolic link \"%s\" not allowed to avoid sandbox escape", subdir_basename);
+
+ return glnx_throw_errno_prefix (error, "openat(%s)", subdir_basename);
+ }
+
+ *out_fd = fd;
+ return TRUE;
+}
+
void
flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
FlatpakBwrap *bwrap,
@@ -2709,12 +2793,30 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
while (g_hash_table_iter_next (&iter, &key, NULL))
{
const char *persist = key;
- g_autofree char *src = g_build_filename (g_get_home_dir (), ".var/app", app_id, persist, NULL);
+ g_autofree char *appdir = g_build_filename (g_get_home_dir (), ".var/app", app_id, NULL);
g_autofree char *dest = g_build_filename (g_get_home_dir (), persist, NULL);
+ g_autoptr(GError) local_error = NULL;
+
+ if (g_mkdir_with_parents (appdir, 0755) != 0)
+ {
+ g_warning ("Unable to create directory %s", appdir);
+ continue;
+ }
+
+ /* Don't follow symlinks from the persist directory, as it is under user control */
+ glnx_autofd int src_fd = -1;
+ if (!mkdir_p_open_nofollow_at (AT_FDCWD, appdir, 0755,
+ persist, &src_fd,
+ &local_error))
+ {
+ g_warning ("Failed to create persist path %s: %s", persist, local_error->message);
+ continue;
+ }
- g_mkdir_with_parents (src, 0755);
+ g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src, dest);
+ flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
+ flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
}
}
--
2.46.0
From 5462c9b1e1a34b1104c8a0843a10382e90c9bb6b Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Mon, 3 Jun 2024 12:59:05 +0200
Subject: [PATCH 2/4] Add test coverage for --persist
This adds three "positive" tests: the common case --persist=.persist, the
deprecated spelling --persist=/.persist, and the less common special case
--persist=. as used by Steam.
It also adds "negative" tests for CVE-2024-42472: if the --persist
directory is a symbolic link or contains path segment "..", we want that
to be rejected.
Reproduces: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Add "positive" tests]
[smcv: Exercise --persist=..]
[smcv: Assert that --persist with a symlink produces expected message]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
tests/test-run.sh | 41 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/tests/test-run.sh b/tests/test-run.sh
index dd371df3..bca0845d 100644
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -24,7 +24,7 @@ set -euo pipefail
skip_without_bwrap
skip_revokefs_without_fuse
-echo "1..20"
+echo "1..21"
# Use stable rather than master as the branch so we can test that the run
# command automatically finds the branch correctly
@@ -512,3 +512,42 @@ ${FLATPAK} ${U} info -m org.test.App > out
assert_file_has_content out "^sdk=org\.test\.Sdk/$(flatpak --default-arch)/stable$"
ok "--sdk option"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+run --command=sh --persist=.persist org.test.Hello -c 'echo can-persist > .persist/rc'
+sed -e 's,^,#--persist=.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
+
+ok "--persist=.persist persists a directory"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+# G_DEBUG= to avoid the deprecation warning being fatal
+G_DEBUG= run --command=sh --persist=/.persist org.test.Hello -c 'echo can-persist > .persist/rc'
+sed -e 's,^,#--persist=/.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
+
+ok "--persist=/.persist is a deprecated form of --persist=.persist"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+run --command=sh --persist=. org.test.Hello -c 'echo can-persist > .persistrc'
+sed -e 's,^,#--persist=.# ,g' < "$HOME/.var/app/org.test.Hello/.persistrc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persistrc" "can-persist"
+
+ok "--persist=. persists all files"
+
+mkdir "${TEST_DATA_DIR}/inaccessible"
+echo FOO > ${TEST_DATA_DIR}/inaccessible/secret-file
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+ln -fns "${TEST_DATA_DIR}/inaccessible" "$HOME/.var/app/org.test.Hello/persist"
+# G_DEBUG= to avoid the warnings being fatal when we reject a --persist option.
+# LC_ALL=C so we get the expected non-localized string.
+LC_ALL=C G_DEBUG= run --command=ls --persist=persist --persist=relative/../escape org.test.Hello -la ~/persist &> hello_out || true
+sed -e 's,^,#--persist=symlink# ,g' < hello_out >&2
+assert_file_has_content hello_out "not allowed to avoid sandbox escape"
+assert_not_file_has_content hello_out "secret-file"
+
+ok "--persist doesn't allow sandbox escape via a symlink (CVE-2024-42472)"
--
2.46.0
From 04d8ad3009cd8a4350fba6cf7cc6c7819ccdfd34 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Mon, 12 Aug 2024 19:48:18 +0100
Subject: [PATCH 3/4] build: Require a version of bubblewrap with the --bind-fd
option
We need this for the --bind-fd option, which will close a race
condition in our solution to CVE-2024-42472.
For this stable branch, check the --help output for a --bind-fd option
instead of requiring a specific version number, to accommodate possible
backports in LTS distributions.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
configure.ac | 3 +++
1 file changed, 3 insertions(+)
diff --git a/configure.ac b/configure.ac
index 0a44e11a..0c8e2d0e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -175,6 +175,9 @@ if test "x$BWRAP" != xfalse; then
BWRAP_VERSION=`$BWRAP --version | sed 's,.*\ \([0-9]*\.[0-9]*\.[0-9]*\)$,\1,'`
AX_COMPARE_VERSION([$SYSTEM_BWRAP_REQS],[gt],[$BWRAP_VERSION],
[AC_MSG_ERROR([You need at least version $SYSTEM_BWRAP_REQS of bubblewrap to use the system installed version])])
+ AS_IF([$BWRAP --help | grep '@<:@-@:>@-bind-fd' >/dev/null],
+ [:],
+ [AC_MSG_ERROR([$BWRAP does not list required option --bind-fd in its --help])])
AM_CONDITIONAL([WITH_SYSTEM_BWRAP], [true])
else
AC_CHECK_LIB(cap, cap_from_text, CAP_LIB=-lcap)
--
2.46.0
From 2772f19e50c0e809dde8cf3c105d90ee8baf4fa8 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 14 Aug 2024 13:44:30 +0100
Subject: [PATCH 4/4] persist directories: Pass using new bwrap --bind-fd
option
Instead of passing a /proc/self/fd bind mount we use --bind-fd, which
has two advantages:
* bwrap closes the fd when used, so it doesn't leak into the started app
* bwrap ensures that what was mounted was the passed in fd (same dev/ino),
as there is a small (required) gap between symlink resolve and mount
where the target path could be replaced.
Please note that this change requires an updated version of bubblewrap.
Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-context.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 8c784acf..baa62728 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -2813,10 +2813,10 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
continue;
}
- g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
+ g_autofree char *src_via_proc = g_strdup_printf ("%d", src_fd);
flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
+ flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest);
}
}
--
2.46.0

@ -1,38 +0,0 @@
From 7dd160f33054863b1ea6f75ac279a42121a16430 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Mon, 31 Jan 2022 21:17:29 +0100
Subject: [PATCH] dir: Use SHA256, not SHA1, to name the cache for a filtered
remote
SHA1 hashes are considered weak these days. Some distributions have
static analysis tools to detect the use of such weak hashes, and they
get triggered by flatpak. While this particular use of SHA1 in flatpak
is likely not security sensitive, it's also easy to move to SHA256 to
avoid any debate.
Here, the SHA1 hash of a named remote's filter file is used to generate
the name of the directory where the refs from that remote are cached.
One can reasonably assume that the cache is frequently invalidated
because the list of refs on the remote changes all the time. Hence,
it's not big problem if it gets invalidated once more because of this
change.
---
common/flatpak-dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 18384bd432fc..c6d08e85b41f 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -10923,7 +10923,7 @@ remote_filter_load (GFile *path, GError **error)
}
filter = g_new0 (RemoteFilter, 1);
- filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA1, (guchar *)data, data_size);
+ filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA256, (guchar *)data, data_size);
filter->path = g_object_ref (path);
filter->mtime = mtime;
filter->last_mtime_check = g_get_monotonic_time ();
--
2.34.1

@ -0,0 +1 @@
u flatpak - "Flatpak system helper" -

@ -1,13 +1,22 @@
%global bubblewrap_version 0.4.1-8 %global appstream_version 1.0.0~
%global bubblewrap_version 0.8.0
%global glib_version 2.46.0
%global gpgme_version 1.8.0
%global libcurl_version 7.29.0
%global ostree_version 2020.8 %global ostree_version 2020.8
%global wayland_protocols_version 1.32
%global wayland_scanner_version 1.15
# Disable parental control for RHEL builds
%bcond malcontent %[!0%{?rhel}]
Name: flatpak Name: flatpak
Version: 1.12.9 Version: 1.15.8
Release: 3%{?dist} Release: 2%{?dist}
Summary: Application deployment framework for desktop apps Summary: Application deployment framework for desktop apps
License: LGPLv2+ License: LGPL-2.1-or-later
URL: http://flatpak.org/ URL: https://flatpak.org/
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
%if 0%{?fedora} %if 0%{?fedora}
@ -15,43 +24,66 @@ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/
Source1: flatpak-add-fedora-repos.service Source1: flatpak-add-fedora-repos.service
%endif %endif
# https://bugzilla.redhat.com/show_bug.cgi?id=1935508 # systemd-sysusers config. Only used for the %%pre macro. Must be kept in sync
Patch0: flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch # with the config from upstream sources.
# Backported upstream patch for CVE-2024-42472 Source2: flatpak.sysusers.conf
Patch1: flatpak-1.12.x-CVE-2024-42472.patch
# ostree not on i686 for RHEL 10
# https://github.com/containers/composefs/pull/229#issuecomment-1838735764
%if 0%{?rhel} >= 10
ExcludeArch: %{ix86}
%endif
BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(appstream) >= %{appstream_version}
BuildRequires: pkgconfig(dconf) BuildRequires: pkgconfig(dconf)
BuildRequires: pkgconfig(fuse) BuildRequires: pkgconfig(fuse3)
BuildRequires: pkgconfig(gdk-pixbuf-2.0) BuildRequires: pkgconfig(gdk-pixbuf-2.0)
BuildRequires: pkgconfig(gio-unix-2.0) BuildRequires: pkgconfig(gio-unix-2.0) >= %{glib_version}
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0 BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
BuildRequires: pkgconfig(gpgme) BuildRequires: pkgconfig(gpgme) >= %{gpgme_version}
BuildRequires: pkgconfig(json-glib-1.0) BuildRequires: pkgconfig(json-glib-1.0)
BuildRequires: pkgconfig(libarchive) >= 2.8.0 BuildRequires: pkgconfig(libarchive) >= 2.8.0
BuildRequires: pkgconfig(libseccomp) BuildRequires: pkgconfig(libseccomp)
BuildRequires: pkgconfig(libsoup-2.4) BuildRequires: pkgconfig(libcurl) >= %{libcurl_version}
BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libxml-2.0) >= 2.4 BuildRequires: pkgconfig(libxml-2.0) >= 2.4
BuildRequires: pkgconfig(libzstd) >= 0.8.1 BuildRequires: pkgconfig(libzstd) >= 0.8.1
%if %{with malcontent}
BuildRequires: pkgconfig(malcontent-0)
%endif
BuildRequires: pkgconfig(ostree-1) >= %{ostree_version} BuildRequires: pkgconfig(ostree-1) >= %{ostree_version}
BuildRequires: pkgconfig(polkit-gobject-1) BuildRequires: pkgconfig(polkit-gobject-1)
BuildRequires: pkgconfig(wayland-client)
BuildRequires: pkgconfig(wayland-protocols) >= %{wayland_protocols_version}
BuildRequires: pkgconfig(wayland-scanner) >= %{wayland_scanner_version}
BuildRequires: pkgconfig(xau) BuildRequires: pkgconfig(xau)
BuildRequires: bison BuildRequires: bison
BuildRequires: bubblewrap >= %{bubblewrap_version} BuildRequires: bubblewrap >= %{bubblewrap_version}
BuildRequires: docbook-dtds BuildRequires: docbook-dtds
BuildRequires: docbook-style-xsl BuildRequires: docbook-style-xsl
BuildRequires: gettext BuildRequires: gettext-devel
BuildRequires: gtk-doc
BuildRequires: libcap-devel BuildRequires: libcap-devel
BuildRequires: meson
BuildRequires: python3-pyparsing BuildRequires: python3-pyparsing
BuildRequires: systemd BuildRequires: systemd
BuildRequires: systemd-rpm-macros
BuildRequires: /usr/bin/fusermount3
BuildRequires: /usr/bin/pkcheck
BuildRequires: /usr/bin/socat
BuildRequires: /usr/bin/xdg-dbus-proxy BuildRequires: /usr/bin/xdg-dbus-proxy
BuildRequires: /usr/bin/xmlto BuildRequires: /usr/bin/xmlto
BuildRequires: /usr/bin/xsltproc BuildRequires: /usr/bin/xsltproc
%{?sysusers_requires_compat}
Requires: appstream%{?_isa} >= %{appstream_version}
Requires: bubblewrap >= %{bubblewrap_version} Requires: bubblewrap >= %{bubblewrap_version}
Requires: glib2%{?_isa} >= %{glib_version}
Requires: libcurl%{?_isa} >= %{libcurl_version}
Requires: librsvg2%{?_isa} Requires: librsvg2%{?_isa}
Requires: ostree-libs%{?_isa} >= %{ostree_version} Requires: ostree-libs%{?_isa} >= %{ostree_version}
Requires: /usr/bin/fusermount3
Requires: /usr/bin/xdg-dbus-proxy Requires: /usr/bin/xdg-dbus-proxy
# https://fedoraproject.org/wiki/SELinux/IndependentPolicy # https://fedoraproject.org/wiki/SELinux/IndependentPolicy
Requires: (flatpak-selinux = %{?epoch:%{epoch}:}%{version}-%{release} if selinux-policy-targeted) Requires: (flatpak-selinux = %{?epoch:%{epoch}:}%{version}-%{release} if selinux-policy-targeted)
@ -72,26 +104,24 @@ more information.
%package devel %package devel
Summary: Development files for %{name} Summary: Development files for %{name}
License: LGPLv2+ Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
Requires: %{name}%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description devel %description devel
This package contains the pkg-config file and development headers for %{name}. This package contains the pkg-config file and development headers for %{name}.
%package libs %package libs
Summary: Libraries for %{name} Summary: Libraries for %{name}
License: LGPLv2+
Requires: bubblewrap >= %{bubblewrap_version} Requires: bubblewrap >= %{bubblewrap_version}
Requires: ostree%{?_isa} >= %{ostree_version} # We can assume ostree is installed on ostree systems
Requires(pre): /usr/sbin/useradd # So do not enforce it on non-ostree ones
Requires: ostree-libs%{?_isa} >= %{ostree_version}
%description libs %description libs
This package contains libflatpak. This package contains libflatpak.
%package selinux %package selinux
Summary: SELinux policy module for %{name} Summary: SELinux policy module for %{name}
License: LGPLv2+
BuildRequires: selinux-policy BuildRequires: selinux-policy
BuildRequires: selinux-policy-devel BuildRequires: selinux-policy-devel
BuildRequires: make BuildRequires: make
@ -103,7 +133,6 @@ This package contains the SELinux policy module for %{name}.
%package session-helper %package session-helper
Summary: User D-Bus service used by %{name} and others Summary: User D-Bus service used by %{name} and others
License: LGPLv2+
Conflicts: flatpak < 1.4.1-2 Conflicts: flatpak < 1.4.1-2
Requires: systemd Requires: systemd
@ -113,10 +142,9 @@ that's used by %{name} and other packages.
%package tests %package tests
Summary: Tests for %{name} Summary: Tests for %{name}
License: LGPLv2+ Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
Requires: %{name}%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-session-helper%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
Requires: %{name}-session-helper%{?_isa} = %{version}-%{release}
Requires: bubblewrap >= %{bubblewrap_version} Requires: bubblewrap >= %{bubblewrap_version}
Requires: ostree%{?_isa} >= %{ostree_version} Requires: ostree%{?_isa} >= %{ostree_version}
@ -129,32 +157,27 @@ This package contains installed tests for %{name}.
%build %build
# gobject introspection does not work with LTO. There is an effort to fix this %meson \
# in the appropriate project upstreams, so hopefully LTO can be enabled someday -Dinstalled_tests=true \
# Disable LTO. -Dsystem_bubblewrap=/usr/bin/bwrap \
%define _lto_cflags %{nil} -Dsystem_dbus_proxy=/usr/bin/xdg-dbus-proxy \
-Dtmpfilesdir=%{_tmpfilesdir} \
(if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi; %if %{with malcontent}
# Generate consistent IDs between runs to avoid multilib problems. -Dmalcontent=enabled \
export XMLTO_FLAGS="--stringparam generate.consistent.ids=1" %else
%configure \ -Dmalcontent=disabled \
--enable-docbook-docs \ %endif
--enable-installed-tests \ -Dwayland_security_context=enabled \
--enable-selinux-module \ %{nil}
--with-priv-mode=none \ %meson_build
--with-system-bubblewrap \
--with-system-dbus-proxy \
$CONFIGFLAGS)
%make_build V=1
%install %install
%make_install %meson_install
install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir} install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir}
# The system repo is not installed by the flatpak build system. # The system repo is not installed by the flatpak build system.
install -d %{buildroot}%{_localstatedir}/lib/flatpak install -d %{buildroot}%{_localstatedir}/lib/flatpak
install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
rm -f %{buildroot}%{_libdir}/libflatpak.la
%if 0%{?fedora} %if 0%{?fedora}
install -D -t %{buildroot}%{_unitdir} %{SOURCE1} install -D -t %{buildroot}%{_unitdir} %{SOURCE1}
@ -162,18 +185,8 @@ install -D -t %{buildroot}%{_unitdir} %{SOURCE1}
%find_lang %{name} %find_lang %{name}
# Work around selinux denials, see
# https://github.com/flatpak/flatpak/issues/4128 for details. Note that we are
# going to need the system env generator if we should enable malcontent support
# in the future.
rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only
%pre %pre
getent group flatpak >/dev/null || groupadd -r flatpak %sysusers_create_compat %{SOURCE2}
getent passwd flatpak >/dev/null || \
useradd -r -g flatpak -d / -s /sbin/nologin \
-c "User for flatpak system helper" flatpak
exit 0
%if 0%{?fedora} %if 0%{?fedora}
@ -235,15 +248,19 @@ fi
%{_mandir}/man5/flatpak-flatpakrepo.5* %{_mandir}/man5/flatpak-flatpakrepo.5*
%{_mandir}/man5/flatpak-installation.5* %{_mandir}/man5/flatpak-installation.5*
%{_mandir}/man5/flatpak-remote.5* %{_mandir}/man5/flatpak-remote.5*
%{_mandir}/man5/flatpakref.5*
%{_mandir}/man5/flatpakrepo.5*
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf %{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
%dir %{_sysconfdir}/flatpak %dir %{_sysconfdir}/flatpak
%{_sysconfdir}/flatpak/remotes.d %{_sysconfdir}/flatpak/remotes.d
%{_sysconfdir}/profile.d/flatpak.sh %{_sysconfdir}/profile.d/flatpak.sh
%{_sysusersdir}/flatpak.conf %{_sysusersdir}/%{name}.conf
%{_unitdir}/flatpak-system-helper.service %{_unitdir}/flatpak-system-helper.service
%{_userunitdir}/flatpak-oci-authenticator.service %{_userunitdir}/flatpak-oci-authenticator.service
%{_userunitdir}/flatpak-portal.service %{_userunitdir}/flatpak-portal.service
%{_systemd_system_env_generator_dir}/60-flatpak-system-only
%{_systemd_user_env_generator_dir}/60-flatpak %{_systemd_user_env_generator_dir}/60-flatpak
%{_tmpfilesdir}/%{name}.conf
%if 0%{?fedora} %if 0%{?fedora}
%{_unitdir}/flatpak-add-fedora-repos.service %{_unitdir}/flatpak-add-fedora-repos.service
@ -278,75 +295,147 @@ fi
%changelog %changelog
* Wed Sep 04 2024 Kalev Lember <klember@redhat.com> - 1.12.9-3 * Tue Nov 26 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 1.15.8-2
- Fix previous changelog entry - Rebuilt for MSVSphere 10
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.15.8-2
- Bump release for June 2024 mass rebuild
* Fri Jun 07 2024 Kalev Lember <klember@redhat.com> - 1.15.8-1
- Update to 1.15.8 (CVE-2024-32462)
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.15.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.15.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Nov 16 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.15.6-1
- Update to 1.15.6 (#2249763)
* Tue Nov 07 2023 Neal Gompa <ngompa@fedoraproject.org> - 1.15.4-5
- Fix appstream_version macro for prerelease appstream 1.0 package
* Tue Nov 07 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.15.4-4
- Adjust to Appstream 1.0 API changes
- Fix Appstream regression in 'remote-info'
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.15.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jun 22 2023 Tomas Popela <tpopela@redhat.com> - 1.15.4-2
- Disable parental control support (through malcontent) on RHEL
* Fri Mar 17 2023 David King <amigadave@amigadave.com> - 1.15.4-1
- Update to 1.15.4
* Mon Sep 02 2024 Kalev Lember <klember@redhat.com> - 1.12.9-2 * Thu Feb 23 2023 David King <amigadave@amigadave.com> - 1.15.3-1
- Backport upstream patches for CVE-2024-42472 - Update to 1.15.3 (#2120890)
- Require bubblewrap version that has new --bind-fd option backported for
addressing CVE-2024-42472
* Tue Apr 30 2024 Kalev Lember <klember@redhat.com> - 1.12.9-1 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.15.1-3
- Update to 1.12.9 (CVE-2024-32462) - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.12.8-1 * Fri Jan 06 2023 David King <amigadave@amigadave.com> - 1.15.1-2
- Update to 1.12.8 (CVE-2023-28100, CVE-2023-28101) - Require fusermount (#2158474)
Resolves: #2180312, #2221792
* Mon Jun 27 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.7-2 * Tue Dec 13 2022 David King <amigadave@amigadave.com> - 1.15.1-1
- Let flatpak own %%{_sysconfdir}/flatpak - Update to 1.15.1
Resolves: #2101456
* Thu Mar 17 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.7-1 * Thu Dec 08 2022 David King <amigadave@amigadave.com> - 1.14.1-1
- Update to 1.12.7 - Update to 1.14.1 (#2151850)
Resolves: #2058633
* Mon Mar 07 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.5-2 * Thu Sep 15 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 1.14.0-2
- Cope better with /var/lib/flatpak existing but being empty - Refresh gssproxy patch to use new socket path
Resolves: #2062806
* Sun Feb 20 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.5-1 * Wed Sep 07 2022 Kalev Lember <klember@redhat.com> - 1.14.0-1
- Update to 1.12.5 - Update to 1.14.0
Resolves: #2054215
* Fri Aug 19 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.3-6
- Use %%sysusers_requires_compat to match %%sysusers_create_compat
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jul 14 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.3-4
- Avoid SELinux denials caused by reading symbolic links in /var/lib/flatpak
* Sun Jun 26 2022 Ralf Corsépius <corsepiu@fedoraproject.org> - 1.13.3-3
- Let flatpak own %%{_sysconfdir}/flatpak (RHBZ#2101073).
* Fri Jun 17 2022 David King <amigadave@amigadave.com> - 1.13.3-2
- Add gssproxy support
* Fri Jun 17 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.3-1
- Update to 1.13.3
- Remove downstream patch for gssproxy support until it gets rebased
* Tue Jun 07 2022 David King <amigadave@amigadave.com> - 1.13.2-4
- Add gssproxy support
* Tue May 17 2022 Timothée Ravier <tim@siosm.fr> - 1.13.2-3
- Use sysusers_create_compat macro to create user & group.
* Tue Apr 12 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.2-2
- Avoid SELinux denials caused by read access to /etc/passwd, watching files
inside /usr/libexec and read access to /var/lib/flatpak
* Thu Mar 17 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.2-1
- Update to 1.13.2 (#2064038)
* Sat Mar 12 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.1-1
- Update to 1.13.1 (#2059784)
* Wed Mar 02 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.6-2
- Specify the %%{epoch} consistently
* Fri Feb 25 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.6-1
- Update to 1.12.6 (#2053655)
* Mon Feb 14 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.5-1
- Update to 1.12.5 (#2032528)
* Tue Feb 08 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.4-2 * Tue Feb 08 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.4-2
- Don't try to add Fedora's OCI Flatpak repository on RHEL - Don't try to add Fedora's OCI Flatpak repository on RHEL
- Remove an obsolete Fedora-specific update path - Remove an obsolete Fedora-specific update path
Resolves: #2051697
* Mon Feb 07 2022 Neal Gompa <ngompa@centosproject.org> - 1.12.4-1 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.12.4-2
- Rebase to 1.12.4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
Resolves: #2050302
* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-2 * Tue Jan 18 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.4-1
- Use SHA256, not SHA1, to name the cache for a filtered remote - Update to 1.12.4 (#2042071)
Resolves: #1935508
* Wed Feb 02 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1 * Fri Jan 14 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.3-1
- Update to 1.10.7 (CVE-2021-43860) - Update to 1.12.3 (#2040094)
Resolves: #2041973
* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.10.5-1 * Wed Oct 13 2021 David King <amigadave@amigadave.com> - 1.12.2-1
- Update to 1.10.5 (CVE-2021-41133) - Update to 1.12.2 (#2013492)
Resolves: #2012862
* Wed Sep 22 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.10.3-1 * Fri Oct 08 2021 David King <amigadave@amigadave.com> - 1.12.1-1
- Update to 1.10.3 - Update to 1.12.1 (#2012273)
Resolves: #2006554
* Sat Aug 28 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.10.2-6 * Fri Oct 08 2021 David King <amigadave@amigadave.com> - 1.12.0-1
- Fix local deploys using system helper - Update to 1.12.0 (#2012246)
Resolves: #1982304
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.10.2-5 * Thu Sep 09 2021 Kalev Lember <klember@redhat.com> - 1.11.3-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Enable malcontent support
Related: rhbz#1991688
* Fri May 07 2021 Kalev Lember <klember@redhat.com> - 1.10.2-4 * Wed Aug 25 2021 Kalev Lember <klember@redhat.com> - 1.11.3-1
- Disable system env generator to work around selinux denials (#1947214) - Update to 1.11.3
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.10.2-3 * Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.11.2-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jul 14 2021 David King <amigadave@amigadave.com> - 1.11.2-1
- Update to 1.11.2 (#1973591)
* Thu May 13 2021 Jeff Law <jlaw@tachyum.com> - 1.11.1-2
- Re-enable LTO
* Tue Apr 27 2021 David King <amigadave@amigadave.com> - 1.11.1-1
- Update to 1.11.1 (#1953833)
* Wed Apr 14 2021 Kalev Lember <klember@redhat.com> - 1.10.2-3
- Disable system env generator to work around selinux denials (#1947214)
* Mon Apr 05 2021 Kalev Lember <klember@redhat.com> - 1.10.2-2 * Mon Apr 05 2021 Kalev Lember <klember@redhat.com> - 1.10.2-2
- OCI: Switch to pax format for tar archives - OCI: Switch to pax format for tar archives
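Review bot: The new side carries no fix for CVE-2024-42472: the `Patch1: flatpak-1.12.x-CVE-2024-42472.patch` line and the patch file it names exist only on the old branch, and the only extra source the new spec adds is `Source2: flatpak.sysusers.conf`. The new changelog records the move to 1.15.8 in June 2024, while the dropped backport's commits and changelog entry are dated August/September 2024, so unless the 1.15.8 tarball has been verified to already contain the `--persist` symlink/`--bind-fd` fix (it appears to predate it), this branch reintroduces the sandbox escape the old branch had closed. If the fix is re-added, the bubblewrap pin needs attention too: the old branch required a build with `--bind-fd` backported (`%global bubblewrap_version 0.4.1-8`), whereas the new `%global bubblewrap_version 0.8.0` should be confirmed against a bwrap whose `--help` lists `--bind-fd`, since the flatpak-side change alone leaves the time-of-check/time-of-use race the patch series describes. Either way, a comment next to `Source2:` such as `# CVE-2024-42472: state which upstream release carries the --persist fix before dropping the backport` would record the decision for the next rebase.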
