!79 Fix CVE-2024-32462

From: @wk333 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001

CVE-2024-32462.patch

@@ -0,0 +1,70 @@
+From 72016e3fce8fcbeab707daf4f1a02b931fcc004d Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Mon, 15 Apr 2024 16:10:36 +0200
+Subject: [PATCH] When starting non-static command using bwrap use "--"
+
+Origin: https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d
+
+This ensures that the command is not taken to be a bwrap option.
+
+Resolves: CVE-2024-32462
+Resolves: GHSA-phv6-cpc2-2fgj
+Signed-off-by: Alexander Larsson <alexl@redhat.com>
+[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
+[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+ app/flatpak-builtins-build.c | 3 ++-
+ common/flatpak-dir.c         | 1 +
+ common/flatpak-run.c         | 5 ++++-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
+index c0b12dbca1..761af9a1b0 100644
+--- a/app/flatpak-builtins-build.c
++++ b/app/flatpak-builtins-build.c
+@@ -576,7 +576,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
+   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+     return FALSE;
+ 
+-  flatpak_bwrap_add_args (bwrap, command, NULL);
++  flatpak_bwrap_add_args (bwrap, "--", command, NULL);
++
+   flatpak_bwrap_append_argsv (bwrap,
+                               &argv[rest_argv_start + 2],
+                               rest_argc - 2);
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 6e07d08e3d..296a7dfd78 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -6653,6 +6653,7 @@ flatpak_dir_run_triggers (FlatpakDir   *self,
+                                   "--proc", "/proc",
+                                   "--dev", "/dev",
+                                   "--bind", basedir, basedir,
++                                  "--",
+                                   NULL);
+ #endif
+           flatpak_bwrap_add_args (bwrap,
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index c4dcaca9e6..7a3900c651 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -1082,6 +1082,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap,
+   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+     return FALSE;
+ 
++  /* End of options: the next argument will be the executable name */
++  flatpak_bwrap_add_arg (bwrap, "--");
++
+   return TRUE;
+ }
+ 
+@@ -4175,7 +4178,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
+   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+     return FALSE;
+ 
+-  flatpak_bwrap_add_arg (bwrap, command);
++  flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+ 
+   if (!add_rest_args (bwrap, app_id,
+                       exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,

flatpak.spec

@@ -1,6 +1,6 @@
 Name:           flatpak
 Version:        1.10.2
-Release:        7
+Release:        8
 Summary:        Application deployment framework for desktop apps
 License:        LGPLv2+
 URL:            http://flatpak.org/
@@ -39,6 +39,7 @@ Patch6021:      CVE-2023-28100.patch
 Patch6022:      CVE-2023-28101-1.patch
 # https://github.com/flatpak/flatpak/commit/e88eedce76f79a5573df4fc38b344bbeaf7af024
 Patch6023:      CVE-2023-28101-2.patch
+Patch6024:      CVE-2024-32462.patch
 
 BuildRequires:  pkgconfig(appstream-glib) pkgconfig(gio-unix-2.0) pkgconfig(gobject-introspection-1.0) >= 1.40.0 pkgconfig(json-glib-1.0) pkgconfig(libarchive) >= 2.8.0
 BuildRequires:  pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2020.8 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau)
@@ -144,6 +145,9 @@ flatpak remote-list --system &> /dev/null || :
 %{_mandir}/man5/flatpak-remote.5*
 
 %changelog
+* Fri Apr 19 2024 wangkai <13474090681@163.com> - 1.10.2-8
+- Fix CVE-2024-32462
+
 * Thu Mar 28 2024 yaoxin <yao_xin001@hoperun.com> - 1.10.2-7
 - Fix CVE-2023-28100 and CVE-2023-28101