packages/flatpak
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!10 fix CVE-2021-21381

Browse Source 
From: @wangxiao65
Reviewed-by: @zhanghua1831,@small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-03-25 11:03:53 +08:00 committed by Gitee
commit 695409c69c
4 changed files with 92 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
CVE-2021-21381-1.patch Normal file
View File

@ -0,0 +1,23 @@
From 652a28ffab67cb6cd7d12dc3a93979bcd3731c7f Mon Sep 17 00:00:00 2001
From: Ryan Gonzalez <rymg19@gmail.com>
Date: Tue, 2 Mar 2021 13:20:07 -0600
Subject: [PATCH] Disallow @@ and @@u usage in desktop files
Fixes #4146.
---
common/flatpak-dir.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index e6e4d6fb3..7d3374dad 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -5828,6 +5828,8 @@ export_desktop_file (const char *app,
g_string_append_printf (new_exec, " @@ %s @@", arg);
else if (strcasecmp (arg, "%u") == 0)
g_string_append_printf (new_exec, " @@u %s @@", arg);
+ else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
+ g_print (_("Skipping invalid Exec argument %s\n"), arg);
else
g_string_append_printf (new_exec, " %s", arg);
}

27
CVE-2021-21381-2.patch Normal file
View File

@ -0,0 +1,27 @@
From 1e7e8fdb24b51078f4c48e0711e24a14930ba1f0 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 5 Mar 2021 13:49:36 +0000
Subject: [PATCH] dir: Reserve the whole @@ prefix
If we add new features analogous to file forwarding later, we might
find that we need a different magic token. Let's reserve the whole
@@* namespace so we can call it @@something-else.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 7d3374dad..facfab37a 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -5828,7 +5828,7 @@ export_desktop_file (const char *app,
g_string_append_printf (new_exec, " @@ %s @@", arg);
else if (strcasecmp (arg, "%u") == 0)
g_string_append_printf (new_exec, " @@u %s @@", arg);
- else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
+ else if (g_str_has_prefix (arg, "@@"))
g_print (_("Skipping invalid Exec argument %s\n"), arg);
else
g_string_append_printf (new_exec, " %s", arg);

34
CVE-2021-21381-3.patch Normal file
View File

@ -0,0 +1,34 @@
From 46b3ede5241561c7d588951048c687c5075a3eac Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 5 Mar 2021 13:51:33 +0000
Subject: [PATCH] dir: Refuse to export .desktop files with suspicious uses of
@@ tokens
This is either a malicious/compromised app trying to do an attack, or
a mistake that will break handling of %f, %u and so on. Either way,
if we refuse to export the .desktop file, resulting in installation
failing, then it makes the rejection more obvious than quietly
removing the magic tokens.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-dir.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index facfab37a..c5edf346f 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -5829,7 +5829,11 @@ export_desktop_file (const char *app,
else if (strcasecmp (arg, "%u") == 0)
g_string_append_printf (new_exec, " @@u %s @@", arg);
else if (g_str_has_prefix (arg, "@@"))
- g_print (_("Skipping invalid Exec argument %s\n"), arg);
+ {
+ flatpak_fail_error (error, FLATPAK_ERROR_EXPORT_FAILED,
+ _("Invalid Exec argument %s"), arg);
+ goto out;
+ }
else
g_string_append_printf (new_exec, " %s", arg);
}

10
flatpak.spec
View File

@ -1,6 +1,6 @@
Name: flatpak Name: flatpak
Version: 1.0.3 Version: 1.0.3
Release: 3 Release: 4
Summary: Application deployment framework for desktop apps Summary: Application deployment framework for desktop apps
License: LGPLv2+ License: LGPLv2+
URL: http://flatpak.org/ URL: http://flatpak.org/
@ -11,6 +11,9 @@ Patch0002: CVE-2021-21261-2.patch
Patch0003: CVE-2021-21261-3.patch Patch0003: CVE-2021-21261-3.patch
Patch0004: CVE-2021-21261-4.patch Patch0004: CVE-2021-21261-4.patch
Patch0005: CVE-2021-21261-5.patch Patch0005: CVE-2021-21261-5.patch
Patch0006: CVE-2021-21381-1.patch
Patch0007: CVE-2021-21381-2.patch
Patch0008: CVE-2021-21381-3.patch
BuildRequires: pkgconfig(appstream-glib) pkgconfig(gio-unix-2.0) pkgconfig(gobject-introspection-1.0) >= 1.40.0 pkgconfig(json-glib-1.0) pkgconfig(libarchive) >= 2.8.0 BuildRequires: pkgconfig(appstream-glib) pkgconfig(gio-unix-2.0) pkgconfig(gobject-introspection-1.0) >= 1.40.0 pkgconfig(json-glib-1.0) pkgconfig(libarchive) >= 2.8.0
BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2018.7 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau) BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2018.7 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau)
@ -105,7 +108,10 @@ flatpak remote-list --system &> /dev/null || :
%{_mandir}/man5/flatpak-remote.5* %{_mandir}/man5/flatpak-remote.5*
%changelog %changelog
* Sun Feb 07 2021 wangxiao <wangxiao65> - 1.0.3-3 * Wed Mar 24 2021 wangxiao <wangxiao65@huawei.com> - 1.0.3-4
- Fix CVE-2021-21381
* Sun Feb 07 2021 wangxiao <wangxiao65@huawei.com> - 1.0.3-3
- Modify automake version - Modify automake version
- Fix CVE-2021-21261 - Fix CVE-2021-21261