!10 fix CVE-2021-21381

From: @wangxiao65 Reviewed-by: @zhanghua1831,@small_leek Signed-off-by: @small_leek
2021-03-25 11:03:53 +08:00 · 2021-03-25 11:03:53 +08:00 · 695409c69c
commit 695409c69c
parent 8a6f620707 84ddc37de5
4 changed files with 92 additions and 2 deletions
--- a/CVE-2021-21381-1.patch
+++ b/CVE-2021-21381-1.patch
@ -0,0 +1,23 @@
+From 652a28ffab67cb6cd7d12dc3a93979bcd3731c7f Mon Sep 17 00:00:00 2001
+From: Ryan Gonzalez <rymg19@gmail.com>
+Date: Tue, 2 Mar 2021 13:20:07 -0600
+Subject: [PATCH] Disallow @@ and @@u usage in desktop files
+
+Fixes #4146.
+---
+ common/flatpak-dir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index e6e4d6fb3..7d3374dad 100644
+--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
+@@ -5828,6 +5828,8 @@ export_desktop_file (const char         *app,
+                 g_string_append_printf (new_exec, " @@ %s @@", arg);
+               else if (strcasecmp (arg, "%u") == 0)
+                 g_string_append_printf (new_exec, " @@u %s @@", arg);
+              else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
+                g_print (_("Skipping invalid Exec argument %s\n"), arg);
+               else
+                 g_string_append_printf (new_exec, " %s", arg);
+             }
--- a/CVE-2021-21381-2.patch
+++ b/CVE-2021-21381-2.patch
@ -0,0 +1,27 @@
+From 1e7e8fdb24b51078f4c48e0711e24a14930ba1f0 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Fri, 5 Mar 2021 13:49:36 +0000
+Subject: [PATCH] dir: Reserve the whole @@ prefix
+
+If we add new features analogous to file forwarding later, we might
+find that we need a different magic token. Let's reserve the whole
+@@* namespace so we can call it @@something-else.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+ common/flatpak-dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 7d3374dad..facfab37a 100644
+--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
+@@ -5828,7 +5828,7 @@ export_desktop_file (const char         *app,
+                 g_string_append_printf (new_exec, " @@ %s @@", arg);
+               else if (strcasecmp (arg, "%u") == 0)
+                 g_string_append_printf (new_exec, " @@u %s @@", arg);
+-              else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
+              else if (g_str_has_prefix (arg, "@@"))
+                 g_print (_("Skipping invalid Exec argument %s\n"), arg);
+               else
+                 g_string_append_printf (new_exec, " %s", arg);
--- a/CVE-2021-21381-3.patch
+++ b/CVE-2021-21381-3.patch
@ -0,0 +1,34 @@
+From 46b3ede5241561c7d588951048c687c5075a3eac Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Fri, 5 Mar 2021 13:51:33 +0000
+Subject: [PATCH] dir: Refuse to export .desktop files with suspicious uses of
+ @@ tokens
+
+This is either a malicious/compromised app trying to do an attack, or
+a mistake that will break handling of %f, %u and so on. Either way,
+if we refuse to export the .desktop file, resulting in installation
+failing, then it makes the rejection more obvious than quietly
+removing the magic tokens.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+ common/flatpak-dir.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index facfab37a..c5edf346f 100644
+--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
+@@ -5829,7 +5829,11 @@ export_desktop_file (const char         *app,
+               else if (strcasecmp (arg, "%u") == 0)
+                 g_string_append_printf (new_exec, " @@u %s @@", arg);
+               else if (g_str_has_prefix (arg, "@@"))
+-                g_print (_("Skipping invalid Exec argument %s\n"), arg);
+                {
+                  flatpak_fail_error (error, FLATPAK_ERROR_EXPORT_FAILED,
+                                     _("Invalid Exec argument %s"), arg);
+                  goto out;
+                }
+               else
+                 g_string_append_printf (new_exec, " %s", arg);
+             }
--- a/flatpak.spec
+++ b/flatpak.spec
@ -1,6 +1,6 @@
 Name:           flatpak
 Version:        1.0.3
-Release:        3
+Release:        4
 Summary:        Application deployment framework for desktop apps
 License:        LGPLv2+
 URL:            http://flatpak.org/
@ -11,6 +11,9 @@ Patch0002:      CVE-2021-21261-2.patch
 Patch0003:      CVE-2021-21261-3.patch
 Patch0004:      CVE-2021-21261-4.patch
 Patch0005:      CVE-2021-21261-5.patch
+Patch0006:      CVE-2021-21381-1.patch
+Patch0007:      CVE-2021-21381-2.patch
+Patch0008:      CVE-2021-21381-3.patch

 BuildRequires:  pkgconfig(appstream-glib) pkgconfig(gio-unix-2.0) pkgconfig(gobject-introspection-1.0) >= 1.40.0 pkgconfig(json-glib-1.0) pkgconfig(libarchive) >= 2.8.0
 BuildRequires:  pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2018.7 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau)
@ -105,7 +108,10 @@ flatpak remote-list --system &> /dev/null || :
 %{_mandir}/man5/flatpak-remote.5*

 %changelog
-* Sun Feb 07 2021 wangxiao <wangxiao65> - 1.0.3-3
+* Wed Mar 24 2021 wangxiao <wangxiao65@huawei.com> - 1.0.3-4
+- Fix CVE-2021-21381
+
+* Sun Feb 07 2021 wangxiao <wangxiao65@huawei.com> - 1.0.3-3
 - Modify automake version
 - Fix CVE-2021-21261