Overview

File flatpak-CVE-2024-42472-part02-2cdd1e1e.patch of Package flatpak.35425

From 2cdd1e1e5ae90d7c3a4b60ce2e36e4d609e44e72
From: Alexander Larsson <alexl@redhat.com>
Date: Mon, 3 Jun 2024 12:59:05 +0200
Subject: [PATCH] Add test coverage for --persist
References: CVE-2024-42472
References: bsc#1229157
Upstream: Backport from upstream

This adds three "positive" tests: the common case --persist=.persist, the
deprecated spelling --persist=/.persist, and the less common special case
--persist=. as used by Steam.

It also adds "negative" tests for CVE-2024-42472: if the --persist
directory is a symbolic link or contains path segment "..", we want that
to be rejected.

Reproduces: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Add "positive" tests]
[smcv: Exercise --persist=..]
[smcv: Assert that --persist with a symlink produces expected message]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
 tests/test-run.sh | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

--- flatpak-1.10.8/tests/test-run.sh
+++ flatpak-1.10.8_new/tests/test-run.sh
@@ -503,3 +503,43 @@
 assert_file_has_content out "^sdk=org\.test\.Sdk/$(flatpak --default-arch)/stable$"
 
 ok "--sdk option"
+
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+run --command=sh --persist=.persist org.test.Hello -c 'echo can-persist > .persist/rc'
+sed -e 's,^,#--persist=.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
+
+ok "--persist=.persist persists a directory"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+# G_DEBUG= to avoid the deprecation warning being fatal
+G_DEBUG= run --command=sh --persist=/.persist org.test.Hello -c 'echo can-persist > .persist/rc'
+sed -e 's,^,#--persist=/.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
+
+ok "--persist=/.persist is a deprecated form of --persist=.persist"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+run --command=sh --persist=. org.test.Hello -c 'echo can-persist > .persistrc'
+sed -e 's,^,#--persist=.# ,g' < "$HOME/.var/app/org.test.Hello/.persistrc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persistrc" "can-persist"
+
+ok "--persist=. persists all files"
+
+mkdir "${TEST_DATA_DIR}/inaccessible"
+echo FOO > ${TEST_DATA_DIR}/inaccessible/secret-file
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+ln -fns "${TEST_DATA_DIR}/inaccessible" "$HOME/.var/app/org.test.Hello/persist"
+# G_DEBUG= to avoid the warnings being fatal when we reject a --persist option.
+# LC_ALL=C so we get the expected non-localized string.
+LC_ALL=C G_DEBUG= run --command=ls --persist=persist --persist=relative/../escape org.test.Hello -la ~/persist &> hello_out || true
+sed -e 's,^,#--persist=symlink# ,g' < hello_out >&2
+assert_file_has_content hello_out "not allowed to avoid sandbox escape"
+assert_not_file_has_content hello_out "secret-file"
+
+ok "--persist doesn't allow sandbox escape via a symlink (CVE-2024-42472)"
openSUSE Build Service is sponsored by
Places