commit b7c1a558e58aaeb1d007d29529bbb270dc4ff11e
Author: Alexander Larsson <alexl@redhat.com>
Date: Mon Apr 15 16:10:36 2024 +0200
When starting non-static command using bwrap use "--"
This ensures that the command is not taken to be a bwrap option.
Resolves: CVE-2024-32462
Resolves: GHSA-phv6-cpc2-2fgj
Signed-off-by: Alexander Larsson <alexl@redhat.com>
[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
Signed-off-by: Simon McVittie <smcv@collabora.com>
diff -Nura flatpak-1.10.8/app/flatpak-builtins-build.c flatpak-1.10.8_new/app/flatpak-builtins-build.c
--- flatpak-1.10.8/app/flatpak-builtins-build.c 2021-06-16 16:15:42.000000000 +0800
+++ flatpak-1.10.8_new/app/flatpak-builtins-build.c 2024-04-29 01:29:24.848028231 +0800
@@ -576,7 +576,8 @@
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
return FALSE;
- flatpak_bwrap_add_args (bwrap, command, NULL);
+ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+
flatpak_bwrap_append_argsv (bwrap,
&argv[rest_argv_start + 2],
rest_argc - 2);
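Review bot: The `"--"` inserted on line 20 is only effective because it is appended after `flatpak_bwrap_bundle_args` on line 17 has rewritten the preceding options, and that ordering constraint is not recorded in the code; a later refactor that moves the terminator above the bundling call would silently reintroduce the problem. Suggest a comment above the call, `/* Must stay after bundle_args: "--" ends bwrap option parsing so command and the user's argv are never read as bwrap options */`, mirroring the comment added in flatpak-run.c. The same shape and the same missing comment apply to the replacement at line 51. The enclosing function starts and ends outside the hunk.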
diff -Nura flatpak-1.10.8/common/flatpak-dir.c flatpak-1.10.8_new/common/flatpak-dir.c
--- flatpak-1.10.8/common/flatpak-dir.c 2023-03-15 19:18:22.000000000 +0800
+++ flatpak-1.10.8_new/common/flatpak-dir.c 2024-04-29 01:30:25.844285586 +0800
@@ -6653,6 +6653,7 @@
"--proc", "/proc",
"--dev", "/dev",
"--bind", basedir, basedir,
+ "--",
NULL);
#endif
flatpak_bwrap_add_args (bwrap,
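Review bot: The `"--"` added on line 32 is emitted only inside the preprocessor-conditional block closed by the `#endif` on line 34, while the `flatpak_bwrap_add_args` call on line 35 that follows it is unconditional, and whether the other branch of that conditional also builds a bwrap command line is not visible here. If it does, it needs the same terminator; if it does not (the trailer notes the DISABLE_SANDBOXED_TRIGGERS path was adjusted, which suggests bwrap is not used there), a short comment above `"--"` such as `/* end of bwrap options: the trigger command follows */` would stop a future option being appended after the #endif. The enclosing function starts and ends outside the hunk.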
diff -Nura flatpak-1.10.8/common/flatpak-run.c flatpak-1.10.8_new/common/flatpak-run.c
--- flatpak-1.10.8/common/flatpak-run.c 2023-03-16 17:55:42.000000000 +0800
+++ flatpak-1.10.8_new/common/flatpak-run.c 2024-04-29 01:32:15.856749755 +0800
@@ -1082,6 +1082,9 @@
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
return FALSE;
+ /* End of options: the next argument will be the executable name */
+ flatpak_bwrap_add_arg (bwrap, "--");
+
return TRUE;
}
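Review bot: The function ending on line 46 now terminates bwrap's option list on line 43, so every caller must append only the executable and its arguments after it returns; any later `flatpak_bwrap_add_args` carrying an option would be handed to the child process instead of bwrap. The inline comment on line 42 states this locally but the contract is not documented where callers see it. Suggest a doc comment on the function's prototype along the lines of `/* On success the bwrap option list is terminated with "--"; callers must append only the command and its arguments afterwards. */`. The function's signature is outside the hunk.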
@@ -4175,7 +4178,7 @@
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
return FALSE;
- flatpak_bwrap_add_arg (bwrap, command);
+ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
if (!add_rest_args (bwrap, app_id,
exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,