Version in base suite: 1.14.4-1 Base version: flatpak_1.14.4-1 Target version: flatpak_1.14.4-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/flatpak/flatpak_1.14.4-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/f/flatpak/flatpak_1.14.4-1+deb12u1.dsc changelog | 12 + gbp.conf | 2 patches/When-starting-non-static-command-using-bwrap-use.patch | 67 ++++++++++ patches/series | 2 patches/test-run-Add-a-reproducer-for-CVE-2024-32462.patch | 38 +++++ 5 files changed, 120 insertions(+), 1 deletion(-)
diff -Nru flatpak-1.14.4/debian/changelog flatpak-1.14.4/debian/changelog
--- flatpak-1.14.4/debian/changelog 2023-03-16 10:39:01.000000000 +0000
+++ flatpak-1.14.4/debian/changelog 2024-04-17 18:39:48.000000000 +0000
@@ -1,3 +1,15 @@
+flatpak (1.14.4-1+deb12u1) bookworm-security; urgency=high
+
+ * d/p/When-starting-non-static-command-using-bwrap-use.patch,
+ d/p/test-run-Add-a-reproducer-for-CVE-2024-32462.patch:
+ Don't allow an executable name to be misinterpreted as a command-line
+ option for bwrap(1). This prevents a sandbox escape where a malicious
+ or compromised app could ask xdg-desktop-portal to generate a .desktop
+ file with access to files outside the sandbox. (CVE-2024-32462)
+ * d/gbp.conf: Use debian/bookworm packaging branch
+
+ -- Simon McVittie Wed, 17 Apr 2024 19:39:48 +0100
+
 flatpak (1.14.4-1) unstable; urgency=high
 
 * New upstream security fix release
diff -Nru flatpak-1.14.4/debian/gbp.conf flatpak-1.14.4/debian/gbp.conf
--- flatpak-1.14.4/debian/gbp.conf 2023-03-16 10:39:01.000000000 +0000
+++ flatpak-1.14.4/debian/gbp.conf 2024-04-17 18:39:48.000000000 +0000
@@ -1,7 +1,7 @@
 [DEFAULT]
 pristine-tar = True
 compression = xz
-debian-branch = debian/unstable
+debian-branch = debian/bookworm
 upstream-branch = upstream/1.14.x
 patch-numbers = False
 upstream-vcs-tag = %(version)s
diff -Nru flatpak-1.14.4/debian/patches/When-starting-non-static-command-using-bwrap-use.patch flatpak-1.14.4/debian/patches/When-starting-non-static-command-using-bwrap-use.patch
--- flatpak-1.14.4/debian/patches/When-starting-non-static-command-using-bwrap-use.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.14.4/debian/patches/When-starting-non-static-command-using-bwrap-use.patch 2024-04-17 18:39:48.000000000 +0000
@@ -0,0 +1,67 @@
+From: Alexander Larsson
+Date: Mon, 15 Apr 2024 16:10:36 +0200
+Subject: When starting non-static command using bwrap use "--"
+
+This ensures that the command is not taken to be a bwrap option.
+
+Resolves: CVE-2024-32462
+Resolves: GHSA-phv6-cpc2-2fgj
+Signed-off-by: Alexander Larsson
+[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
+[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
+Signed-off-by: Simon McVittie
+---
+ app/flatpak-builtins-build.c | 3 ++-
+ common/flatpak-dir.c | 1 +
+ common/flatpak-run.c | 5 ++++-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
+index f9f1a40..ed7f92b 100644
+--- a/app/flatpak-builtins-build.c
++++ b/app/flatpak-builtins-build.c
+@@ -587,7 +587,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
+ if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+ return FALSE;
+
+- flatpak_bwrap_add_args (bwrap, command, NULL);
++ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
++
+ flatpak_bwrap_append_argsv (bwrap,
+ &argv[rest_argv_start + 2],
+ rest_argc - 2);
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index eba81fe..edf2eb3 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -7071,6 +7071,7 @@ flatpak_dir_run_triggers (FlatpakDir *self,
+ "--proc", "/proc",
+ "--dev", "/dev",
+ "--bind", basedir, basedir,
++ "--",
+ NULL);
+ #endif
+ flatpak_bwrap_add_args (bwrap,
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 8fa8c0e..db42ceb 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -1299,6 +1299,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap,
+ if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+ return FALSE;
+
++ /* End of options: the next argument will be the executable name */
++ flatpak_bwrap_add_arg (bwrap, "--");
++
+ return TRUE;
+ }
+
+@@ -4680,7 +4683,7 @@ flatpak_run_app (FlatpakDecomposed 
*app_ref,
+ if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+ return FALSE;
+
+- flatpak_bwrap_add_arg (bwrap, command);
++ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+
+ if (!add_rest_args (bwrap, app_id,
+ exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,
diff -Nru flatpak-1.14.4/debian/patches/series flatpak-1.14.4/debian/patches/series
--- flatpak-1.14.4/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.14.4/debian/patches/series 2024-04-17 18:39:48.000000000 +0000
@@ -0,0 +1,2 @@
+When-starting-non-static-command-using-bwrap-use.patch
+test-run-Add-a-reproducer-for-CVE-2024-32462.patch
diff -Nru flatpak-1.14.4/debian/patches/test-run-Add-a-reproducer-for-CVE-2024-32462.patch flatpak-1.14.4/debian/patches/test-run-Add-a-reproducer-for-CVE-2024-32462.patch
--- flatpak-1.14.4/debian/patches/test-run-Add-a-reproducer-for-CVE-2024-32462.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.14.4/debian/patches/test-run-Add-a-reproducer-for-CVE-2024-32462.patch 2024-04-17 18:39:48.000000000 +0000
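Review bot: The `"--"` terminator is added without a comment in `flatpak_builtin_build`, `flatpak_dir_run_triggers` and `flatpak_run_app`, whereas the `add_bwrap_wrapper` hunk explains it with `/* End of options: the next argument will be the executable name */`; the same one-liner belongs beside each of the other three additions, because the fix only holds as long as every place that appends an externally chosen executable after bwrap options keeps the terminator, and an uncommented `"--"` is easy to drop in a later refactor. In `flatpak_dir_run_triggers` the `"--"` lands inside a conditionally compiled argument list (the `#endif` is two lines below), so if that conditional has another branch that also builds bwrap arguments it needs the same terminator — the trailer `[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]` suggests this was handled, but that code is not in the hunk. Each of the four functions starts outside its hunk, and only `add_bwrap_wrapper` closes inside one.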
@@ -0,0 +1,38 @@
+From: Simon McVittie
+Date: Tue, 16 Apr 2024 10:50:00 +0100
+Subject: test-run: Add a reproducer for CVE-2024-32462
+
+Signed-off-by: Simon McVittie
+---
+ tests/test-run.sh | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/tests/test-run.sh b/tests/test-run.sh
+index 7138bc6..d124c51 100644
+--- a/tests/test-run.sh
++++ b/tests/test-run.sh
+@@ -24,7 +24,7 @@ set -euo pipefail
+ skip_without_bwrap
+ skip_revokefs_without_fuse
+
+-echo "1..20"
++echo "1..21"
+
+ # Use stable rather than master as the branch so we can test that the run
+ # command automatically finds the branch correctly
+@@ -76,6 +76,15 @@ assert_file_has_content hello_out '^Hello world, from a sandbox$'
+
+ ok "hello"
+
++# This should try and fail to run e.g. /usr/bin/--tmpfs, which will
++# exit with status 127 because there is no such executable.
++# It should not pass "--tmpfs /blah hello.sh" as bwrap options.
++exit_status=0
++run --command=--tmpfs org.test.Hello /blah hello.sh >&2 || exit_status=$?
++assert_not_streq "$exit_status" 0
++
++ok "avoided CVE-2024-32462"
++
+ # XDG_RUNTIME_DIR is set to /runtime by libtest.sh,
+ # so we always have the necessary setup to reproduce #4372
+ assert_not_streq "$XDG_RUNTIME_DIR" "/run/user/$(id -u)"
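Review bot: The comment above the new check promises an exit status of 127, but `assert_not_streq "$exit_status" 0` accepts any non-zero status, so the test also passes when `run` fails for an unrelated reason (app not installed, bwrap unable to start) and the `--tmpfs /blah` arguments were never in question. Either align the comment with what is asserted, e.g. `# must fail with a non-zero status; before the fix bwrap accepted the options and ran hello.sh successfully`, or capture the output to a file instead of discarding it to `>&2` and additionally assert that it does not contain `Hello world`, mirroring how the preceding `hello` test checks `hello_out`. The exact status depends on whether bwrap or flatpak reports the failed exec, which is presumably why only non-zero is asserted; saying so in the comment would stop a future reader from tightening it to 127 and introducing a flaky test.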