Version in base suite: 1.10.8-0+deb11u1 Base version: flatpak_1.10.8-0+deb11u1 Target version: flatpak_1.10.8-0+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/flatpak/flatpak_1.10.8-0+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/f/flatpak/flatpak_1.10.8-0+deb11u2.dsc changelog | 11 + patches/When-starting-non-static-command-using-bwrap-use.patch | 67 ++++++++++ patches/series | 2 patches/test-run-Add-a-reproducer-for-CVE-2024-32462.patch | 38 +++++ 4 files changed, 118 insertions(+)
diff -Nru flatpak-1.10.8/debian/changelog flatpak-1.10.8/debian/changelog
--- flatpak-1.10.8/debian/changelog 2023-03-18 15:29:44.000000000 +0000
+++ flatpak-1.10.8/debian/changelog 2024-04-17 18:43:12.000000000 +0000
@@ -1,3 +1,14 @@
+flatpak (1.10.8-0+deb11u2) bullseye-security; urgency=high
+
+ * d/p/When-starting-non-static-command-using-bwrap-use.patch,
+ d/p/test-run-Add-a-reproducer-for-CVE-2024-32462.patch:
+ Don't allow an executable name to be misinterpreted as a command-line
+ option for bwrap(1). This prevents a sandbox escape where a malicious
+ or compromised app could ask xdg-desktop-portal to generate a .desktop
+ file with access to files outside the sandbox. (CVE-2024-32462)
+
+ -- Simon McVittie Wed, 17 Apr 2024 19:43:12 +0100
+
 flatpak (1.10.8-0+deb11u1) bullseye; urgency=high
 * New upstream stable release
diff -Nru flatpak-1.10.8/debian/patches/When-starting-non-static-command-using-bwrap-use.patch flatpak-1.10.8/debian/patches/When-starting-non-static-command-using-bwrap-use.patch
--- flatpak-1.10.8/debian/patches/When-starting-non-static-command-using-bwrap-use.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.8/debian/patches/When-starting-non-static-command-using-bwrap-use.patch 2024-04-17 18:43:12.000000000 +0000
@@ -0,0 +1,67 @@
+From: Alexander Larsson
+Date: Mon, 15 Apr 2024 16:10:36 +0200
+Subject: When starting non-static command using bwrap use "--"
+
+This ensures that the command is not taken to be a bwrap option.
+
+Resolves: CVE-2024-32462
+Resolves: GHSA-phv6-cpc2-2fgj
+Signed-off-by: Alexander Larsson
+[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
+[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
+Signed-off-by: Simon McVittie
+---
+ app/flatpak-builtins-build.c | 3 ++-
+ common/flatpak-dir.c | 1 +
+ common/flatpak-run.c | 5 ++++-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
+index c0b12db..761af9a 100644
+--- a/app/flatpak-builtins-build.c
++++ b/app/flatpak-builtins-build.c
+@@ -576,7 +576,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
+ if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+ return FALSE;
+
+- flatpak_bwrap_add_args (bwrap, command, NULL);
++ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
++
+ flatpak_bwrap_append_argsv (bwrap,
+ &argv[rest_argv_start + 2],
+ rest_argc - 2);
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 6e07d08..296a7df 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -6653,6 +6653,7 @@ flatpak_dir_run_triggers (FlatpakDir *self,
+ "--proc", "/proc",
+ "--dev", "/dev",
+ "--bind", basedir, basedir,
++ "--",
+ NULL);
+ #endif
+ flatpak_bwrap_add_args (bwrap,
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index c4dcaca..7a3900c 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -1082,6 +1082,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap,
+ if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+ return FALSE;
+
++ /* End of options: the next argument will be the executable name */
++ flatpak_bwrap_add_arg (bwrap, "--");
++
+ return TRUE;
+ }
+
+@@ -4175,7 +4178,7 @@ flatpak_run_app (FlatpakDecomposed 
*app_ref,
+ if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+ return FALSE;
+
+- flatpak_bwrap_add_arg (bwrap, command);
++ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+
+ if (!add_rest_args (bwrap, app_id,
+ exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,
diff -Nru flatpak-1.10.8/debian/patches/series flatpak-1.10.8/debian/patches/series
--- flatpak-1.10.8/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.8/debian/patches/series 2024-04-17 18:43:12.000000000 +0000
@@ -0,0 +1,2 @@
+When-starting-non-static-command-using-bwrap-use.patch
+test-run-Add-a-reproducer-for-CVE-2024-32462.patch
diff -Nru flatpak-1.10.8/debian/patches/test-run-Add-a-reproducer-for-CVE-2024-32462.patch flatpak-1.10.8/debian/patches/test-run-Add-a-reproducer-for-CVE-2024-32462.patch
--- flatpak-1.10.8/debian/patches/test-run-Add-a-reproducer-for-CVE-2024-32462.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.8/debian/patches/test-run-Add-a-reproducer-for-CVE-2024-32462.patch 2024-04-17 18:43:12.000000000 +0000
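Review bot: Of the four places this patch inserts the `--` separator, only the add_bwrap_wrapper hunk in common/flatpak-run.c says why it is there; the flatpak-builtins-build.c, flatpak-dir.c and flatpak_run_app hunks add `"--"` bare, so a later refactor that rebuilds the bwrap argument list could drop it without anything in the code objecting. I would repeat the same one-liner at each of those sites, e.g. `/* End of options: the next argument will be the executable name */` directly above `flatpak_bwrap_add_args (bwrap, "--", command, NULL);`. In flatpak-dir.c the separator is added inside a preprocessor block that closes at the `#endif` immediately below it; whether the other branch of that conditional also hands a command to bwrap is not visible in this hunk and should be confirmed. All four enclosing functions start and end outside their hunks.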
@@ -0,0 +1,38 @@
+From: Simon McVittie
+Date: Tue, 16 Apr 2024 10:50:00 +0100
+Subject: test-run: Add a reproducer for CVE-2024-32462
+
+Signed-off-by: Simon McVittie
+---
+ tests/test-run.sh | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/tests/test-run.sh b/tests/test-run.sh
+index b28cf7b..324c0fe 100644
+--- a/tests/test-run.sh
++++ b/tests/test-run.sh
+@@ -24,7 +24,7 @@ set -euo pipefail
+ skip_without_bwrap
+ skip_revokefs_without_fuse
+
+-echo "1..19"
++echo "1..20"
+
+ # Use stable rather than master as the branch so we can test that the run
+ # command automatically finds the branch correctly
+@@ -74,6 +74,15 @@ assert_file_has_content hello_out '^Hello world, from a sandbox$'
+
+ ok "hello"
+
++# This should try and fail to run e.g. /usr/bin/--tmpfs, which will
++# exit with status 127 because there is no such executable.
++# It should not pass "--tmpfs /blah hello.sh" as bwrap options.
++exit_status=0
++run --command=--tmpfs org.test.Hello /blah hello.sh >&2 || exit_status=$?
++assert_not_streq "$exit_status" 0
+
++ok "avoided CVE-2024-32462"
+
+ # XDG_RUNTIME_DIR is set to /runtime by libtest.sh,
+ # so we always have the necessary setup to reproduce #4372
+ assert_not_streq "$XDG_RUNTIME_DIR" "/run/user/$(id -u)"
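Review bot: The new check only asserts a non-zero exit status, so any unrelated failure of `run` (a missing runtime, a bwrap error for some other reason) would make the reproducer pass even if the separator were dropped again, and because stdout is sent to stderr with `>&2` nothing about what actually ran is examined. The vulnerable behaviour the comment describes would execute hello.sh and print the same line the preceding "hello" test greps for, so the stronger assertion is on the output: capture it, `run --command=--tmpfs org.test.Hello /blah hello.sh > cve_out || exit_status=$?`, and then assert that cve_out does not contain `Hello world, from a sandbox` (the negative counterpart of `assert_file_has_content`, if libtest.sh provides one, or a `! grep` on the file). Keeping the non-zero exit check alongside that is fine; pinning the exact status to 127 as the comment suggests is riskier, since that value depends on how bwrap reports an exec failure rather than on flatpak.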