Package: flatpak-builder | Debian Sources

Package: flatpak-builder / 1.0.12-1+deb11u1

Metadata

Package	Version	Patches format
flatpak-builder	1.0.12-1+deb11u1	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
Disable filesystem access with nofilesystem host reset.patch \| (download)	src/builder-main.c \| 2 1 + 1 - 0 ! src/builder-manifest.c \| 4 2 + 2 - 0 ! src/builder-module.c \| 2 1 + 1 - 0 ! src/builder-source-shell.c \| 2 1 + 1 - 0 ! 4 files changed, 5 insertions(+), 5 deletions(-)	disable filesystem access with --nofilesystem=host:reset This requires <https://github.com/flatpak/flatpak/pull/4678>. In addition to counteracting an earlier --filesystem=host, in Flatpak versions that support it, the new --nofilesystem=host:reset removes all filesystem access that might have been inherited from the app manifest or overrides. This prevents CVE-2022-21682, while avoiding behaviour changes in Flatpak for non-builder use cases. In older Flatpak versions, this option acts as --filesystem=host with an unknown mode suffix, which is ignored (with a warning, which is harmless but will hopefully nudge people towards upgrading Flatpak to a version that enables CVE-2022-21682 to be avoided). flatpak-builder will still be vulnerable to CVE-2022-21682 in this case. Signed-off-by: Simon McVittie <smcv@collabora.com>
Allow nofilesystem host reset in flatpak builder run.patch \| (download)	src/builder-flatpak-utils.c \| 23 21 + 2 - 0 ! 1 file changed, 21 insertions(+), 2 deletions(-)	allow --nofilesystem=host:reset in flatpak-builder --run This adds support for the new host:reset mode. We don't verify that the argument is used as carefully as flatpak does, but any issue will be reported later when passed to flatpak. Co-authored-by: Simon McVittie <smcv@collabora.com>

Patch

File delta

Description

Disable filesystem access with nofilesystem host reset.patch | (download)

src/builder-main.c | 2 1 + 1 - 0 !
src/builder-manifest.c | 4 2 + 2 - 0 !
src/builder-module.c | 2 1 + 1 - 0 !
src/builder-source-shell.c | 2 1 + 1 - 0 !
4 files changed, 5 insertions(+), 5 deletions(-)

disable filesystem access with --nofilesystem=host:reset

This requires <https://github.com/flatpak/flatpak/pull/4678>.

In addition to counteracting an earlier --filesystem=host, in Flatpak
versions that support it, the new --nofilesystem=host:reset removes all
filesystem access that might have been inherited from the app manifest
or overrides. This prevents CVE-2022-21682, while avoiding behaviour
changes in Flatpak for non-builder use cases.

In older Flatpak versions, this option acts as --filesystem=host with an
unknown mode suffix, which is ignored (with a warning, which is harmless
but will hopefully nudge people towards upgrading Flatpak to a version
that enables CVE-2022-21682 to be avoided). flatpak-builder will still
be vulnerable to CVE-2022-21682 in this case.

Signed-off-by: Simon McVittie <smcv@collabora.com>

Allow nofilesystem host reset in flatpak builder run.patch | (download)

src/builder-flatpak-utils.c | 23 21 + 2 - 0 !
1 file changed, 21 insertions(+), 2 deletions(-)

 allow --nofilesystem=host:reset in flatpak-builder --run

This adds support for the new host:reset mode. We don't verify
that the argument is used as carefully as flatpak does, but any
issue will be reported later when passed to flatpak.

Co-authored-by: Simon McVittie <smcv@collabora.com>