Package: flatpak / 0.8.9-0+deb9u3
Patch seriesview the series file
|Don t expose proc when running apply_extra.patch | (download)||
don't expose /proc when running apply_extra As shown by CVE-2019-5736, it is sometimes possible for the sandbox app to access outside files using /proc/self/exe. This is not typically an issue for flatpak as the sandbox runs as the user which has no permissions to e.g. modify the host files. However, when installing apps using extra-data into the system repo we *do* actually run a sandbox as root. So, in this case we disable mounting /proc in the sandbox, which will neuter attacks like this. (cherry picked from commit 468858c1cbcdbcb27266deb5c7347b37adf3a9e4)
|run Only compare the lowest 32 ioctl arg bits for TIOCSTI.patch | (download)||
2 1 + 1 - 0 !
run: only compare the lowest 32 ioctl arg bits for tiocsti Closes #2782. Closes: #2783 Approved by: alexlarsson (cherry picked from commit a9107feeb4b8275b78965b36bf21b92d5724699e)