diff -Nru flatpak-1.10.2/debian/changelog flatpak-1.10.2/debian/changelog
--- flatpak-1.10.2/debian/changelog 2021-10-12 23:36:35.000000000 +0000
+++ flatpak-1.10.2/debian/changelog 2022-01-20 00:10:56.000000000 +0000
@@ -1,3 +1,45 @@
+flatpak (1.10.2-3ubuntu0.2) impish-security; urgency=medium
+
+ * SECURITY UPDATE: Prevent a malicious repository from arranging for
+ permissions to be granted without being correctly displayed
+ during installation (LP: #1957716)
+ - debian/patches/CVE-2021-43860-1.patch: Fix metadata file contents
+ after null terminators being ignored
+ - debian/patches/CVE-2021-43860-2.patch: Transaction: Fail the resolve
+ if xa.metadata invalid or missing
+ - debian/patches/CVE-2021-43860-3.patch: Require metadata in commit also
+ for OCI remotes
+ - debian/patches/CVE-2021-43860-4.patch: Ensure that bundles have metadata
+ on install
+ - debian/patches/CVE-2021-43860-5.patch: Add test for metadata validation
+ - CVE-2021-43860
+ * SECURITY UPDATE: Provide a new --nofilesystem=host:reset option which
+ flatpak-builder can use to prevent malicious builds from creating
+ directories outside the build directory(LP: #1957716)
+ - debian/patches/CVE-2022-21682-1.patch: test-override: Assert that only
+ the expected term is negated
+ - debian/patches/CVE-2022-21682-2.patch: test-override: Assert that
+ unimplemented suffix is ignored with a warning
+ - debian/patches/CVE-2022-21682-3.patch: run, override: Clarify the effect
+ of --nofilesystem
+ - debian/patches/CVE-2022-21682-4.patch: test-override: Assert pre-1.12.3
+ behaviour of --nofilesystem=home, host
+ - debian/patches/CVE-2022-21682-5.patch: test-override: Assert that
+ --nofilesystem with suffix yields a warning
+ - debian/patches/CVE-2022-21682-6.patch: context: Introduce new
+ --nofilesystem=host:reset
+ - debian/patches/CVE-2022-21682-7.patch: test-exports: Exercise host:reset
+ and related filesystem tokens
+ - debian/patches/CVE-2022-21682-8.patch: test-context: Exercise some corner
+ cases for merging filesystems
+ - debian/patches/CVE-2022-21682-9.patch: test-override: Exercise
+ --nofilesystem=host:reset
+ - CVE-2022-21682
+ * 
debian/patches/test-metadata-validation.sh-Ensure-that-mtimes-chang.patch: + Add a patch to make unit tests more reliable. + + -- Andrew Hayzen Thu, 20 Jan 2022 00:10:56 +0000 + flatpak (1.10.2-3ubuntu0.1) impish-security; urgency=medium * SECURITY UPDATE: Sandbox bypass via recent VFS-manipulating syscalls diff -Nru flatpak-1.10.2/debian/patches/CVE-2021-43860-1.patch flatpak-1.10.2/debian/patches/CVE-2021-43860-1.patch --- flatpak-1.10.2/debian/patches/CVE-2021-43860-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ flatpak-1.10.2/debian/patches/CVE-2021-43860-1.patch 2022-01-20 00:10:56.000000000 +0000 
@@ -0,0 +1,206 @@
+From 3c3dc554e744f0ce974e2051aa8cf94f9736c785 Mon Sep 17 00:00:00 2001
+From: Ryan Gonzalez
+Date: Thu, 23 Dec 2021 18:30:17 -0600
+Subject: Fix metadata file contents after null terminators being ignored
+
+In particular, if a null terminator is placed inside the metadata file,
+Flatpak will only compare the text *before* it to the value of
+xa.metadata, but the full file will be parsed when permissions are set
+at runtime. This means that any app can include a null terminator in its
+permissions metadata, and Flatpak will only show the user the
+permissions *preceding* the terminator during install, but the
+permissions *after* the terminator are applied at runtime.
+
+Fixes GHSA-qpjc-vq3c-572j / CVE-2021-43860
+
+Signed-off-by: Ryan Gonzalez
+(cherry picked from commit c9c3a667c09a846c0b230cf1cc8ed330028aa03c)
+---
+ common/flatpak-dir.c | 36 +++++++++++++++++++++++++++---------
+ common/flatpak-transaction.c | 8 ++++----
+ common/flatpak-utils.c | 9 +++++----
+ 3 files changed, 36 insertions(+), 17 deletions(-)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index a511c4c4..99d325ab 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -1762,19 +1762,29 @@ static gboolean
+ validate_commit_metadata (GVariant *commit_data,
+ const char *ref,
+ const char *required_metadata,
++ gsize required_metadata_size,
+ gboolean require_xa_metadata,
+ GError **error)
+ {
+ g_autoptr(GVariant) commit_metadata = NULL;
++ g_autoptr(GVariant) xa_metadata_v = NULL;
+ const char *xa_metadata = NULL;
++ gsize xa_metadata_size = 0;
+
+ commit_metadata = g_variant_get_child_value (commit_data, 0);
+
+ if (commit_metadata != NULL)
+- g_variant_lookup (commit_metadata, "xa.metadata", "&s", &xa_metadata);
++ {
++ xa_metadata_v = g_variant_lookup_value (commit_metadata,
++ "xa.metadata",
++ G_VARIANT_TYPE_STRING);
++ if (xa_metadata_v)
++ xa_metadata = g_variant_get_string (xa_metadata_v, &xa_metadata_size);
++ }
+
+ if ((xa_metadata == NULL 
&& require_xa_metadata) ||
+- (xa_metadata != NULL && g_strcmp0 (required_metadata, xa_metadata) != 0))
++ (xa_metadata != NULL && (xa_metadata_size != required_metadata_size ||
++ memcmp (xa_metadata, required_metadata, xa_metadata_size) != 0)))
+ {
+ g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
+ _("Commit metadata for %s not matching expected metadata"), ref);
+@@ -3478,6 +3488,7 @@ upgrade_deploy_data (GBytes *deploy_data,
+ g_autoptr(GKeyFile) keyfile = NULL;
+ g_autoptr(GFile) metadata_file = NULL;
+ g_autofree char *metadata_contents = NULL;
++ gsize metadata_size = 0;
+ g_autofree char *id = flatpak_decomposed_dup_id (ref);
+
+ /* Add fields from commit metadata to deploy */
+@@ -3491,9 +3502,9 @@ upgrade_deploy_data (GBytes *deploy_data,
+ keyfile = g_key_file_new ();
+ metadata_file = g_file_resolve_relative_path (deploy_dir, "metadata");
+ if (!g_file_load_contents (metadata_file, cancellable,
+- &metadata_contents, NULL, NULL, error))
++ &metadata_contents, &metadata_size, NULL, error))
+ return NULL;
+- if (!g_key_file_load_from_data (keyfile, metadata_contents, -1, 0, error))
++ if (!g_key_file_load_from_data (keyfile, metadata_contents, metadata_size, 0, error))
+ return NULL;
+ add_metadata_to_deploy_data (&metadata_dict, keyfile);
+
+@@ -5799,8 +5810,13 @@ flatpak_dir_pull (FlatpakDir *self,
+ {
+ g_autoptr(GVariant) commit_data = NULL;
+ if (!ostree_repo_load_commit (repo, rev, &commit_data, NULL, error) ||
+- !validate_commit_metadata (commit_data, ref, (const char *)g_bytes_get_data (require_metadata, NULL), TRUE, error))
+- return FALSE;
++ !validate_commit_metadata (commit_data,
++ ref,
++ (const char *)g_bytes_get_data (require_metadata, NULL),
++ g_bytes_get_size (require_metadata),
++ TRUE,
++ error))
++ goto out;
+ }
+
+ if (!flatpak_dir_pull_extra_data (self, repo,
+@@ -8117,6 +8133,7 @@ flatpak_dir_deploy (FlatpakDir *self,
+ g_auto(GLnxLockFile) lock = { 0, };
+ g_autoptr(GFile) metadata_file = NULL;
+ g_autofree char 
*metadata_contents = NULL;
++ gsize metadata_size = 0;
+ gboolean is_oci;
+
+ if (!flatpak_dir_ensure_repo (self, cancellable, error))
+@@ -8326,11 +8343,12 @@ flatpak_dir_deploy (FlatpakDir *self,
+ keyfile = g_key_file_new ();
+ metadata_file = g_file_resolve_relative_path (checkoutdir, "metadata");
+ if (g_file_load_contents (metadata_file, NULL,
+- &metadata_contents, NULL, NULL, NULL))
++ &metadata_contents,
++ &metadata_size, NULL, NULL))
+ {
+ if (!g_key_file_load_from_data (keyfile,
+ metadata_contents,
+- -1,
++ metadata_size,
+ 0, error))
+ return FALSE;
+
+@@ -8346,7 +8364,7 @@ flatpak_dir_deploy (FlatpakDir *self,
+ */
+ is_oci = flatpak_dir_get_remote_oci (self, origin);
+ if (!validate_commit_metadata (commit_data, flatpak_decomposed_get_ref (ref),
+- metadata_contents, !is_oci, error))
++ metadata_contents, metadata_size, !is_oci, error))
+ return FALSE;
+
+ dotref = g_file_resolve_relative_path (checkoutdir, "files/.ref");
+diff --git a/common/flatpak-transaction.c b/common/flatpak-transaction.c
+index 19274988..721da145 100644
+--- a/common/flatpak-transaction.c
++++ b/common/flatpak-transaction.c
+@@ -2520,7 +2520,7 @@ flatpak_transaction_add_ref (FlatpakTransaction *self,
+ return FALSE;
+
+ if (external_metadata)
+- op->external_metadata = g_bytes_new (external_metadata, strlen (external_metadata) + 1);
++ op->external_metadata = g_bytes_new (external_metadata, strlen (external_metadata));
+
+ return TRUE;
+ }
+@@ -2937,7 +2937,7 @@ load_deployed_metadata (FlatpakTransaction *self, FlatpakDecomposed *ref, char *
+ return NULL;
+ }
+
+- return g_bytes_new_take (g_steal_pointer (&metadata_contents), metadata_contents_length + 1);
++ return g_bytes_new_take (g_steal_pointer (&metadata_contents), metadata_contents_length);
+ }
+
+ static void
+@@ -3034,7 +3034,7 @@ resolve_op_from_commit (FlatpakTransaction *self,
+ if (xa_metadata == NULL)
+ g_message ("Warning: No xa.metadata in local commit %s ref %s", checksum, flatpak_decomposed_get_ref 
(op->ref));
+ else
+- metadata_bytes = g_bytes_new (xa_metadata, strlen (xa_metadata) + 1);
++ metadata_bytes = g_bytes_new (xa_metadata, strlen (xa_metadata));
+
+ if (g_variant_lookup (commit_metadata, "xa.download-size", "t", &download_size))
+ op->download_size = GUINT64_FROM_BE (download_size);
+@@ -3074,7 +3074,7 @@ try_resolve_op_from_metadata (FlatpakTransaction *self,
+ &download_size, &installed_size, &metadata, NULL))
+ return FALSE;
+
+- metadata_bytes = g_bytes_new (metadata, strlen (metadata) + 1);
++ metadata_bytes = g_bytes_new (metadata, strlen (metadata));
+
+ if (flatpak_remote_state_lookup_ref (state, flatpak_decomposed_get_ref (op->ref),
+ NULL, NULL, &info, NULL, NULL))
+diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c
+index 84bc6a39..be52453f 100644
+--- a/common/flatpak-utils.c
++++ b/common/flatpak-utils.c
+@@ -6655,6 +6655,7 @@ flatpak_pull_from_bundle (OstreeRepo *repo,
+ GCancellable *cancellable,
+ GError **error)
+ {
++ gsize metadata_size = 0;
+ g_autofree char *metadata_contents = NULL;
+ g_autofree char *to_checksum = NULL;
+ g_autoptr(GFile) root = NULL;
+@@ -6671,6 +6672,8 @@ flatpak_pull_from_bundle (OstreeRepo *repo,
+ if (metadata == NULL)
+ return FALSE;
+
++ metadata_size = strlen (metadata_contents);
++
+ if (!ostree_repo_get_remote_option (repo, remote, "collection-id", NULL,
+ &remote_collection_id, NULL))
+ remote_collection_id = NULL;
+@@ -6740,12 +6743,10 @@ flatpak_pull_from_bundle (OstreeRepo *repo,
+ cancellable, error) < 0)
+ return FALSE;
+
+- /* Null terminate */
+- g_output_stream_write (G_OUTPUT_STREAM (data_stream), "\0", 1, NULL, NULL);
+-
+ metadata_valid =
+ metadata_contents != NULL &&
+- strcmp (metadata_contents, g_memory_output_stream_get_data (data_stream)) == 0;
++ metadata_size == g_memory_output_stream_get_data_size (data_stream) &&
++ memcmp (metadata_contents, g_memory_output_stream_get_data (data_stream), metadata_size) == 0;
+ }
+ else
+ {
+-- 
+2.33.1
+
diff -Nru 
flatpak-1.10.2/debian/patches/CVE-2021-43860-2.patch flatpak-1.10.2/debian/patches/CVE-2021-43860-2.patch
--- flatpak-1.10.2/debian/patches/CVE-2021-43860-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.2/debian/patches/CVE-2021-43860-2.patch 2022-01-20 00:10:56.000000000 +0000
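Review bot: In the flatpak_pull_from_bundle hunk the new `metadata_size = strlen (metadata_contents);` is unconditional, yet the metadata_valid expression a few lines below still tests `metadata_contents != NULL`, so if that test is reachable strlen has already been called on a NULL pointer; either the guard is dead or the new line needs it too, `if (metadata_contents != NULL) metadata_size = strlen (metadata_contents);`. The bundle side is also the only call site in this patch that still derives a length with strlen rather than an explicit size, which is only equivalent if the bundle's metadata string cannot carry an embedded NUL (it looks like it originates from a GVariant string, but that is outside the hunk), so a one-line comment saying why strlen is acceptable here would stop the next reader from "fixing" it. The comparison against the checked-out file is now an exact size check plus memcmp, which is what closes the truncation the commit message describes.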
@@ -0,0 +1,236 @@
+From 10367bd7d2036d39bcd108d7ed81fee9c87685f3 Mon Sep 17 00:00:00 2001
+From: Alexander Larsson
+Date: Mon, 10 Jan 2022 16:43:08 +0100
+Subject: Transaction: Fail the resolve if xa.metadata invalid or missing
+
+If we fail to parse xa.metadata from the summary cache or the commit
+xa.metadata we fail the resolve.
+
+If xa.metadata is missing in the commit we fail the resolve (it is
+always set in the summary cache, because summary update converts
+missing xa.metadata to "", so we either get that, or cache miss which
+leads to resolving from the commit.
+
+This means that op->resolved_metadata is always set during install and
+updates, which means we will show the app permissions. The transaction
+will also always make sure that this data actually matches what gets
+deployed.
+
+Before this change an invalid metadata in the summary cache could lead
+to a NULL resolved_metadata, which means we wouldn't print the app
+permissions, yet we would still deploy some metadata file that could
+have permissions. (NOTE: It would fail to deploy unless the
+xa.metadata in the commit matched the metadata file, but in this
+corner case we would't compare the summary and commit metadata, so
+they may differ.) 
+
+(cherry picked from commit 5036bca4214d5b77e884dec42e36496a06e74081)
+---
+ common/flatpak-transaction.c | 84 +++++++++++++++++++++++-------------
+ 1 file changed, 55 insertions(+), 29 deletions(-)
+
+diff --git a/common/flatpak-transaction.c b/common/flatpak-transaction.c
+index 721da145..18007ce3 100644
+--- a/common/flatpak-transaction.c
++++ b/common/flatpak-transaction.c
+@@ -2957,12 +2957,13 @@ emit_eol_and_maybe_skip (FlatpakTransaction *self,
+ g_signal_emit (self, signals[END_OF_LIFED_WITH_REBASE], 0, op->remote, flatpak_decomposed_get_ref (op->ref), op->eol, op->eol_rebase, previous_ids, &op->skip);
+ }
+
+-static void
++static gboolean
+ mark_op_resolved (FlatpakTransactionOperation *op,
+ const char *commit,
+ GFile *sideload_path,
+ GBytes *metadata,
+- GBytes *old_metadata)
++ GBytes *old_metadata,
++ GError **error)
+ {
+ g_debug ("marking op %s:%s resolved to %s", kind_to_str (op->kind), flatpak_decomposed_get_ref (op->ref), commit ? commit : "-");
+
+@@ -2980,13 +2981,12 @@ mark_op_resolved (FlatpakTransactionOperation *op,
+ if (metadata)
+ {
+ g_autoptr(GKeyFile) metakey = g_key_file_new ();
+- if (g_key_file_load_from_bytes (metakey, metadata, G_KEY_FILE_NONE, NULL))
+- {
+- op->resolved_metadata = g_bytes_ref (metadata);
+- op->resolved_metakey = g_steal_pointer (&metakey);
+- }
+- else
+- g_message ("Warning: Failed to parse metadata for %s\n", flatpak_decomposed_get_ref (op->ref));
++ if (!g_key_file_load_from_bytes (metakey, metadata, G_KEY_FILE_NONE, NULL))
++ return flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA,
++ "Metadata for %s is invalid", flatpak_decomposed_get_ref (op->ref));
++
++ op->resolved_metadata = g_bytes_ref (metadata);
++ op->resolved_metakey = g_steal_pointer (&metakey);
+ }
+ if (old_metadata)
+ {
+@@ -2997,31 +2997,40 @@ mark_op_resolved (FlatpakTransactionOperation *op,
+ op->resolved_old_metakey = g_steal_pointer (&metakey);
+ }
+ else
+- g_message ("Warning: Failed to parse old metadata for %s\n", 
flatpak_decomposed_get_ref (op->ref));
++ {
++ /* This shouldn't happen, but a NULL old metadata is safe (all permisssions are considered new) */
++ g_message ("Warning: Failed to parse old metadata for %s\n", flatpak_decomposed_get_ref (op->ref));
++ }
+ }
++
++ return TRU
+ }
+
+-static void
++static gboolean
+ resolve_op_end (FlatpakTransaction *self,
+ FlatpakTransactionOperation *op,
+ const char *checksum,
+ GFile *sideload_path,
+- GBytes *metadata_bytes)
++ GBytes *metadata_bytes,
++ GError **error)
+ {
+ g_autoptr(GBytes) old_metadata_bytes = NULL;
+
+ old_metadata_bytes = load_deployed_metadata (self, op->ref, NULL, NULL);
+- mark_op_resolved (op, checksum, sideload_path, metadata_bytes, old_metadata_bytes);
++ if (!mark_op_resolved (op, checksum, sideload_path, metadata_bytes, old_metadata_bytes, error))
++ return FALSE;
+ emit_eol_and_maybe_skip (self, op);
++ return TRUE;
+ }
+
+
+-static void
++static gboolean
+ resolve_op_from_commit (FlatpakTransaction *self,
+ FlatpakTransactionOperation *op,
+ const char *checksum,
+ GFile *sideload_path,
+- GVariant *commit_data)
++ GVariant *commit_data,
++ GError **error)
+ {
+ g_autoptr(GBytes) metadata_bytes = NULL;
+ g_autoptr(GVariant) commit_metadata = NULL;
+@@ -3032,9 +3041,11 @@ resolve_op_from_commit (FlatpakTransaction *self,
+ commit_metadata = g_variant_get_child_value (commit_data, 0);
+ g_variant_lookup (commit_metadata, "xa.metadata", "&s", &xa_metadata);
+ if (xa_metadata == NULL)
+- g_message ("Warning: No xa.metadata in local commit %s ref %s", checksum, flatpak_decomposed_get_ref (op->ref));
+- else
+- metadata_bytes = g_bytes_new (xa_metadata, strlen (xa_metadata));
++ return flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA,
++ "No xa.metadata in local commit %s ref %s",
++ checksum, flatpak_decomposed_get_ref (op->ref));
++
++ metadata_bytes = g_bytes_new (xa_metadata, strlen (xa_metadata));
+
+ if (g_variant_lookup (commit_metadata, "xa.download-size", "t", &download_size))
+ 
op->download_size = GUINT64_FROM_BE (download_size);
+@@ -3044,15 +3055,19 @@ resolve_op_from_commit (FlatpakTransaction *self,
+ g_variant_lookup (commit_metadata, OSTREE_COMMIT_META_KEY_ENDOFLIFE, "s", &op->eol);
+ g_variant_lookup (commit_metadata, OSTREE_COMMIT_META_KEY_ENDOFLIFE_REBASE, "s", &op->eol_rebase);
+
+- resolve_op_end (self, op, checksum, sideload_path, metadata_bytes);
++ return resolve_op_end (self, op, checksum, sideload_path, metadata_bytes, error);
+ }
+
++/* NOTE: In case of non-available summary this returns FALSE with a
++ * NULL error, but for other error cases it will be set.
++ */
+ static gboolean
+ try_resolve_op_from_metadata (FlatpakTransaction *self,
+ FlatpakTransactionOperation *op,
+ const char *checksum,
+ GFile *sideload_path,
+- FlatpakRemoteState *state)
++ FlatpakRemoteState *state,
++ GError **error)
+ {
+ g_autoptr(GBytes) metadata_bytes = NULL;
+ guint64 download_size = 0;
+@@ -3092,8 +3107,7 @@ try_resolve_op_from_metadata (FlatpakTransaction *self,
+ op->token_type = GINT32_FROM_LE (var_metadata_lookup_int32 (sparse_cache, FLATPAK_SPARSE_CACHE_KEY_TOKEN_TYPE, op->token_type));
+ }
+
+- resolve_op_end (self, op, checksum, sideload_path, metadata_bytes);
+- return TRUE;
++ return resolve_op_end (self, op, checksum, sideload_path, metadata_bytes, error);
+ }
+
+ static gboolean
+@@ -3136,7 +3150,8 @@ resolve_ops (FlatpakTransaction *self,
+ * checksum we got was the version already installed. 
+ */
+ g_assert (op->resolved_commit != NULL);
+- mark_op_resolved (op, op->resolved_commit, NULL, NULL, NULL);
++ if (!mark_op_resolved (op, op->resolved_commit, NULL, NULL, NULL, error))
++ return FALSE;
+ continue;
+ }
+
+@@ -3145,14 +3160,16 @@ resolve_ops (FlatpakTransaction *self,
+ /* We resolve to the deployed metadata, because we need it to uninstall related ops */
+
+ metadata_bytes = load_deployed_metadata (self, op->ref, &checksum, NULL);
+- mark_op_resolved (op, checksum, NULL, metadata_bytes, NULL);
++ if (!mark_op_resolved (op, checksum, NULL, metadata_bytes, NULL, error))
++ return FALSE;
+ continue;
+ }
+
+ if (op->kind == FLATPAK_TRANSACTION_OPERATION_INSTALL_BUNDLE)
+ {
+ g_assert (op->commit != NULL);
+- mark_op_resolved (op, op->commit, NULL, op->external_metadata, NULL);
++ if (!mark_op_resolved (op, op->commit, NULL, op->external_metadata, NULL, error))
++ return FALSE;
+ continue;
+ }
+
+@@ -3183,7 +3200,8 @@ resolve_ops (FlatpakTransaction *self,
+ if (commit_data == NULL)
+ return FALSE;
+
+- resolve_op_from_commit (self, op, checksum, NULL, commit_data);
++ if (!resolve_op_from_commit (self, op, checksum, NULL, commit_data, error))
++ return FALSE;
+ }
+ else
+ {
+@@ -3242,9 +3260,16 @@ resolve_ops (FlatpakTransaction *self,
+ }
+
+ /* First try to resolve via metadata (if remote is available and its metadata matches the commit version) */
+- if (!try_resolve_op_from_metadata (self, op, checksum, sideload_path, state))
++ if (!try_resolve_op_from_metadata (self, op, checksum, sideload_path, state, &local_error))
+ {
+- /* Else try to load the commit object.
++ if (local_error)
++ {
++ /* Actual error, not just missing from summary */
++ g_propagate_error (error, g_steal_pointer (&local_error));
++ return FALSE;
++ }
++
++ /* Missing from summary, try to load the commit object.
+ * Note, we don't have a token here, so this will not work for authenticated apps.
+ * We handle this by catching the 401 http status and retrying. 
*/
+ g_autoptr(GVariant) commit_data = NULL;
+@@ -3280,7 +3305,8 @@ resolve_ops (FlatpakTransaction *self,
+ return FALSE;
+ }
+
+- resolve_op_from_commit (self, op, checksum, sideload_path, commit_data);
++ if (!resolve_op_from_commit (self, op, checksum, sideload_path, commit_data, error))
++ return FALSE;
+ }
+ }
+ }
+-- 
+2.33.1
+
diff -Nru flatpak-1.10.2/debian/patches/CVE-2021-43860-3.patch flatpak-1.10.2/debian/patches/CVE-2021-43860-3.patch
--- flatpak-1.10.2/debian/patches/CVE-2021-43860-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.2/debian/patches/CVE-2021-43860-3.patch 2022-01-20 00:10:56.000000000 +0000
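Review bot: In mark_op_resolved the g_key_file_load_from_bytes failure now aborts the resolve, but its GError argument is still NULL, so the user only sees `Metadata for %s is invalid` with no hint of what was wrong with the keyfile. Capture it and append its message: `g_autoptr(GError) parse_error = NULL;`, `if (!g_key_file_load_from_bytes (metakey, metadata, G_KEY_FILE_NONE, &parse_error))`, `return flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA, "Metadata for %s is invalid: %s", flatpak_decomposed_get_ref (op->ref), parse_error->message);`. The early return also leaves whatever mark_op_resolved assigned to op between the two hunks (those lines are not shown) in a half-resolved state, which is harmless only if the transaction always fails afterwards, so a short comment to that effect would help. In resolve_ops the new `if (local_error)` branch relies on the FALSE-with-NULL-error convention that is documented on try_resolve_op_from_metadata; a comment at the call site, `/* NULL local_error means the summary had no entry, not a failure */`, keeps the contract visible where it is relied on, and the declaration of local_error is outside the hunk.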
@@ -0,0 +1,74 @@
+From bd6948c375d50860ce891ead16040faf21839fc7 Mon Sep 17 00:00:00 2001
+From: Alexander Larsson
+Date: Tue, 11 Jan 2022 10:27:46 +0100
+Subject: Require metadata in commit also for OCI remotes
+
+This was disables a long time ago because the fedora remotes didn't
+contain metadata, but that has been added since then. Requiring fixes
+a security concern where an app claims to require no permissions (by
+having no metadata in commit) but then actually requires permissions
+in the installed app.
+
+(cherry picked from commit f0f3a35f404b5bd533186095db055f8b3d135576)
+---
+ common/flatpak-dir.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 99d325ab..7356f2dd 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -1763,7 +1763,6 @@ validate_commit_metadata (GVariant *commit_data,
+ const char *ref,
+ const char *required_metadata,
+ gsize required_metadata_size,
+- gboolean require_xa_metadata,
+ GError **error)
+ {
+ g_autoptr(GVariant) commit_metadata = NULL;
+@@ -1782,9 +1781,9 @@ validate_commit_metadata (GVariant *commit_data,
+ xa_metadata = g_variant_get_string (xa_metadata_v, &xa_metadata_size);
+ }
+
+- if ((xa_metadata == NULL && require_xa_metadata) ||
+- (xa_metadata != NULL && (xa_metadata_size != required_metadata_size ||
+- memcmp (xa_metadata, required_metadata, xa_metadata_size) != 0)))
++ if (xa_metadata == NULL ||
++ xa_metadata_size != required_metadata_size ||
++ memcmp (xa_metadata, required_metadata, xa_metadata_size) != 0)
+ {
+ g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
+ _("Commit metadata for %s not matching expected metadata"), ref);
+@@ -5814,7 +5813,6 @@ flatpak_dir_pull (FlatpakDir *self,
+ ref,
+ (const char *)g_bytes_get_data (require_metadata, NULL),
+ g_bytes_get_size (require_metadata),
+- TRUE,
+ error))
+ goto out;
+ }
+@@ -8134,7 +8132,6 @@ flatpak_dir_deploy (FlatpakDir *self,
+ 
g_autoptr(GFile) metadata_file = NULL;
+ g_autofree char *metadata_contents = NULL;
+ gsize metadata_size = 0;
+- gboolean is_oci;
+
+ if (!flatpak_dir_ensure_repo (self, cancellable, error))
+ return FALSE;
+@@ -8359,12 +8356,9 @@ flatpak_dir_deploy (FlatpakDir *self,
+ /* Check the metadata in the commit to make sure it matches the actual
+ * deployed metadata, in case we relied on the one in the commit for
+ * a decision
+- * Note: For historical reason we don't enforce commits to contain xa.metadata
+- * since this was lacking in fedora builds.
+ */
+- is_oci = flatpak_dir_get_remote_oci (self, origin);
+ if (!validate_commit_metadata (commit_data, flatpak_decomposed_get_ref (ref),
+- metadata_contents, metadata_size, !is_oci, error))
++ metadata_contents, metadata_size, error))
+ return FALSE;
+
+ dotref = g_file_resolve_relative_path (checkoutdir, "files/.ref");
+-- 
+2.33.1
+
diff -Nru flatpak-1.10.2/debian/patches/CVE-2021-43860-4.patch flatpak-1.10.2/debian/patches/CVE-2021-43860-4.patch
--- flatpak-1.10.2/debian/patches/CVE-2021-43860-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.2/debian/patches/CVE-2021-43860-4.patch 2022-01-20 00:10:56.000000000 +0000
@@ -0,0 +1,34 @@
+From 574cb113720a32e60cb948495621d704fee440ad Mon Sep 17 00:00:00 2001
+From: Alexander Larsson
+Date: Wed, 12 Jan 2022 11:00:56 +0100
+Subject: Ensure that bundles have metadata on install
+
+If we have a bundle without metadata we wouldn't properly present
+the permissions in the transaction.
+
+(cherry picked from commit b250541302187ff2209b0bb1295e8223d0af860f)
+---
+ common/flatpak-dir.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 7356f2dd..605d06fc 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -9313,6 +9313,13 @@ flatpak_dir_ensure_bundle_remote (FlatpakDir *self,
+ if (metadata == NULL)
+ return NULL;
+
++ /* If we rely on metadata (to e.g. print permissions), check it exists before creating the remote */
++ if (out_metadata && fp_metadata == NULL)
++ {
++ flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA, "No metadata in bundler header");
++ return NULL;
++ }
++
+ gpg_data = extra_gpg_data ? extra_gpg_data : included_gpg_data;
+
+ deploy_data = flatpak_dir_get_deploy_data (self, ref, FLATPAK_DEPLOY_VERSION_ANY, cancellable, NULL);
+-- 
+2.33.1
+
diff -Nru flatpak-1.10.2/debian/patches/CVE-2021-43860-5.patch flatpak-1.10.2/debian/patches/CVE-2021-43860-5.patch
--- flatpak-1.10.2/debian/patches/CVE-2021-43860-5.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.2/debian/patches/CVE-2021-43860-5.patch 2022-01-20 00:10:56.000000000 +0000
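Review bot: With require_xa_metadata gone, validate_commit_metadata always reaches `memcmp (xa_metadata, required_metadata, xa_metadata_size)` once the sizes agree, including the 0/0 case; on the flatpak_dir_deploy path metadata_contents stays NULL when g_file_load_contents fails (that call appears to be treated as optional rather than as an error), and on the pull path g_bytes_get_data may return NULL for an empty GBytes, so memcmp can be handed a NULL pointer, which is undefined behaviour even with a zero length. If a missing metadata file is not meant to match an empty xa.metadata, reject it explicitly by adding `required_metadata == NULL ||` as the first term of the condition; otherwise guard the compare with `xa_metadata_size != 0 &&`. Either way the function deserves a header comment stating that both strings are compared by exact length so that an embedded NUL in the deployed file is a mismatch, since that is the property the whole series depends on.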
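Review bot: The new error string reads `No metadata in bundler header`; the object is the bundle, so it should be `No metadata in bundle header`, otherwise the typo ends up in user-visible output and in any test that greps for it. The guard is deliberately limited to callers that pass out_metadata, which the inline comment explains, but the converse (callers passing NULL get no metadata check) belongs on flatpak_dir_ensure_bundle_remote's doc comment so that a future caller that displays permissions knows to request the metadata; the function body continues outside the hunk.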
@@ -0,0 +1,208 @@ +From ce0bb56c6fc256ee0aee5407924243f0c0f14559 Mon Sep 17 00:00:00 2001 +From: Phaedrus Leeds +Date: Tue, 28 Dec 2021 11:48:16 -0800 +Subject: Add test for metadata validation + +This tests for invalid metadata, missing xa.metadata and mismatched +values in xa.metadata and the real metadata, including the embedded +null leading to the hidden permissions of CVE-2021-43860. + +(cherry picked from commit 2c2ce58c54b3e6c62f9c21c15efa0ba22f4bc09b) +--- + tests/Makefile-test-matrix.am.inc | 1 + + tests/Makefile.am.inc | 1 + + tests/test-metadata-validation.sh | 158 ++++++++++++++++++++++++++++++ + 3 files changed, 160 insertions(+) + create mode 100755 tests/test-metadata-validation.sh + +diff --git a/tests/Makefile-test-matrix.am.inc b/tests/Makefile-test-matrix.am.inc +index 30b402d4..eef5a7e7 100644 +--- a/tests/Makefile-test-matrix.am.inc ++++ b/tests/Makefile-test-matrix.am.inc +@@ -36,6 +36,7 @@ TEST_MATRIX_DIST= \ + tests/test-build-update-repo.sh \ + tests/test-http-utils.sh \ + tests/test-default-remotes.sh \ ++ tests/test-metadata-validation.sh \ + tests/test-extensions.sh \ + tests/test-oci.sh \ + tests/test-override.sh \ +diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc +index 2458445c..53d6403e 100644 +--- a/tests/Makefile.am.inc ++++ b/tests/Makefile.am.inc +@@ -216,6 +216,7 @@ TEST_MATRIX_SOURCE = \ + tests/test-repo.sh{{user+system+system-norevokefs}+{{user+system},oldsummary}} \ + tests/test-sideload.sh{user+system} \ + tests/test-default-remotes.sh \ ++ tests/test-metadata-validation.sh \ + tests/test-extensions.sh \ + tests/test-bundle.sh{user+system+system-norevokefs} \ + tests/test-oci.sh \ +diff --git a/tests/test-metadata-validation.sh b/tests/test-metadata-validation.sh +new file mode 100755 +index 00000000..7e3efccb +--- /dev/null ++++ b/tests/test-metadata-validation.sh +@@ -0,0 +1,158 @@ ++#!/bin/bash ++# ++# Copyright (C) 2021 Matthew Leeds ++# ++# SPDX-License-Identifier: LGPL-2.0-or-later ++ ++set -euo pipefail ++ 
++. $(dirname $0)/libtest.sh ++ ++echo "1..7" ++ ++setup_repo ++ ++COUNTER=1 ++ ++create_app () { ++ local OPTIONS="$1" ++ local DIR=`mktemp -d` ++ ++ mkdir ${DIR}/files ++ echo $COUNTER > ${DIR}/files/counter ++ let COUNTER=COUNTER+1 ++ ++ local INVALID="" ++ if [[ $OPTIONS =~ "invalid" ]]; then ++ INVALID=invalidkeyfileline ++ fi ++ cat > ${DIR}/metadata <> ${DIR}/metadata ++ fi ++ if [[ $OPTIONS =~ "hidden" ]]; then ++ echo -ne "\0" >> ${DIR}/metadata ++ echo -e "\nfilesystems=home;" >> ${DIR}/metadata ++ fi ++ local XA_METADATA=--add-metadata-string=xa.metadata="$(head -n6 ${DIR}/metadata)"$'\n' ++ if [[ $OPTIONS =~ "no-xametadata" ]]; then ++ XA_METADATA="--add-metadata-string=xa.nometadata=1" ++ fi ++ ostree commit --repo=repos/test --branch=app/org.test.Malicious/${ARCH}/master ${FL_GPGARGS} "$XA_METADATA" ${DIR}/ ++ if [[ $OPTIONS =~ "no-cache-in-summary" ]]; then ++ ostree --repo=repos/test ${FL_GPGARGS} summary -u ++ # force use of legacy summary format ++ rm -rf repos/test/summary.idx repos/test/summaries ++ else ++ update_repo ++ fi ++ rm -rf ${DIR} ++} ++ ++cleanup_repo () { ++ ostree refs --repo=repos/test --delete app/org.test.Malicious/${ARCH}/master ++ update_repo ++} ++ ++create_app "hidden" ++ ++if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then ++ assert_not_reached "Should not be able to install app with hidden permissions" ++fi ++ ++assert_file_has_content install-error-log "not matching expected metadata" ++ ++assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active ++ ++cleanup_repo ++ ++ok "app with hidden permissions can't be installed (CVE-2021-43860)" ++ ++create_app no-xametadata ++ ++# The install will fail because the metadata in the summary doesn't match the metadata on the commit ++# The missing xa.metadata in the commit got turned into "" in the xa.cache ++if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then ++ assert_not_reached "Should not be able to 
install app with missing xa.metadata" ++fi ++ ++assert_file_has_content install-error-log "not matching expected metadata" ++ ++assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active ++ ++cleanup_repo ++ ++ok "app with no xa.metadata can't be installed" ++ ++create_app "no-xametadata no-cache-in-summary" ++ ++# The install will fail because there's no metadata in the summary or on the commit ++if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then ++ assert_not_reached "Should not be able to install app with missing metadata" ++fi ++assert_file_has_content install-error-log "No xa.metadata in local commit" ++ ++assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active ++ ++cleanup_repo ++ ++ok "app with no xa.metadata and no metadata in summary can't be installed" ++ ++create_app "invalid" ++ ++if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then ++ assert_not_reached "Should not be able to install app with invalid metadata" ++fi ++assert_file_has_content install-error-log "Metadata for .* is invalid" ++ ++assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active ++ ++cleanup_repo ++ ++ok "app with invalid metadata (in summary) can't be installed" ++ ++create_app "invalid no-cache-in-summary" ++ ++if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then ++ assert_not_reached "Should not be able to install app with invalid metadata" ++fi ++assert_file_has_content install-error-log "Metadata for .* is invalid" ++ ++assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active ++ ++cleanup_repo ++ ++ok "app with invalid metadata (in commit) can't be installed" ++ ++create_app "mismatch no-cache-in-summary" ++ ++if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then ++ assert_not_reached "Should not be able to install app with non-matching metadata" ++fi ++assert_file_has_content install-error-log "Commit metadata for .* not 
matching expected metadata" ++ ++assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active ++ ++cleanup_repo ++ ++ok "app with mismatched metadata (in commit) can't be installed" ++ ++create_app "mismatch" ++ ++if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then ++ assert_not_reached "Should not be able to install app with non-matching metadata" ++fi ++assert_file_has_content install-error-log "Commit metadata for .* not matching expected metadata" ++ ++assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active ++ ++cleanup_repo ++ ++ok "app with mismatched metadata (in summary) can't be installed" +-- +2.33.1 + diff -Nru flatpak-1.10.2/debian/patches/CVE-2022-21682-1.patch flatpak-1.10.2/debian/patches/CVE-2022-21682-1.patch --- flatpak-1.10.2/debian/patches/CVE-2022-21682-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ flatpak-1.10.2/debian/patches/CVE-2022-21682-1.patch 2022-01-20 00:10:56.000000000 +0000 
@@ -0,0 +1,80 @@ +From 74f02d1e9569bde9523b9add9e7d3fb5fbfa1e63 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Sun, 16 Jan 2022 14:15:58 +0000 +Subject: test-override: Assert that only the expected term is negated + +We weren't distinguishing here between overrides that should have been +negated (xdg-documents) and overrides that should not have been negated +(everything else). + +Signed-off-by: Simon McVittie +(cherry picked from commit 4e3d1d8b7bbd4c0611b6bb44f67c6ad1734d6b7d) +--- + tests/libtest.sh | 24 ++++++++++++++++++++++++ + tests/test-override.sh | 18 +++++++++++++----- + 2 files changed, 37 insertions(+), 5 deletions(-) + +diff --git a/tests/libtest.sh b/tests/libtest.sh +index 1daac333..c6d9ab56 100644 +--- a/tests/libtest.sh ++++ b/tests/libtest.sh +@@ -597,3 +597,27 @@ trap cleanup EXIT + if test -n "${FLATPAK_TESTS_DEBUG:-}"; then + set -x + fi ++ ++assert_semicolon_list_contains () { ++ list="$1" ++ member="$2" ++ ++ case ";$list;" in ++ (*";$member;"*) ++ ;; ++ (*) ++ assert_not_reached "\"$list\" should contain \"$member\"" ++ ;; ++ esac ++} ++ ++assert_not_semicolon_list_contains () { ++ local list="$1" ++ local member="$2" ++ ++ case ";$list;" in ++ (*";$member;"*) ++ assert_not_reached "\"$list\" should not contain \"$member\"" ++ ;; ++ esac ++} +diff --git a/tests/test-override.sh b/tests/test-override.sh +index b8af5521..c7b283ae 100755 +--- a/tests/test-override.sh ++++ b/tests/test-override.sh +@@ -173,11 +173,19 @@ ${FLATPAK} override --user --nofilesystem=xdg-documents org.test.Hello + ${FLATPAK} override --user --show org.test.Hello > override + + assert_file_has_content override "^\[Context\]$" +-assert_file_has_content override "^filesystems=.*/media;.*$" +-assert_file_has_content override "^filesystems=.*home;.*$" +-assert_file_has_content override "^filesystems=.*xdg-documents;.*$" +-assert_file_has_content override "^filesystems=.*xdg-desktop/foo:create;.*$" +-assert_file_has_content override 
"^filesystems=.*xdg-config:ro;.*$" ++filesystems="$(sed -ne 's/^filesystems=//p' override)" ++assert_semicolon_list_contains "$filesystems" "/media" ++assert_not_semicolon_list_contains "$filesystems" "!/media" ++assert_semicolon_list_contains "$filesystems" "home" ++assert_not_semicolon_list_contains "$filesystems" "!home" ++assert_not_semicolon_list_contains "$filesystems" "xdg-documents" ++assert_semicolon_list_contains "$filesystems" "!xdg-documents" ++assert_semicolon_list_contains "$filesystems" "xdg-desktop/foo:create" ++assert_not_semicolon_list_contains "$filesystems" "!xdg-desktop/foo" ++assert_not_semicolon_list_contains "$filesystems" "!xdg-desktop/foo:create" ++assert_semicolon_list_contains "$filesystems" "xdg-config:ro" ++assert_not_semicolon_list_contains "$filesystems" "!xdg-config" ++assert_not_semicolon_list_contains "$filesystems" "!xdg-config:ro" + + ok "override --filesystem" + +-- +2.33.1 + diff -Nru flatpak-1.10.2/debian/patches/CVE-2022-21682-2.patch flatpak-1.10.2/debian/patches/CVE-2022-21682-2.patch --- flatpak-1.10.2/debian/patches/CVE-2022-21682-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ flatpak-1.10.2/debian/patches/CVE-2022-21682-2.patch 2022-01-20 00:10:56.000000000 +0000 
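Review bot: `assert_semicolon_list_contains` in the libtest.sh hunk assigns `list` and `member` without `local`, while its sibling `assert_not_semicolon_list_contains` directly below declares both `local`, so the first helper clobbers any `$list`/`$member` a calling test script happens to use. Make the two helpers consistent by changing the assignments to `local list="$1"` and `local member="$2"`. It is also worth noting in a comment that `$member` is expanded as a glob inside the `case` pattern, so a member containing `*`, `?` or `[` would not be matched literally; the callers visible in this hunk only pass literal tokens, so this is a caveat rather than a bug: `# NOTE: $member is matched as a shell glob pattern; pass literal tokens only`.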
@@ -0,0 +1,40 @@ +From 97dd26c02eb759236fb5b069f9764604fc550a37 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Sun, 16 Jan 2022 17:32:11 +0000 +Subject: test-override: Assert that unimplemented suffix is ignored with a + warning + +Signed-off-by: Simon McVittie +(cherry picked from commit 8a44df04c88491c9e694d4a31f968b81805c2c44) +--- + tests/test-override.sh | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/tests/test-override.sh b/tests/test-override.sh +index c7b283ae..dcec1baf 100755 +--- a/tests/test-override.sh ++++ b/tests/test-override.sh +@@ -187,6 +187,20 @@ assert_semicolon_list_contains "$filesystems" "xdg-config:ro" + assert_not_semicolon_list_contains "$filesystems" "!xdg-config" + assert_not_semicolon_list_contains "$filesystems" "!xdg-config:ro" + ++# --filesystem=...:bar => warning ++# Warnings need to be made temporarily non-fatal here. ++e=0 ++G_DEBUG= ${FLATPAK} override --user --filesystem=/foo:bar org.test.Hello 2>log || e=$? ++assert_file_has_content log "Unexpected filesystem suffix bar, ignoring" ++assert_streq "$e" 0 ++ ++# --nofilesystem=...:bar => warning ++# Warnings need to be made temporarily non-fatal here. ++e=0 ++G_DEBUG= ${FLATPAK} override --user --nofilesystem=/foo:bar org.test.Hello 2>log || e=$? ++assert_file_has_content log "Unexpected filesystem suffix bar, ignoring" ++assert_streq "$e" 0 ++ + ok "override --filesystem" + + reset_overrides +-- +2.33.1 + diff -Nru flatpak-1.10.2/debian/patches/CVE-2022-21682-3.patch flatpak-1.10.2/debian/patches/CVE-2022-21682-3.patch --- flatpak-1.10.2/debian/patches/CVE-2022-21682-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ flatpak-1.10.2/debian/patches/CVE-2022-21682-3.patch 2022-01-20 00:10:56.000000000 +0000 
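Review bot: The two new cases only check that the warning was printed and that the exit status is 0; they do not check that the option was actually applied with the unknown suffix dropped, so a regression that discarded the whole `--filesystem=/foo:bar` (rather than just the `bar` suffix) would still pass. After each case, re-read the override and assert on the resulting list, e.g. `${FLATPAK} override --user --show org.test.Hello > override`, `filesystems="$(sed -ne 's/^filesystems=//p' override)"`, then `assert_semicolon_list_contains "$filesystems" "/foo"` after the first case and `assert_semicolon_list_contains "$filesystems" "!/foo"` after the second, using the helpers this file already calls a few lines above. The exact serialised form of the entries is inferred from the existing assertions in this file, so confirm it against `--show` output before pinning it.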
@@ -0,0 +1,107 @@ +From fe3954ff63f0cafc70fd79c8aeac24d4a7ba85e6 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Sun, 16 Jan 2022 12:38:25 +0000 +Subject: run, override: Clarify the effect of --nofilesystem + +There are two reasonable interpretations for --nofilesystem=home: +either it revokes a previous --filesystem=home (as in Flatpak 1.12.2 and +older versions), or it completely forbids access to the home directory +(as in Flatpak 1.12.3). Clarify the man pages to indicate that it only +revokes a previous --filesystem=home. This will hopefully reduce +mismatches between the design and what users expect to happen, as +in flatpak#4654. + +A subsequent commit will introduce a way to get the Flatpak 1.12.3 +behaviour in a way that is more backwards-compatible with Flatpak 1.12.2 +and older versions. + +Signed-off-by: Simon McVittie +(cherry picked from commit 7bbeed2b87b84d6d94006e25418b7f89a7784fdb) +--- + doc/flatpak-override.xml | 28 +++++++++++++++++++++++----- + doc/flatpak-run.xml | 26 +++++++++++++++++++++----- + 2 files changed, 44 insertions(+), 10 deletions(-) + +diff --git a/doc/flatpak-override.xml b/doc/flatpak-override.xml +index 306026cb..acf9a1fe 100644 +--- a/doc/flatpak-override.xml ++++ b/doc/flatpak-override.xml +@@ -219,13 +219,31 @@ + + + +- Remove access to the specified subset of the filesystem from +- the application. This overrides to the Context section from the ++ Undo the effect of a previous ++ FILESYSTEM ++ in the app's manifest or a lower-precedence layer of ++ overrides, and/or remove a previous ++ FILESYSTEM ++ from this layer of overrides. ++ This overrides the Context section of the + application metadata. +- FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download, +- xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, +- an absolute path, or a homedir-relative path like ~/dir. 
++ FILESYSTEM can take the same ++ values as for , but the ++ :ro and ++ :create suffixes are not ++ used here. + This option can be used multiple times. ++ ++ This option does not prevent access to a more ++ narrowly-scoped . ++ For example, if an application has the equivalent of ++ in ++ its manifest or as a system-wide override, and ++ flatpak override --user --nofilesystem=home ++ as a per-user override, then it will be prevented from ++ accessing most of the home directory, but it will still ++ be allowed to access ++ $XDG_CONFIG_HOME/MyApp. + + + +diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml +index 28e7f599..3f917b60 100644 +--- a/doc/flatpak-run.xml ++++ b/doc/flatpak-run.xml +@@ -366,13 +366,29 @@ + + + +- Remove access to the specified subset of the filesystem from +- the application. This overrides to the Context section from the ++ Undo the effect of a previous ++ FILESYSTEM ++ in the app's manifest and/or the overrides set up with ++ flatpak-override1. ++ This overrides the Context section of the + application metadata. +- FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download, +- xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, +- an absolute path, or a homedir-relative path like ~/dir. ++ FILESYSTEM can take the same ++ values as for , but the ++ :ro and ++ :create suffixes are not ++ used here. + This option can be used multiple times. ++ ++ This option does not prevent access to a more ++ narrowly-scoped . ++ For example, if an application has the equivalent of ++ in ++ its manifest or as a system-wide override, and ++ flatpak override --user --nofilesystem=home ++ as a per-user override, then it will be prevented from ++ accessing most of the home directory, but it will still ++ be allowed to access ++ $XDG_CONFIG_HOME/MyApp. 
+ + + +-- +2.33.1 + diff -Nru flatpak-1.10.2/debian/patches/CVE-2022-21682-4.patch flatpak-1.10.2/debian/patches/CVE-2022-21682-4.patch --- flatpak-1.10.2/debian/patches/CVE-2022-21682-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ flatpak-1.10.2/debian/patches/CVE-2022-21682-4.patch 2022-01-20 00:10:56.000000000 +0000 
@@ -0,0 +1,111 @@ +From 734047a1d74218ff0ed4e4667628a0ea241985ac Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Sun, 16 Jan 2022 17:13:18 +0000 +Subject: test-override: Assert pre-1.12.3 behaviour of --nofilesystem=home, + host + +Signed-off-by: Simon McVittie +(cherry picked from commit 813e1f0b3bef788553b9d37d1ec89c1124491a65) +--- + tests/test-override.sh | 81 +++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 80 insertions(+), 1 deletion(-) + +diff --git a/tests/test-override.sh b/tests/test-override.sh +index dcec1baf..c22f9b0e 100755 +--- a/tests/test-override.sh ++++ b/tests/test-override.sh +@@ -17,7 +17,7 @@ reset_overrides () { + assert_file_empty info + } + +-echo "1..15" ++echo "1..17" + + setup_repo + install_repo +@@ -309,3 +309,82 @@ if ! skip_one_without_bwrap "persist"; then + + ok "persist" + fi ++ ++reset_overrides ++ ++if ! skip_one_without_bwrap "runtime override --nofilesystem=home"; then ++ mkdir -p "$HOME/dir" ++ mkdir -p "$TEST_DATA_DIR/dir1" ++ mkdir -p "$TEST_DATA_DIR/dir2" ++ echo "hello" > "$HOME/example" ++ echo "hello" > "$HOME/dir/example" ++ echo "hello" > "$TEST_DATA_DIR/dir1/example" ++ echo "hello" > "$TEST_DATA_DIR/dir2/example" ++ ++ ${FLATPAK} override --user --filesystem=home org.test.Hello ++ ${FLATPAK} override --user --filesystem='~/dir' org.test.Hello ++ ${FLATPAK} override --user --filesystem="$TEST_DATA_DIR/dir1" org.test.Hello ++ ++ ${FLATPAK} run --env=TEST_DATA_DIR="$TEST_DATA_DIR" \ ++ --command=sh --nofilesystem=home org.test.Hello -c ' ++ echo overwritten > "$HOME/dir/example" || true ++ echo overwritten > "$HOME/example" || true ++ echo overwritten > "$TEST_DATA_DIR/dir1/example" || true ++ echo overwritten > "$TEST_DATA_DIR/dir2/example" || true ++ ' ++ # --nofilesystem=home does not cancel a more narrowly-scoped permission ++ # such as --filesystem=~/dir ++ assert_file_has_content "$HOME/dir/example" overwritten ++ # --nofilesystem=home cancels the --filesystem=home at a lower precedence, ++ # 
so $HOME/example was not shared ++ assert_file_has_content "$HOME/example" hello ++ # --nofilesystem=home does not affect access to files outside $HOME ++ assert_file_has_content "$TEST_DATA_DIR/dir1/example" overwritten ++ assert_file_has_content "$TEST_DATA_DIR/dir2/example" hello ++ ++ rm -fr "$HOME/dir" ++ rm -fr "$HOME/example" ++ rm -fr "$TEST_DATA_DIR/dir1" ++ rm -fr "$TEST_DATA_DIR/dir2" ++ ++ ok "runtime override --nofilesystem=home" ++fi ++ ++reset_overrides ++ ++if ! skip_one_without_bwrap "runtime override --nofilesystem=host"; then ++ mkdir -p "$HOME/dir" ++ mkdir -p "$TEST_DATA_DIR/dir1" ++ mkdir -p "$TEST_DATA_DIR/dir2" ++ echo "hello" > "$HOME/example" ++ echo "hello" > "$HOME/dir/example" ++ echo "hello" > "$TEST_DATA_DIR/dir1/example" ++ echo "hello" > "$TEST_DATA_DIR/dir2/example" ++ ++ ${FLATPAK} override --user --filesystem=host org.test.Hello ++ ${FLATPAK} override --user --filesystem='~/dir' org.test.Hello ++ ${FLATPAK} override --user --filesystem="$TEST_DATA_DIR/dir1" org.test.Hello ++ ++ ${FLATPAK} run --env=TEST_DATA_DIR="$TEST_DATA_DIR" \ ++ --command=sh --nofilesystem=host org.test.Hello -c ' ++ echo overwritten > "$HOME/dir/example" || true ++ echo overwritten > "$HOME/example" || true ++ echo overwritten > "$TEST_DATA_DIR/dir1/example" || true ++ echo overwritten > "$TEST_DATA_DIR/dir2/example" || true ++ ' ++ # --nofilesystem=host does not cancel a more narrowly-scoped permission ++ # such as --filesystem=~/dir ++ assert_file_has_content "$HOME/dir/example" overwritten ++ assert_file_has_content "$TEST_DATA_DIR/dir1/example" overwritten ++ # --nofilesystem=host cancels the --filesystem=host at a lower precedence, ++ # so $HOME/example was not shared ++ assert_file_has_content "$HOME/example" hello ++ assert_file_has_content "$TEST_DATA_DIR/dir2/example" hello ++ ++ rm -fr "$HOME/dir" ++ rm -fr "$HOME/example" ++ rm -fr "$TEST_DATA_DIR/dir1" ++ rm -fr "$TEST_DATA_DIR/dir2" ++ ++ ok "runtime override --nofilesystem=host" ++fi +-- 
+2.33.1 + diff -Nru flatpak-1.10.2/debian/patches/CVE-2022-21682-5.patch flatpak-1.10.2/debian/patches/CVE-2022-21682-5.patch --- flatpak-1.10.2/debian/patches/CVE-2022-21682-5.patch 1970-01-01 00:00:00.000000000 +0000 +++ flatpak-1.10.2/debian/patches/CVE-2022-21682-5.patch 2022-01-20 00:10:56.000000000 +0000 @@ -0,0 +1,35 @@ +From b543933ce14ccb787de6964f52ed32fbbfce9f2d Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Sun, 16 Jan 2022 17:33:22 +0000 +Subject: test-override: Assert that --nofilesystem with suffix yields a + warning + +This was added as part of implementing the :reset suffix. + +Signed-off-by: Simon McVittie +(cherry picked from commit ab0169ee39fe72eb0cd6544e10e094cfe8cd0466) +--- + tests/test-override.sh | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/tests/test-override.sh b/tests/test-override.sh +index c22f9b0e..735f811e 100755 +--- a/tests/test-override.sh ++++ b/tests/test-override.sh +@@ -187,6 +187,13 @@ assert_semicolon_list_contains "$filesystems" "xdg-config:ro" + assert_not_semicolon_list_contains "$filesystems" "!xdg-config" + assert_not_semicolon_list_contains "$filesystems" "!xdg-config:ro" + ++# --nofilesystem=...:rw => warning ++# Warnings need to be made temporarily non-fatal here. ++e=0 ++G_DEBUG= ${FLATPAK} override --user --nofilesystem=/foo:rw org.test.Hello 2>log || e=$? ++assert_file_has_content log "Filesystem suffix \"rw\" is not applicable for --nofilesystem" ++assert_streq "$e" 0 ++ + # --filesystem=...:bar => warning + # Warnings need to be made temporarily non-fatal here. + e=0 +-- +2.33.1 + diff -Nru flatpak-1.10.2/debian/patches/CVE-2022-21682-6.patch flatpak-1.10.2/debian/patches/CVE-2022-21682-6.patch --- flatpak-1.10.2/debian/patches/CVE-2022-21682-6.patch 1970-01-01 00:00:00.000000000 +0000 +++ flatpak-1.10.2/debian/patches/CVE-2022-21682-6.patch 2022-01-20 00:10:56.000000000 +0000 
@@ -0,0 +1,405 @@ +From 92b8cfe46b3adc43c24404decff0d0c393513731 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Sun, 16 Jan 2022 12:42:30 +0000 +Subject: context: Introduce new --nofilesystem=host:reset + +This reintroduces the special case that existed in Flatpak 1.12.3, but +under a different name, so that it will be backwards-compatible. With +this change, flatpak-builder will be able to resolve CVE-2022-21682 by +using --filesystem=host:reset. + +We want to implement this as a suffix rather than as a new keyword, +because unknown suffixes are ignored with a warning, rather than causing +a fatal error. This means that the new version of flatpak-builder will +be able to run against older versions of flatpak: it will still be +vulnerable to CVE-2022-21682 in that situation, but at least it will run. + +Co-authored-by: Alexander Larsson +(cherry picked from commit 5709f1aaed6579f0136976e14e7f3cae399134ca) +--- + common/flatpak-context-private.h | 1 + + common/flatpak-context.c | 166 ++++++++++++++++++++++++++++--- + doc/flatpak-override.xml | 8 ++ + doc/flatpak-run.xml | 8 ++ + tests/test-exports.c | 8 +- + 5 files changed, 173 insertions(+), 18 deletions(-) + +diff --git a/common/flatpak-context-private.h b/common/flatpak-context-private.h +index 45879ac0..b6b9e56a 100644 +--- a/common/flatpak-context-private.h ++++ b/common/flatpak-context-private.h +@@ -83,6 +83,7 @@ extern const char *flatpak_context_features[]; + extern const char *flatpak_context_shares[]; + + gboolean flatpak_context_parse_filesystem (const char *filesystem_and_mode, ++ gboolean negated, + char **filesystem_out, + FlatpakFilesystemMode *mode_out, + GError **error); +diff --git a/common/flatpak-context.c b/common/flatpak-context.c +index abeda358..9c506499 100644 +--- a/common/flatpak-context.c ++++ b/common/flatpak-context.c +@@ -86,6 +86,7 @@ const char *flatpak_context_special_filesystems[] = { + "host", + "host-etc", + "host-os", ++ "host-reset", + NULL + }; + +@@ -703,6 +704,12 @@ 
unparse_filesystem_flags (const char *path, + + case FLATPAK_FILESYSTEM_MODE_NONE: + g_string_insert_c (s, 0, '!'); ++ ++ if (g_str_has_suffix (s->str, "-reset")) ++ { ++ g_string_truncate (s, s->len - 6); ++ g_string_append (s, ":reset"); ++ } + break; + + default: +@@ -715,11 +722,14 @@ unparse_filesystem_flags (const char *path, + + static char * + parse_filesystem_flags (const char *filesystem, +- FlatpakFilesystemMode *mode_out) ++ gboolean negated, ++ FlatpakFilesystemMode *mode_out, ++ GError **error) + { + g_autoptr(GString) s = g_string_new (""); + const char *p, *suffix; + FlatpakFilesystemMode mode; ++ gboolean reset = FALSE; + + p = filesystem; + while (*p != 0 && *p != ':') +@@ -734,7 +744,31 @@ parse_filesystem_flags (const char *filesystem, + g_string_append_c (s, *p++); + } + +- mode = FLATPAK_FILESYSTEM_MODE_READ_WRITE; ++ if (negated) ++ mode = FLATPAK_FILESYSTEM_MODE_NONE; ++ else ++ mode = FLATPAK_FILESYSTEM_MODE_READ_WRITE; ++ ++ if (g_str_equal (s->str, "host-reset")) ++ { ++ reset = TRUE; ++ ++ if (!negated) ++ { ++ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED, ++ "Filesystem token \"%s\" is only applicable for --nofilesystem", ++ s->str); ++ return NULL; ++ } ++ ++ if (*p != '\0') ++ { ++ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED, ++ "Filesystem token \"%s\" cannot be used with a suffix", ++ s->str); ++ return NULL; ++ } ++ } + + if (*p == ':') + { +@@ -746,10 +780,63 @@ parse_filesystem_flags (const char *filesystem, + mode = FLATPAK_FILESYSTEM_MODE_READ_WRITE; + else if (strcmp (suffix, "create") == 0) + mode = FLATPAK_FILESYSTEM_MODE_CREATE; ++ else if (strcmp (suffix, "reset") == 0) ++ reset = TRUE; + else if (*suffix != 0) + g_warning ("Unexpected filesystem suffix %s, ignoring", suffix); ++ ++ if (negated && mode != FLATPAK_FILESYSTEM_MODE_NONE) ++ { ++ g_warning ("Filesystem suffix \"%s\" is not applicable for --nofilesystem", ++ suffix); ++ mode = FLATPAK_FILESYSTEM_MODE_NONE; ++ } ++ ++ if (reset) ++ { 
++ if (!negated) ++ { ++ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED, ++ "Filesystem suffix \"%s\" only applies to --nofilesystem", ++ suffix); ++ return NULL; ++ } ++ ++ if (!g_str_equal (s->str, "host")) ++ { ++ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED, ++ "Filesystem suffix \"%s\" can only be applied to " ++ "--nofilesystem=host", ++ suffix); ++ return NULL; ++ } ++ ++ /* We internally handle host:reset (etc) as host-reset, only exposing it as a flag in the public ++ part to allow it to be ignored (with a warning) for old flatpak versions */ ++ g_string_append (s, "-reset"); ++ } + } + ++ /* Postcondition check: the code above should make some results ++ * impossible */ ++ if (negated) ++ { ++ g_assert (mode == FLATPAK_FILESYSTEM_MODE_NONE); ++ } ++ else ++ { ++ g_assert (mode > FLATPAK_FILESYSTEM_MODE_NONE); ++ /* This flag is only applicable to --nofilesystem */ ++ g_assert (!reset); ++ } ++ ++ /* Postcondition check: filesystem token is host-reset iff reset flag ++ * was found */ ++ if (reset) ++ g_assert (g_str_equal (s->str, "host-reset")); ++ else ++ g_assert (!g_str_equal (s->str, "host-reset")); ++ + if (mode_out) + *mode_out = mode; + +@@ -758,13 +845,18 @@ parse_filesystem_flags (const char *filesystem, + + gboolean + flatpak_context_parse_filesystem (const char *filesystem_and_mode, ++ gboolean negated, + char **filesystem_out, + FlatpakFilesystemMode *mode_out, + GError **error) + { +- g_autofree char *filesystem = parse_filesystem_flags (filesystem_and_mode, mode_out); ++ g_autofree char *filesystem = NULL; + char *slash; + ++ filesystem = parse_filesystem_flags (filesystem_and_mode, negated, mode_out, error); ++ if (filesystem == NULL) ++ return FALSE; ++ + slash = strchr (filesystem, '/'); + + /* Forbid /../ in paths */ +@@ -856,6 +948,14 @@ flatpak_context_take_filesystem (FlatpakContext *context, + char *fs, + FlatpakFilesystemMode mode) + { ++ /* Special case: --nofilesystem=host-reset implies --nofilesystem=host. 
++ * --filesystem=host-reset (or host:reset) is not allowed. */ ++ if (g_str_equal (fs, "host-reset")) ++ { ++ g_return_if_fail (mode == FLATPAK_FILESYSTEM_MODE_NONE); ++ g_hash_table_insert (context->filesystems, g_strdup ("host"), GINT_TO_POINTER (mode)); ++ } ++ + g_hash_table_insert (context->filesystems, fs, GINT_TO_POINTER (mode)); + } + +@@ -887,6 +987,14 @@ flatpak_context_merge (FlatpakContext *context, + while (g_hash_table_iter_next (&iter, &key, &value)) + g_hash_table_insert (context->persistent, g_strdup (key), value); + ++ /* We first handle host:reset, as it overrides all other keys from the parent */ ++ if (g_hash_table_lookup_extended (other->filesystems, "host-reset", NULL, &value)) ++ { ++ g_warn_if_fail (GPOINTER_TO_INT (value) == FLATPAK_FILESYSTEM_MODE_NONE); ++ g_hash_table_remove_all (context->filesystems); ++ } ++ ++ /* Then set the new ones, which includes propagating host:reset. */ + g_hash_table_iter_init (&iter, other->filesystems); + while (g_hash_table_iter_next (&iter, &key, &value)) + g_hash_table_insert (context->filesystems, g_strdup (key), value); +@@ -1074,7 +1182,7 @@ option_filesystem_cb (const gchar *option_name, + g_autofree char *fs = NULL; + FlatpakFilesystemMode mode; + +- if (!flatpak_context_parse_filesystem (value, &fs, &mode, error)) ++ if (!flatpak_context_parse_filesystem (value, FALSE, &fs, &mode, error)) + return FALSE; + + flatpak_context_take_filesystem (context, g_steal_pointer (&fs), mode); +@@ -1091,7 +1199,7 @@ option_nofilesystem_cb (const gchar *option_name, + g_autofree char *fs = NULL; + FlatpakFilesystemMode mode; + +- if (!flatpak_context_parse_filesystem (value, &fs, &mode, error)) ++ if (!flatpak_context_parse_filesystem (value, TRUE, &fs, &mode, error)) + return FALSE; + + flatpak_context_take_filesystem (context, g_steal_pointer (&fs), +@@ -1571,15 +1679,13 @@ flatpak_context_load_metadata (FlatpakContext *context, + g_autofree char *filesystem = NULL; + FlatpakFilesystemMode mode; + +- if 
(!flatpak_context_parse_filesystem (fs, &filesystem, &mode, NULL)) ++ if (!flatpak_context_parse_filesystem (fs, remove, ++ &filesystem, &mode, NULL)) + g_debug ("Unknown filesystem type %s", filesystems[i]); + else + { +- if (remove) +- flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem), +- FLATPAK_FILESYSTEM_MODE_NONE); +- else +- flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem), mode); ++ g_assert (mode == FLATPAK_FILESYSTEM_MODE_NONE || !remove); ++ flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem), mode); + } + } + } +@@ -1825,11 +1931,24 @@ flatpak_context_save_metadata (FlatpakContext *context, + { + g_autoptr(GPtrArray) array = g_ptr_array_new_with_free_func (g_free); + ++ /* Serialize host-reset first, because order can matter in ++ * corner cases. */ ++ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", ++ NULL, &value)) ++ { ++ g_warn_if_fail (GPOINTER_TO_INT (value) == FLATPAK_FILESYSTEM_MODE_NONE); ++ g_ptr_array_add (array, g_strdup ("!host:reset")); ++ } ++ + g_hash_table_iter_init (&iter, context->filesystems); + while (g_hash_table_iter_next (&iter, &key, &value)) + { + FlatpakFilesystemMode mode = GPOINTER_TO_INT (value); + ++ /* We already did this */ ++ if (g_str_equal (key, "host-reset")) ++ continue; ++ + g_ptr_array_add (array, unparse_filesystem_flags (key, mode)); + } + +@@ -1968,7 +2087,8 @@ flatpak_context_save_metadata (FlatpakContext *context, + void + flatpak_context_allow_host_fs (FlatpakContext *context) + { +- flatpak_context_take_filesystem (context, g_strdup ("host"), FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ flatpak_context_take_filesystem (context, g_strdup ("host"), ++ FLATPAK_FILESYSTEM_MODE_READ_WRITE); + } + + gboolean +@@ -2155,18 +2275,36 @@ flatpak_context_to_args (FlatpakContext *context, + g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name)); + } + ++ /* Serialize host-reset first, 
because order can matter in ++ * corner cases. */ ++ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", ++ NULL, &value)) ++ { ++ g_warn_if_fail (GPOINTER_TO_INT (value) == FLATPAK_FILESYSTEM_MODE_NONE); ++ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset")); ++ } ++ + g_hash_table_iter_init (&iter, context->filesystems); + while (g_hash_table_iter_next (&iter, &key, &value)) + { ++ g_autofree char *fs = NULL; + FlatpakFilesystemMode mode = GPOINTER_TO_INT (value); + ++ /* We already did this */ ++ if (g_str_equal (key, "host-reset")) ++ continue; ++ ++ fs = unparse_filesystem_flags (key, mode); ++ + if (mode != FLATPAK_FILESYSTEM_MODE_NONE) + { +- g_autofree char *fs = unparse_filesystem_flags (key, mode); + g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", fs)); + } + else +- g_ptr_array_add (args, g_strdup_printf ("--nofilesystem=%s", (char *) key)); ++ { ++ g_assert (fs[0] == '!'); ++ g_ptr_array_add (args, g_strdup_printf ("--nofilesystem=%s", &fs[1])); ++ } + } + } + +diff --git a/doc/flatpak-override.xml b/doc/flatpak-override.xml +index acf9a1fe..035f3c85 100644 +--- a/doc/flatpak-override.xml ++++ b/doc/flatpak-override.xml +@@ -244,6 +244,14 @@ + accessing most of the home directory, but it will still + be allowed to access + $XDG_CONFIG_HOME/MyApp. ++ ++ As a special case, ++ ++ will ignore all ++ permissions inherited from the app manifest or a ++ lower-precedence layer of overrides, in addition to ++ having the behaviour of ++ . + + + +diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml +index 3f917b60..06357386 100644 +--- a/doc/flatpak-run.xml ++++ b/doc/flatpak-run.xml +@@ -389,6 +389,14 @@ + accessing most of the home directory, but it will still + be allowed to access + $XDG_CONFIG_HOME/MyApp. ++ ++ As a special case, ++ ++ will ignore all ++ permissions inherited from the app manifest or ++ flatpak-override1, ++ in addition to having the behaviour of ++ . 
+ + + +diff --git a/tests/test-exports.c b/tests/test-exports.c +index 55120479..4abaf3c2 100644 +--- a/tests/test-exports.c ++++ b/tests/test-exports.c +@@ -651,8 +651,8 @@ test_filesystems (void) + gboolean ret; + + g_test_message ("%s", fs->input); +- ret = flatpak_context_parse_filesystem (fs->input, &normalized, &mode, +- &error); ++ ret = flatpak_context_parse_filesystem (fs->input, FALSE, ++ &normalized, &mode, &error); + g_assert_no_error (error); + g_assert_true (ret); + +@@ -673,8 +673,8 @@ test_filesystems (void) + gboolean ret; + + g_test_message ("%s", not->input); +- ret = flatpak_context_parse_filesystem (not->input, &normalized, &mode, +- &error); ++ ret = flatpak_context_parse_filesystem (not->input, FALSE, ++ &normalized, &mode, &error); + g_test_message ("-> %s", error ? error->message : "(no error)"); + g_assert_error (error, G_OPTION_ERROR, not->code); + g_assert_false (ret); +-- +2.33.1 + diff -Nru flatpak-1.10.2/debian/patches/CVE-2022-21682-7.patch flatpak-1.10.2/debian/patches/CVE-2022-21682-7.patch --- flatpak-1.10.2/debian/patches/CVE-2022-21682-7.patch 1970-01-01 00:00:00.000000000 +0000 +++ flatpak-1.10.2/debian/patches/CVE-2022-21682-7.patch 2022-01-20 00:10:56.000000000 +0000 
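Review bot: In `unparse_filesystem_flags` the `FLATPAK_FILESYSTEM_MODE_NONE` branch rewrites any key that merely ends in `-reset` into `...:reset`, but `parse_filesystem_flags` only accepts the `:reset` suffix for `host`, so a legitimate `--nofilesystem=~/foo-reset` (which the parser accepts, as far as the visible code shows) would be serialised by `flatpak_context_save_metadata` as `!~/foo:reset` and by `flatpak_context_to_args` as `--nofilesystem=~/foo:reset`, both of which fail to parse again — silently dropped on the load path (which passes a NULL error and only `g_debug`s), a hard option error on the args path. Both serialisers in this hunk already special-case and skip the `host-reset` key before calling `unparse_filesystem_flags`, so the rewrite should be keyed on the exact token rather than a suffix: `if (g_str_equal (path, "host-reset"))`. A `test-exports` entry that round-trips a negated path ending in `-reset` would pin this. Other callers of `unparse_filesystem_flags` may exist outside this hunk and should be checked for the same assumption.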
@@ -0,0 +1,102 @@ +From d2128c54188bcccb5e5cea59587532ad3d0295cd Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Mon, 17 Jan 2022 19:21:33 +0000 +Subject: test-exports: Exercise host:reset and related filesystem tokens + +Signed-off-by: Simon McVittie +Co-authored-by: Alexander Larsson +(cherry picked from commit f3d12dc7930334d42cfa96a57fd68de9919f1537) +--- + tests/test-exports.c | 38 +++++++++++++++++++++++++++++++++++--- + 1 file changed, 35 insertions(+), 3 deletions(-) + +diff --git a/tests/test-exports.c b/tests/test-exports.c +index 4abaf3c2..2099303d 100644 +--- a/tests/test-exports.c ++++ b/tests/test-exports.c +@@ -580,6 +580,13 @@ static const NotFilesystem not_filesystems[] = + { "xdg-run", G_OPTION_ERROR_FAILED }, + { "/", G_OPTION_ERROR_BAD_VALUE }, + { "/////././././././//////", G_OPTION_ERROR_BAD_VALUE }, ++ { "host:reset", G_OPTION_ERROR_FAILED }, ++ { "host-reset", G_OPTION_ERROR_FAILED }, ++ { "host-reset:rw", G_OPTION_ERROR_FAILED }, ++ { "host-reset:reset", G_OPTION_ERROR_FAILED }, ++ { "!host-reset:reset", G_OPTION_ERROR_FAILED }, ++ { "/foo:reset", G_OPTION_ERROR_FAILED }, ++ { "!/foo:reset", G_OPTION_ERROR_FAILED }, + }; + + typedef struct +@@ -635,6 +642,9 @@ static const Filesystem filesystems[] = + { "~///././//", FLATPAK_FILESYSTEM_MODE_READ_WRITE, "home" }, + { "home/", FLATPAK_FILESYSTEM_MODE_READ_WRITE, "home" }, + { "home/Projects", FLATPAK_FILESYSTEM_MODE_READ_WRITE, "~/Projects" }, ++ { "!home", FLATPAK_FILESYSTEM_MODE_NONE, "home" }, ++ { "!host:reset", FLATPAK_FILESYSTEM_MODE_NONE, "host-reset" }, ++ { "!host-reset", FLATPAK_FILESYSTEM_MODE_NONE, "host-reset" }, + }; + + static void +@@ -645,19 +655,32 @@ test_filesystems (void) + for (i = 0; i < G_N_ELEMENTS (filesystems); i++) + { + const Filesystem *fs = &filesystems[i]; ++ const char *input = fs->input; ++ gboolean negated = FALSE; + g_autoptr(GError) error = NULL; + g_autofree char *normalized; + FlatpakFilesystemMode mode; + gboolean ret; + + g_test_message ("%s", 
fs->input); +- ret = flatpak_context_parse_filesystem (fs->input, FALSE, ++ ++ if (input[0] == '!') ++ { ++ g_test_message ("-> input is negated"); ++ negated = TRUE; ++ input++; ++ } ++ ++ ret = flatpak_context_parse_filesystem (input, negated, + &normalized, &mode, &error); + g_assert_no_error (error); + g_assert_true (ret); + ++ g_test_message ("-> mode: %u", mode); ++ g_test_message ("-> normalized filesystem: %s", normalized); ++ + if (fs->fs == NULL) +- g_assert_cmpstr (normalized, ==, fs->input); ++ g_assert_cmpstr (normalized, ==, input); + else + g_assert_cmpstr (normalized, ==, fs->fs); + +@@ -667,13 +690,22 @@ test_filesystems (void) + for (i = 0; i < G_N_ELEMENTS (not_filesystems); i++) + { + const NotFilesystem *not = ¬_filesystems[i]; ++ const char *input = not->input; ++ gboolean negated = FALSE; + g_autoptr(GError) error = NULL; + char *normalized = NULL; + FlatpakFilesystemMode mode; + gboolean ret; + + g_test_message ("%s", not->input); +- ret = flatpak_context_parse_filesystem (not->input, FALSE, ++ ++ if (input[0] == '!') ++ { ++ negated = TRUE; ++ input++; ++ } ++ ++ ret = flatpak_context_parse_filesystem (input, negated, + &normalized, &mode, &error); + g_test_message ("-> %s", error ? error->message : "(no error)"); + g_assert_error (error, G_OPTION_ERROR, not->code); +-- +2.33.1 + diff -Nru flatpak-1.10.2/debian/patches/CVE-2022-21682-8.patch flatpak-1.10.2/debian/patches/CVE-2022-21682-8.patch --- flatpak-1.10.2/debian/patches/CVE-2022-21682-8.patch 1970-01-01 00:00:00.000000000 +0000 +++ flatpak-1.10.2/debian/patches/CVE-2022-21682-8.patch 2022-01-20 00:10:56.000000000 +0000 
@@ -0,0 +1,396 @@ +From 4206d681c5c52691dec0074e3f8c32dab1953a94 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Fri, 21 May 2021 17:41:31 +0100 +Subject: test-context: Exercise some corner cases for merging filesystems + +Signed-off-by: Simon McVittie +Co-authored-by: Alexander Larsson +(cherry picked from commit fab0f8ed7c52fc58e6c550d123ede9621c760ca7) +[smcv: Also backport the scaffolding to create this test-case] +--- + tests/Makefile.am.inc | 11 +- + tests/test-context.c | 343 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 353 insertions(+), 1 deletion(-) + create mode 100644 tests/test-context.c + +diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc +index 53d6403e..0fb650cb 100644 +--- a/tests/Makefile.am.inc ++++ b/tests/Makefile.am.inc +@@ -66,6 +66,10 @@ testcommon_LDADD = \ + $(NULL) + testcommon_SOURCES = tests/testcommon.c + ++test_context_CFLAGS = $(testcommon_CFLAGS) ++test_context_LDADD = $(testcommon_LDADD) ++test_context_SOURCES = tests/test-context.c ++ + test_exports_CFLAGS = $(testcommon_CFLAGS) + test_exports_LDADD = $(testcommon_LDADD) + test_exports_SOURCES = tests/test-exports.c +@@ -252,7 +256,12 @@ test_scripts = ${TEST_MATRIX} + dist_test_scripts = ${TEST_MATRIX_DIST} + dist_installed_test_extra_scripts += ${TEST_MATRIX_EXTRA_DIST} + +-test_programs = testlibrary testcommon test-exports ++test_programs = \ ++ test-context \ ++ test-exports \ ++ testcommon \ ++ testlibrary \ ++ $(NULL) + test_extra_programs = tests/httpcache tests/test-update-portal tests/test-portal-impl tests/test-authenticator tests/list-unused + + @VALGRIND_CHECK_RULES@ +diff --git a/tests/test-context.c b/tests/test-context.c +new file mode 100644 +index 00000000..c128a83f +--- /dev/null ++++ b/tests/test-context.c +@@ -0,0 +1,343 @@ ++/* ++ * Copyright © 2021 Collabora Ltd. 
++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library. If not, see . ++ */ ++ ++#include "config.h" ++ ++#include ++ ++#include ++#include "flatpak.h" ++#include "flatpak-context-private.h" ++#include "flatpak-run-private.h" ++#include "flatpak-utils-private.h" ++ ++/* g_str_has_prefix as a GEqualFunc */ ++static gboolean ++str_has_prefix (gconstpointer candidate, ++ gconstpointer pattern) ++{ ++ return g_str_has_prefix (candidate, pattern); ++} ++ ++static void context_parse_args (FlatpakContext *context, ++ ...) G_GNUC_NULL_TERMINATED; ++ ++static void ++context_parse_args (FlatpakContext *context, ++ ...) 
++{ ++ g_autoptr(GError) local_error = NULL; ++ g_autoptr(GOptionContext) oc = NULL; ++ g_autoptr(GOptionGroup) group = NULL; ++ g_autoptr(GPtrArray) args = g_ptr_array_new_with_free_func (g_free); ++ g_auto(GStrv) argv = NULL; ++ const char *arg; ++ va_list ap; ++ ++ g_ptr_array_add (args, g_strdup ("argv[0]")); ++ ++ va_start (ap, context); ++ ++ while ((arg = va_arg (ap, const char *)) != NULL) ++ g_ptr_array_add (args, g_strdup (arg)); ++ ++ va_end (ap); ++ ++ g_ptr_array_add (args, NULL); ++ argv = (GStrv) g_ptr_array_free (g_steal_pointer (&args), FALSE); ++ ++ oc = g_option_context_new (""); ++ group = flatpak_context_get_options (context); ++ g_option_context_add_group (oc, group); ++ g_option_context_parse_strv (oc, &argv, &local_error); ++ g_assert_no_error (local_error); ++} ++ ++static void ++test_context_merge_fs (void) ++{ ++ /* ++ * We want to arrive at the same result regardless of whether we: ++ * - start from lowest precedence, and successively merge higher ++ * precedences into it, discarding them when done; ++ * - successively merge highest precedence into second-highest, and ++ * then discard highest ++ */ ++ enum { LOWEST_FIRST, HIGHEST_FIRST, INVALID } merge_order; ++ ++ for (merge_order = LOWEST_FIRST; merge_order < INVALID; merge_order++) ++ { ++ g_autoptr(FlatpakContext) lowest = flatpak_context_new (); ++ g_autoptr(FlatpakContext) middle = flatpak_context_new (); ++ g_autoptr(FlatpakContext) highest = flatpak_context_new (); ++ gpointer value; ++ ++ context_parse_args (lowest, ++ "--filesystem=/one", ++ NULL); ++ context_parse_args (middle, ++ "--nofilesystem=host:reset", ++ "--filesystem=/two", ++ NULL); ++ context_parse_args (highest, ++ "--nofilesystem=host", ++ "--filesystem=/three", ++ NULL); ++ ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, NULL)); ++ g_assert_true (g_hash_table_lookup_extended 
(lowest->filesystems, "/one", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/two", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/three", NULL, NULL)); ++ ++ g_assert_true (g_hash_table_lookup_extended (middle->filesystems, "host", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_true (g_hash_table_lookup_extended (middle->filesystems, "host-reset", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_false (g_hash_table_lookup_extended (middle->filesystems, "/one", NULL, NULL)); ++ g_assert_true (g_hash_table_lookup_extended (middle->filesystems, "/two", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_false (g_hash_table_lookup_extended (middle->filesystems, "/three", NULL, NULL)); ++ ++ g_assert_true (g_hash_table_lookup_extended (highest->filesystems, "host", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_false (g_hash_table_lookup_extended (highest->filesystems, "host-reset", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (highest->filesystems, "/one", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (highest->filesystems, "/two", NULL, NULL)); ++ g_assert_true (g_hash_table_lookup_extended (highest->filesystems, "/three", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ ++ if (merge_order == LOWEST_FIRST) ++ { ++ flatpak_context_merge (lowest, middle); ++ ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_true (g_hash_table_lookup_extended 
(lowest->filesystems, "host-reset", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/one", NULL, NULL)); ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/two", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/three", NULL, NULL)); ++ ++ flatpak_context_merge (lowest, highest); ++ } ++ else ++ { ++ flatpak_context_merge (middle, highest); ++ ++ g_assert_true (g_hash_table_lookup_extended (middle->filesystems, "host", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_true (g_hash_table_lookup_extended (middle->filesystems, "host-reset", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_false (g_hash_table_lookup_extended (middle->filesystems, "/one", NULL, NULL)); ++ g_assert_true (g_hash_table_lookup_extended (middle->filesystems, "/two", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_true (g_hash_table_lookup_extended (middle->filesystems, "/three", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ ++ flatpak_context_merge (lowest, middle); ++ } ++ ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/one", NULL, NULL)); ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/two", NULL, 
&value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/three", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ } ++ ++ for (merge_order = LOWEST_FIRST; merge_order < INVALID; merge_order++) ++ { ++ g_autoptr(FlatpakContext) lowest = flatpak_context_new (); ++ g_autoptr(FlatpakContext) mid_low = flatpak_context_new (); ++ g_autoptr(FlatpakContext) mid_high = flatpak_context_new (); ++ g_autoptr(FlatpakContext) highest = flatpak_context_new (); ++ g_autoptr(GError) local_error = NULL; ++ g_autoptr(GKeyFile) metakey = g_key_file_new (); ++ g_autoptr(GPtrArray) args = g_ptr_array_new_with_free_func (g_free); ++ g_autofree char *filesystems = NULL; ++ gpointer value; ++ ++ context_parse_args (lowest, ++ "--filesystem=/one", ++ NULL); ++ context_parse_args (mid_low, ++ "--nofilesystem=host:reset", ++ "--filesystem=/two", ++ NULL); ++ context_parse_args (mid_high, ++ "--filesystem=host", ++ "--filesystem=/three", ++ NULL); ++ context_parse_args (highest, ++ "--nofilesystem=host", ++ "--filesystem=/four", ++ NULL); ++ ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, NULL)); ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/one", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/two", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/three", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/four", NULL, NULL)); ++ ++ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "host", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, 
FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "host-reset", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_false (g_hash_table_lookup_extended (mid_low->filesystems, "/one", NULL, NULL)); ++ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "/two", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_false (g_hash_table_lookup_extended (mid_low->filesystems, "/three", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (mid_low->filesystems, "/four", NULL, NULL)); ++ ++ g_assert_true (g_hash_table_lookup_extended (mid_high->filesystems, "host", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "host-reset", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "/one", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "/two", NULL, NULL)); ++ g_assert_true (g_hash_table_lookup_extended (mid_high->filesystems, "/three", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "/four", NULL, NULL)); ++ ++ g_assert_true (g_hash_table_lookup_extended (highest->filesystems, "host", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "host-reset", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (highest->filesystems, "/one", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (highest->filesystems, "/two", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (highest->filesystems, "/three", NULL, NULL)); ++ g_assert_true 
(g_hash_table_lookup_extended (highest->filesystems, "/four", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ ++ if (merge_order == LOWEST_FIRST) ++ { ++ flatpak_context_merge (lowest, mid_low); ++ ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/one", NULL, NULL)); ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/two", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/three", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/four", NULL, NULL)); ++ ++ flatpak_context_merge (lowest, mid_high); ++ ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/one", NULL, NULL)); ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/two", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/three", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, 
"/four", NULL, NULL)); ++ ++ flatpak_context_merge (lowest, highest); ++ } ++ else ++ { ++ flatpak_context_merge (mid_high, highest); ++ ++ g_assert_true (g_hash_table_lookup_extended (mid_high->filesystems, "host", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "host-reset", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "/one", NULL, NULL)); ++ g_assert_false (g_hash_table_lookup_extended (mid_high->filesystems, "/two", NULL, NULL)); ++ g_assert_true (g_hash_table_lookup_extended (mid_high->filesystems, "/three", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_true (g_hash_table_lookup_extended (mid_high->filesystems, "/four", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ ++ flatpak_context_merge (mid_low, mid_high); ++ ++ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "host", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "host-reset", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_false (g_hash_table_lookup_extended (mid_low->filesystems, "/one", NULL, NULL)); ++ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "/two", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "/three", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_true (g_hash_table_lookup_extended (mid_low->filesystems, "/four", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, 
FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ ++ flatpak_context_merge (lowest, mid_low); ++ } ++ ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "host-reset", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_NONE); ++ g_assert_false (g_hash_table_lookup_extended (lowest->filesystems, "/one", NULL, NULL)); ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/two", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/three", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ g_assert_true (g_hash_table_lookup_extended (lowest->filesystems, "/four", NULL, &value)); ++ g_assert_cmpint (GPOINTER_TO_INT (value), ==, FLATPAK_FILESYSTEM_MODE_READ_WRITE); ++ ++ flatpak_context_save_metadata (lowest, FALSE, metakey); ++ filesystems = g_key_file_get_value (metakey, ++ FLATPAK_METADATA_GROUP_CONTEXT, ++ FLATPAK_METADATA_KEY_FILESYSTEMS, ++ &local_error); ++ g_assert_no_error (local_error); ++ g_test_message ("%s=%s", FLATPAK_METADATA_KEY_FILESYSTEMS, filesystems); ++ /* !host:reset is serialized first */ ++ g_assert_true (g_str_has_prefix (filesystems, "!host:reset;")); ++ /* The rest are serialized in arbitrary order */ ++ g_assert_nonnull (strstr (filesystems, ";!host;")); ++ g_assert_null (strstr (filesystems, "/one")); ++ g_assert_nonnull (strstr (filesystems, ";/two;")); ++ g_assert_nonnull (strstr (filesystems, ";/three;")); ++ g_assert_nonnull (strstr (filesystems, ";/four;")); ++ ++ flatpak_context_to_args (lowest, args); ++ /* !host:reset is serialized first */ ++ g_assert_cmpuint (args->len, >, 0); ++ g_assert_cmpstr (g_ptr_array_index (args, 0), ==, ++ 
"--nofilesystem=host:reset"); ++ /* The rest are serialized in arbitrary order */ ++ g_assert_true (g_ptr_array_find_with_equal_func (args, "--nofilesystem=host", g_str_equal, NULL)); ++ g_assert_false (g_ptr_array_find_with_equal_func (args, "--filesystem=/one", str_has_prefix, NULL)); ++ g_assert_false (g_ptr_array_find_with_equal_func (args, "--nofilesystem=/one", str_has_prefix, NULL)); ++ g_assert_true (g_ptr_array_find_with_equal_func (args, "--filesystem=/two", g_str_equal, NULL)); ++ g_assert_true (g_ptr_array_find_with_equal_func (args, "--filesystem=/three", g_str_equal, NULL)); ++ g_assert_true (g_ptr_array_find_with_equal_func (args, "--filesystem=/four", g_str_equal, NULL)); ++ } ++} ++ ++int ++main (int argc, char *argv[]) ++{ ++ g_test_init (&argc, &argv, NULL); ++ ++ g_test_add_func ("/context/merge-fs", test_context_merge_fs); ++ ++ return g_test_run (); ++} +-- +2.33.1 + diff -Nru flatpak-1.10.2/debian/patches/CVE-2022-21682-9.patch flatpak-1.10.2/debian/patches/CVE-2022-21682-9.patch --- flatpak-1.10.2/debian/patches/CVE-2022-21682-9.patch 1970-01-01 00:00:00.000000000 +0000 +++ flatpak-1.10.2/debian/patches/CVE-2022-21682-9.patch 2022-01-20 00:10:56.000000000 +0000 
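Review bot: In the second scenario of test_context_merge_fs, the pre-merge block of assertions for `highest` checks `mid_high->filesystems` for "host-reset" instead of `highest->filesystems` (the line sits between the `highest` "host" check and the `highest` "/one" check), so the absence of host-reset in the highest-precedence context is never asserted there and the line merely repeats the earlier mid_high check. It should read `g_assert_false (g_hash_table_lookup_extended (highest->filesystems, "host-reset", NULL, NULL));`. More generally the lookup_extended/cmpint pairs are repeated dozens of times in this new file; a pair of helpers such as `assert_fs_mode (FlatpakContext *ctx, const char *fs, FlatpakFilesystemMode mode)` and `assert_fs_absent (FlatpakContext *ctx, const char *fs)` would shorten it considerably and make copy-paste slips like this one harder to miss.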
@@ -0,0 +1,121 @@ +From 2c89fc3ef340cf0d762b225a4f0578797e992003 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Sun, 16 Jan 2022 17:33:28 +0000 +Subject: test-override: Exercise --nofilesystem=host:reset + +Signed-off-by: Simon McVittie +Co-authored-by: Alexander Larsson +(cherry picked from commit 4aa70d2d7201e44c7259bf5aeae90beb733e331f) +--- + tests/test-override.sh | 84 +++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 83 insertions(+), 1 deletion(-) + +diff --git a/tests/test-override.sh b/tests/test-override.sh +index 735f811e..becad19a 100755 +--- a/tests/test-override.sh ++++ b/tests/test-override.sh +@@ -17,7 +17,7 @@ reset_overrides () { + assert_file_empty info + } + +-echo "1..17" ++echo "1..18" + + setup_repo + install_repo +@@ -187,6 +187,51 @@ assert_semicolon_list_contains "$filesystems" "xdg-config:ro" + assert_not_semicolon_list_contains "$filesystems" "!xdg-config" + assert_not_semicolon_list_contains "$filesystems" "!xdg-config:ro" + ++${FLATPAK} override --user --nofilesystem=host:reset org.test.Hello ++${FLATPAK} override --user --show org.test.Hello > override ++filesystems="$(sed -ne 's/^filesystems=//p' override)" ++assert_not_semicolon_list_contains "$filesystems" "host" ++assert_not_semicolon_list_contains "$filesystems" "host:reset" ++assert_semicolon_list_contains "$filesystems" "!host" ++assert_semicolon_list_contains "$filesystems" "!host:reset" ++assert_not_semicolon_list_contains "$filesystems" "host-reset" ++assert_not_semicolon_list_contains "$filesystems" "!host-reset" ++ ++# !host-reset is the same as !host:reset, and serializes as !host:reset ++${FLATPAK} override --user --nofilesystem=host-reset org.test.Hello ++${FLATPAK} override --user --show org.test.Hello > override ++filesystems="$(sed -ne 's/^filesystems=//p' override)" ++assert_not_semicolon_list_contains "$filesystems" "host" ++assert_not_semicolon_list_contains "$filesystems" "host:reset" ++assert_semicolon_list_contains "$filesystems" "!host" 
++assert_semicolon_list_contains "$filesystems" "!host:reset" ++assert_not_semicolon_list_contains "$filesystems" "host-reset" ++assert_not_semicolon_list_contains "$filesystems" "!host-reset" ++ ++# --filesystem=...:reset => error ++e=0 ++${FLATPAK} override --user --filesystem=host:reset org.test.Hello 2>log || e=$? ++assert_file_has_content log "Filesystem suffix \"reset\" only applies to --nofilesystem" ++assert_not_streq "$e" 0 ++ ++# --filesystem=host-reset => error ++e=0 ++${FLATPAK} override --user --filesystem=host-reset org.test.Hello 2>log || e=$? ++assert_file_has_content log "Filesystem token \"host-reset\" is only applicable for --nofilesystem" ++assert_not_streq "$e" 0 ++ ++# --filesystem=host-reset:suffix => error ++e=0 ++${FLATPAK} override --user --nofilesystem=host-reset:suffix org.test.Hello 2>log || e=$? ++assert_file_has_content log "Filesystem token \"host-reset\" cannot be used with a suffix" ++assert_not_streq "$e" 0 ++ ++# --nofilesystem=/foo:reset => error ++e=0 ++${FLATPAK} override --user --nofilesystem=/foo:reset org.test.Hello 2>log || e=$? ++assert_file_has_content log "Filesystem suffix \"reset\" can only be applied to --nofilesystem=host" ++assert_not_streq "$e" 0 ++ + # --nofilesystem=...:rw => warning + # Warnings need to be made temporarily non-fatal here. + e=0 +@@ -395,3 +440,40 @@ if ! skip_one_without_bwrap "runtime override --nofilesystem=host"; then + + ok "runtime override --nofilesystem=host" + fi ++ ++reset_overrides ++ ++if ! 
skip_one_without_bwrap "runtime override --nofilesystem=host:reset"; then ++ mkdir -p "$HOME/dir" ++ mkdir -p "$TEST_DATA_DIR/dir1" ++ mkdir -p "$TEST_DATA_DIR/dir2" ++ echo "hello" > "$HOME/example" ++ echo "hello" > "$HOME/dir/example" ++ echo "hello" > "$TEST_DATA_DIR/dir1/example" ++ echo "hello" > "$TEST_DATA_DIR/dir2/example" ++ ++ ${FLATPAK} override --user --filesystem=host org.test.Hello ++ ${FLATPAK} override --user --filesystem='~/dir' org.test.Hello ++ ${FLATPAK} override --user --filesystem="$TEST_DATA_DIR/dir1" org.test.Hello ++ ++ ${FLATPAK} run --env=TEST_DATA_DIR="$TEST_DATA_DIR" \ ++ --command=sh --nofilesystem=host:reset org.test.Hello -c ' ++ echo overwritten > "$HOME/dir/example" || true ++ echo overwritten > "$HOME/example" || true ++ echo overwritten > "$TEST_DATA_DIR/dir1/example" || true ++ echo overwritten > "$TEST_DATA_DIR/dir2/example" || true ++ ' ++ # --nofilesystem=host:reset cancels all --filesystem permissions from ++ # lower-precedence layers ++ assert_file_has_content "$HOME/dir/example" hello ++ assert_file_has_content "$TEST_DATA_DIR/dir1/example" hello ++ assert_file_has_content "$HOME/example" hello ++ assert_file_has_content "$TEST_DATA_DIR/dir2/example" hello ++ ++ rm -fr "$HOME/dir" ++ rm -fr "$HOME/example" ++ rm -fr "$TEST_DATA_DIR/dir1" ++ rm -fr "$TEST_DATA_DIR/dir2" ++ ++ ok "runtime override --nofilesystem=host:reset" ++fi +-- +2.33.1 + diff -Nru flatpak-1.10.2/debian/patches/series flatpak-1.10.2/debian/patches/series --- flatpak-1.10.2/debian/patches/series 2021-10-12 23:36:35.000000000 +0000 +++ flatpak-1.10.2/debian/patches/series 2022-01-20 00:10:56.000000000 +0000 
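Review bot: The new "runtime override --nofilesystem=host:reset" case can pass vacuously: if `flatpak run` never reaches the sandboxed `sh -c` (bwrap failure, app failing to launch), none of the four files is touched and every assert_file_has_content still sees "hello", unless the harness runs under `set -e` and the run exits non-zero, which this hunk does not show. Have the sandboxed shell prove it executed, for example end the `-c` script with `echo sandbox-ran` and capture its stdout with `> run-output`, then add `assert_file_has_content run-output sandbox-ran` before the file checks. Separately, the comment `# --filesystem=host-reset:suffix => error` above the third error case does not match the command it labels, which uses `--nofilesystem=host-reset:suffix`; change it to `# --nofilesystem=host-reset:suffix => error`.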
@@ -15,3 +15,18 @@ CVE-2021-41133-8.patch CVE-2021-41133-9.patch CVE-2021-41133-10.patch +CVE-2021-43860-1.patch +CVE-2021-43860-2.patch +CVE-2021-43860-3.patch +CVE-2021-43860-4.patch +CVE-2021-43860-5.patch +test-metadata-validation.sh-Ensure-that-mtimes-chang.patch +CVE-2022-21682-1.patch +CVE-2022-21682-2.patch +CVE-2022-21682-3.patch +CVE-2022-21682-4.patch +CVE-2022-21682-5.patch +CVE-2022-21682-6.patch +CVE-2022-21682-7.patch +CVE-2022-21682-8.patch +CVE-2022-21682-9.patch diff -Nru flatpak-1.10.2/debian/patches/test-metadata-validation.sh-Ensure-that-mtimes-chang.patch flatpak-1.10.2/debian/patches/test-metadata-validation.sh-Ensure-that-mtimes-chang.patch --- flatpak-1.10.2/debian/patches/test-metadata-validation.sh-Ensure-that-mtimes-chang.patch 1970-01-01 00:00:00.000000000 +0000 +++ flatpak-1.10.2/debian/patches/test-metadata-validation.sh-Ensure-that-mtimes-chang.patch 2022-01-20 00:10:56.000000000 +0000 @@ -0,0 +1,29 @@ +From eb324b9d827841d101046bbf8c2976e5a8724e64 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Wed, 12 Jan 2022 17:55:09 +0000 +Subject: test-metadata-validation.sh: Ensure that mtimes change between + iterations + +Our old adversary, 1-second timestamp resolution, strikes again! + +Signed-off-by: Simon McVittie +--- + tests/test-metadata-validation.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/test-metadata-validation.sh b/tests/test-metadata-validation.sh +index 7e3efccb..2ff78a92 100755 +--- a/tests/test-metadata-validation.sh ++++ b/tests/test-metadata-validation.sh +@@ -18,6 +18,8 @@ create_app () { + local OPTIONS="$1" + local DIR=`mktemp -d` + ++ sleep 1 ++ + mkdir ${DIR}/files + echo $COUNTER > ${DIR}/files/counter + let COUNTER=COUNTER+1 +-- +2.33.1 +
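Review bot: The `sleep 1` added at the top of create_app in test-metadata-validation.sh is unexplained in the script itself; the reason (successive iterations must get distinct mtimes despite 1-second timestamp resolution) lives only in the commit message, so a later reader is likely to remove it as a stray delay. Add a comment above it such as `# Sleep so that files created by successive iterations get distinct mtimes` and `# (filesystem timestamps may have only 1-second resolution)`. It also costs one second per create_app call; if the test grows more iterations, setting an explicit per-iteration timestamp with `touch -d` would avoid the wait, but which file's mtime the test depends on is not visible in this hunk.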