
[meta-oe,scarthgap,3/4] flatpak: patch CVE-2024-42472

Message ID 20251216071329.3172170-3-ankur.tyagi85@gmail.com

Commit Message

Ankur Tyagi Dec. 16, 2025, 7:13 a.m. UTC
From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details https://nvd.nist.gov/vuln/detail/CVE-2024-42472

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../flatpak/flatpak/CVE-2024-42472_1.patch    | 169 ++++++++++++++++++
 .../flatpak/flatpak/CVE-2024-42472_2.patch    |  44 +++++
 .../flatpak/flatpak_1.15.8.bb                 |   2 +
 3 files changed, 215 insertions(+)
 create mode 100644 meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_1.patch
 create mode 100644 meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_2.patch

Patch

diff --git a/meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_1.patch b/meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_1.patch
new file mode 100644
index 0000000000..c29d9655f1
--- /dev/null
+++ b/meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_1.patch
@@ -0,0 +1,169 @@ 
+From 2055273613350df0e6a7fa30d38d4ce6bc8079ca Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Mon, 3 Jun 2024 12:22:30 +0200
+Subject: [PATCH] Don't follow symlinks when mounting persisted directories
+
+These directories are in a location under application control, so we
+can't trust them to not be a symlink outside of the files accessibe to
+the application.
+
+Continue to treat --persist=/foo as --persist=foo for backwards compat,
+since this is how it (accidentally) worked before, but print a warning.
+
+Don't allow ".." elements in persist paths: these would not be useful
+anyway, and are unlikely to be in use, however they could potentially
+be used to confuse the persist path handling.
+
+This partially addresses CVE-2024-42472. If only one instance of the
+malicious or compromised app is run at a time, the vulnerability
+is avoided. If two instances can run concurrently, there is a
+time-of-check/time-of-use issue remaining, which can only be resolved
+with changes to bubblewrap; this will be resolved in a separate commit,
+because the bubblewrap dependency might be more difficult to provide in
+LTS distributions.
+
+Helps: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
+[smcv: Make whitespace consistent]
+[smcv: Use g_warning() if unable to create --persist paths]
+[smcv: Use stat() to detect symlinks and warn about them]
+Co-authored-by: Simon McVittie <smcv@collabora.com>
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+
+CVE: CVE-2024-42472
+Upstream-Status: Backport [https://github.com/flatpak/flatpak/commit/3caeb16c31a3ed62d744e2aaf01d684f7991051a]
+(cherry picked from commit 3caeb16c31a3ed62d744e2aaf01d684f7991051a)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ common/flatpak-context.c | 109 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 105 insertions(+), 4 deletions(-)
+
+diff --git a/common/flatpak-context.c b/common/flatpak-context.c
+index 297a89ef..98dac5ee 100644
+--- a/common/flatpak-context.c
++++ b/common/flatpak-context.c
+@@ -2860,6 +2860,90 @@ flatpak_context_apply_env_appid (FlatpakBwrap *bwrap,
+     flatpak_bwrap_set_env (bwrap, "HOST_XDG_STATE_HOME", g_getenv ("XDG_STATE_HOME"), TRUE);
+ }
+ 
++/* This creates zero or more directories unders base_fd+basedir, each
++ * being guaranteed to either exist and be a directory (no symlinks)
++ * or be created as a directory. The last directory is opened
++ * and the fd is returned.
++ */
++static gboolean
++mkdir_p_open_nofollow_at (int          base_fd,
++                          const char  *basedir,
++                          int          mode,
++                          const char  *subdir,
++                          int         *out_fd,
++                          GError     **error)
++{
++  glnx_autofd int parent_fd = -1;
++
++  if (g_path_is_absolute (subdir))
++    {
++      const char *skipped_prefix = subdir;
++
++      while (*skipped_prefix == '/')
++        skipped_prefix++;
++
++      g_warning ("--persist=\"%s\" is deprecated, treating it as --persist=\"%s\"", subdir, skipped_prefix);
++      subdir = skipped_prefix;
++    }
++
++  g_autofree char *subdir_dirname = g_path_get_dirname (subdir);
++
++  if (strcmp (subdir_dirname, ".") == 0)
++    {
++      /* It is ok to open basedir with follow=true */
++      if (!glnx_opendirat (base_fd, basedir, TRUE, &parent_fd, error))
++        return FALSE;
++    }
++  else if (strcmp (subdir_dirname, "..") == 0)
++    {
++      return glnx_throw (error, "'..' not supported in --persist paths");
++    }
++  else
++    {
++      if (!mkdir_p_open_nofollow_at (base_fd, basedir, mode,
++                                     subdir_dirname, &parent_fd, error))
++        return FALSE;
++    }
++
++  g_autofree char *subdir_basename = g_path_get_basename (subdir);
++
++  if (strcmp (subdir_basename, ".") == 0)
++    {
++      *out_fd = glnx_steal_fd (&parent_fd);
++      return TRUE;
++    }
++  else if (strcmp (subdir_basename, "..") == 0)
++    {
++      return glnx_throw (error, "'..' not supported in --persist paths");
++    }
++
++  if (!glnx_shutil_mkdir_p_at (parent_fd, subdir_basename, mode, NULL, error))
++    return FALSE;
++
++  int fd = openat (parent_fd, subdir_basename, O_PATH | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW);
++  if (fd == -1)
++    {
++      int saved_errno = errno;
++      struct stat stat_buf;
++
++      /* If it's a symbolic link, that could be a user trying to offload
++       * large data to another filesystem, but it could equally well be
++       * a malicious or compromised app trying to exploit GHSA-7hgv-f2j8-xw87.
++       * Produce a clearer error message in this case.
++       * Unfortunately the errno we get in this case is ENOTDIR, so we have
++       * to ask again to find out whether it's really a symlink. */
++      if (saved_errno == ENOTDIR &&
++          fstatat (parent_fd, subdir_basename, &stat_buf, AT_SYMLINK_NOFOLLOW) == 0 &&
++          S_ISLNK (stat_buf.st_mode))
++        return glnx_throw (error, "Symbolic link \"%s\" not allowed to avoid sandbox escape", subdir_basename);
++
++      return glnx_throw_errno_prefix (error, "openat(%s)", subdir_basename);
++    }
++
++  *out_fd = fd;
++  return TRUE;
++}
++
+ void
+ flatpak_context_append_bwrap_filesystem (FlatpakContext  *context,
+                                          FlatpakBwrap    *bwrap,
+@@ -2883,13 +2967,30 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext  *context,
+       while (g_hash_table_iter_next (&iter, &key, NULL))
+         {
+           const char *persist = key;
+-          g_autofree char *src = g_build_filename (g_get_home_dir (), ".var/app", app_id, persist, NULL);
++          g_autofree char *appdir = g_build_filename (g_get_home_dir (), ".var/app", app_id, NULL);
+           g_autofree char *dest = g_build_filename (g_get_home_dir (), persist, NULL);
++          g_autoptr(GError) local_error = NULL;
++
++          if (g_mkdir_with_parents (appdir, 0755) != 0)
++            {
++              g_warning ("Unable to create directory %s", appdir);
++              continue;
++            }
++
++          /* Don't follow symlinks from the persist directory, as it is under user control */
++          glnx_autofd int src_fd = -1;
++          if (!mkdir_p_open_nofollow_at (AT_FDCWD, appdir, 0755,
++                                         persist, &src_fd,
++                                         &local_error))
++            {
++              g_warning ("Failed to create persist path %s: %s", persist, local_error->message);
++              continue;
++            }
+ 
+-          if (g_mkdir_with_parents (src, 0755) != 0)
+-            g_info ("Unable to create directory %s", src);
++          g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
+ 
+-          flatpak_bwrap_add_bind_arg (bwrap, "--bind", src, dest);
++          flatpak_bwrap_add_fd (bwrap, g_steal_fd (&src_fd));
++          flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
+         }
+     }
+ 
diff --git a/meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_2.patch b/meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_2.patch
new file mode 100644
index 0000000000..ad06b9aa7e
--- /dev/null
+++ b/meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_2.patch
@@ -0,0 +1,44 @@ 
+From dd8a68c126b8f73a58a37353b34ec25179859d79 Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Tue, 18 Jun 2024 11:31:05 +0200
+Subject: [PATCH] persist directories: Pass using new bwrap --bind-fd option
+
+Instead of passing a /proc/self/fd bind mount we use --bind-fd, which
+has two advantages:
+ * bwrap closes the fd when used, so it doesn't leak into the started app
+ * bwrap ensures that what was mounted was the passed in fd (same dev/ino),
+   as there is a small (required) gap between symlink resolve and mount
+   where the target path could be replaced.
+
+Please note that this change requires an updated version of bubblewrap.
+
+Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
+[smcv: Make whitespace consistent]
+Co-authored-by: Simon McVittie <smcv@collabora.com>
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+
+CVE: CVE-2024-42472
+Upstream-Status: Backport [https://github.com/flatpak/flatpak/commit/6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75]
+(cherry picked from commit 6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ common/flatpak-context.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/flatpak-context.c b/common/flatpak-context.c
+index 98dac5ee..24150daa 100644
+--- a/common/flatpak-context.c
++++ b/common/flatpak-context.c
+@@ -2987,10 +2987,10 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext  *context,
+               continue;
+             }
+ 
+-          g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
++          g_autofree char *src_via_proc = g_strdup_printf ("%d", src_fd);
+ 
+           flatpak_bwrap_add_fd (bwrap, g_steal_fd (&src_fd));
+-          flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
++          flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest);
+         }
+     }
+ 
diff --git a/meta-oe/recipes-extended/flatpak/flatpak_1.15.8.bb b/meta-oe/recipes-extended/flatpak/flatpak_1.15.8.bb
index fba7bc49a4..639027701b 100644
--- a/meta-oe/recipes-extended/flatpak/flatpak_1.15.8.bb
+++ b/meta-oe/recipes-extended/flatpak/flatpak_1.15.8.bb
@@ -6,6 +6,8 @@  LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
 SRC_URI = " \
     gitsm://github.com/flatpak/flatpak;protocol=https;branch=main \
     file://0001-flatpak-pc-add-pc_sysrootdir.patch \
+    file://CVE-2024-42472_1.patch \
+    file://CVE-2024-42472_2.patch \
 "
 
 SRCREV = "925c80f913d69e7ca424428823e1431c4ffb0deb"