Accepting request 1169130 from home:rfrohl:branches:GNOME:Factory

Update to 1.15.8: as the CVE looks quite problematic I thought I would try and
help to speed up the update. Please have a close look if this seems okay.

Somewhat unsure about the meson options used.

OBS-URL: https://build.opensuse.org/request/show/1169130
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=193

flatpak-1.15.6.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8eb68189eb4850a34752feb29827cc2cc744c1981b8915e280ec1cf5bc387962
-size 1315036

flatpak-1.15.8.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e89bcf42fd1eb0fadf14c8b5845bc31cb78a2624f3bdc9bcdd007cc75022e4d3
+size 1300484

flatpak.changes

@@ -1,3 +1,51 @@
+-------------------------------------------------------------------
+Fri Apr 19 08:05:28 UTC 2024 - Robert Frohl <rfrohl@suse.com>
+
+- Update to version 1.15.8:
+  + Security fixes:
+    - Don't allow an executable name to be misinterpreted as a command-line
+      option for bwrap(1). This prevents a sandbox escape where a malicious
+      or compromised app could ask xdg-desktop-portal to generate a .desktop
+      file with access to files outside the sandbox. (CVE-2024-32462, boo#1223110)
+  + Other bug fixes:
+    - Pass the -export-dynamic linker option as -Wl,-export-dynamic,
+      fixing build failures with clang 18 and lld 18
+    - Fix a double-free when installation is cancelled
+    - Fix installed-tests failure with "FUSERMOUNT: unbound variable"
+    - Translation updates: pt_BR, tr
+
+- Update to version 1.15.7:
+  + New features:
+    - Automatically remove obsolete driver versions and other autopruned refs
+    - --socket=inherit-wayland-socket
+    - Automatically reload D-Bus session bus configuration after installing
+     or upgrading apps, to pick up any exported D-Bus services
+  + Bug fixes:
+    - Don't parse <developer><name/></developer> as the application name
+    - Don't refuse to start apps when there is no D-Bus system bus available
+    - Don't try to repeat migration of apps whose data was migrated to a new
+      name and then deleted
+    - Improve handling of mixed locales on systems with systemd-localed
+    - Improve display of ellipsized columns in wide terminals
+    - Make flatpak info -e look for extensions in all installations
+    - Fix warnings from newer GLib versions
+    - Always set the container environment variable
+    - Always let the app inherit redirected file descriptors
+    - In flatpak ps, add xdg-desktop-portal-gnome to the list of backends
+      we'll use to learn which apps are running in the background
+    - Don't use WAYLAND_SOCKET unless given --socket=inherit-wayland-socket
+    - Use fusermount3 if compiled with FUSE 3, overridable with -Dsystem_fusermount compile-time option
+    - Avoid leaking a temporary variable from /etc/profile.d/flatpak.sh into the shell environment
+    - Improve async-signal safety
+    - Fix various memory leaks
+    - Avoid undefined behaviour of signed left-shift when storing object IDs in a hash table
+    - Detect the correct gtk-doc when cross-compiling
+    - Detect the correct wayland-scanner when cross-compiling
+    - Documentation improvements
+    - Skip more tests when FUSE isn't available
+    - Translation updates
+- add libglnx.patch to fix meson function detection
+
 -------------------------------------------------------------------
 Tue Mar 19 08:06:34 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 

flatpak.spec

@@ -35,7 +35,7 @@
 %define support_environment_generators 1
 %endif
 Name:           flatpak
-Version:        1.15.6
+Version:        1.15.8
 Release:        0
 Summary:        OSTree based application bundles management
 License:        LGPL-2.1-or-later
@@ -49,9 +49,12 @@ Source4:        update-user-flatpaks.timer
 Source5:        https://flathub.org/repo/flathub.flatpakrepo
 # PATCH-FEATURE-OPENSUSE polkit_rules_usability.patch -- Make the rules comply with openSUSE expectations
 Patch0:         polkit_rules_usability.patch
+# PATCH-FIX-UPSTREAM libglnx.patch https://gitlab.gnome.org/GNOME/libglnx/-/merge_requests/57
+Patch1:         libglnx.patch
 
 BuildRequires:  bison
 BuildRequires:  bubblewrap >= %{bubblewrap_version}
+BuildRequires:  cmake
 BuildRequires:  docbook-xsl-stylesheets
 BuildRequires:  gtk-doc
 BuildRequires:  intltool >= 0.35.0
@@ -59,9 +62,12 @@ BuildRequires:  libcap-devel
 BuildRequires:  libgpg-error-devel
 BuildRequires:  libgpgme-devel >= 1.1.8
 BuildRequires:  libtool
+BuildRequires:  malcontent-devel
+BuildRequires:  meson
 BuildRequires:  pkgconfig
 BuildRequires:  python3-pyparsing
 BuildRequires:  selinux-policy-devel
+BuildRequires:  socat
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  sysuser-tools
 BuildRequires:  xdg-dbus-proxy >= %{xdg_dbus_proxy_version}
@@ -163,8 +169,8 @@ more information.
 Summary:        Add Flathub repository to system flatpak
 Group:          System/Packages
 Requires:       flatpak
-Requires(postun): flatpak
+Requires(postun):flatpak
-Requires(postun): sed
+Requires(postun):sed
 %if 0%{?suse_version} > 1600
 Supplements:    flatpak
 %endif
@@ -204,27 +210,23 @@ fi
 sed -i -e '1s,#!%{_bindir}/env python3,#!%{_bindir}/python3,' scripts/flatpak-*
 
 %build
-./autogen.sh
+%meson \
-%configure \
+        -Dsystem_bubblewrap=bwrap \
-	--disable-silent-rules \
+        -Dhttp_backend=curl \
-	--with-system-bubblewrap \
+        -Ddbus_config_dir=%{_dbusconfigdir} \
-	--with-curl \
+        -Dsystem_dbus_proxy=%{_bindir}/xdg-dbus-proxy \
-	--with-priv-mode=none \
-	--with-dbus-config-dir=%{_dbusconfigdir} \
-	--with-system-dbus-proxy=%{_bindir}/xdg-dbus-proxy \
 %if !%{support_environment_generators}
-	--enable-gdm-env-file \
+        -Dgdm_env_file=enabled \
 %endif
-	--enable-documentation \
+        -Dgtkdoc=enabled \
-	--enable-gtk-doc \
+        -Dwayland_security_context=enabled \
-	--with-wayland-security-context=yes \
+        -Dselinux_module=enabled \
-        --with-selinux_module=yes \
+        %{nil}
-	%{nil}
+%meson_build
-%make_build
 %sysusers_generate_pre system-helper/flatpak.conf system-user-flatpak flatpak.conf
 
 %install
-%make_install
+%meson_install
 find %{buildroot} -type f -name "*.la" -delete -print
 mkdir -p %{buildroot}%{_sbindir}
 ln -s service %{buildroot}%{_sbindir}/rcflatpak-system-helper
@@ -331,7 +333,9 @@ fi;
 %{_mandir}/man1/%{name}*.1%{?ext_man}
 %{_mandir}/man5/flatpak-metadata.5%{?ext_man}
 %{_mandir}/man5/flatpak-flatpakref.5%{?ext_man}
+%{_mandir}/man5/flatpakref.5%{?ext_man}
 %{_mandir}/man5/flatpak-flatpakrepo.5%{?ext_man}
+%{_mandir}/man5/flatpakrepo.5%{?ext_man}
 %{_mandir}/man5/flatpak-installation.5%{?ext_man}
 %{_mandir}/man5/flatpak-remote.5%{?ext_man}
 %{_datadir}/%{name}/

libglnx.patch

@@ -0,0 +1,13 @@
+Index: flatpak-1.15.8/subprojects/libglnx/meson.build
+===================================================================
+--- flatpak-1.15.8.orig/subprojects/libglnx/meson.build
++++ flatpak-1.15.8/subprojects/libglnx/meson.build
+@@ -40,7 +40,7 @@ foreach check_function : check_functions
+     #include <linux/random.h>
+     #include <sys/mman.h>
+ 
+-    int func (void) {
++    void func (void) {
+       (void) ''' + check_function + ''';
+     }
+     ''',