Bug#993396: bullseye-pu: package flatpak/1.10.3-0+deb11u1

2021-08-31 Thread Simon McVittie
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Sync up with upstream to make future stable/security updates easier.
Fix a bug affecting users who set XDG_RUNTIME_DIR to an unusual value.

[ Impact ]
If not accepted, future stable/security updates will take longer to
prepare (backporting fixes to an old upstream release) or longer to
review (the first time we pull in a new upstream stable release, the diff
will look like this one).

Additionally, users with an unusual XDG_RUNTIME_DIR will find that Wayland,
Pipewire and similar protocols don't work in a Flatpak sandbox. Most users
of systemd-logind or elogind, or users who do not have an XDG_RUNTIME_DIR
at all, are unaffected by this. This was a regression in 1.8.5/1.10.0.

[ Tests ]
Flatpak has fairly thorough autopkgtests. They can't be run on
ci.debian.net due to conflicts between LXC and Flatpak containers,
but I run them under qemu-system-x86_64 before each upload. I've also
done some manual testing on bullseye GNOME desktop/laptop systems and
will continue to do so.

[ Risks ]
It's a high-visibility and security-sensitive package, but the code has
hardly changed since stable. All changes are backports from unstable
(either the development release 1.11.3, or post-release fixes in 1.11.3-2
which resulted from me testing 1.11.3 under autopkgtest).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  - It's a filtered git diff rather than a debdiff, but I upload with
dgit, so what's in git has to match what's uploaded. I did a diff
between patched trees, because the majority of the upstream code
changes were previously in debian/patches.
  [x] the issue is verified as fixed in unstable

[ Changes ]
common/flatpak-run.c: Make sure user's custom XDG_RUNTIME_DIR is overwritten
with the one Flatpak sets up, as intended. Previously, the XDG_RUNTIME_DIR
inside the sandbox was only correct for users of systemd-logind or
elogind (Flatpak deliberately makes its path consistent with those),
or users who do not have that variable set at all.

tests/test-run.sh: Assert that the XDG_RUNTIME_DIR bug is fixed.

Other files: new upstream stable release (NEWS, version number,
Autotools noise).

[ Other info ]
I would like to keep tracking Flatpak stable releases in bullseye if
possible. From its security history and position at a sandbox boundary,
I expect to see CVEs during the lifetime of bullseye.

Thanks,
smcv
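
The XDG_RUNTIME_DIR handling described under [Changes] above, as an added example that is not part of this thread or of Flatpak's source: a small C model of an export table in which a NULL value means "always clear the inherited host value", run over three constructed host environments that correspond to the affected and unaffected cases in the report. Only the ExportData shape and its three entries are taken from the patch; the Env type, the functions, SANDBOX_UID and the sample environments are assumptions, and the precedence used here (a host-inherited value survives unless the table clears it) stands in for whatever ordering the real code path has.

```c
/*
 * Added example, not Flatpak's code: models the environment sanitisation that
 * the default_exports table in common/flatpak-run.c performs at the sandbox
 * boundary and reproduces the affected/unaffected cases from the bug report.
 * Only the ExportData shape and its three entries come from the hunk; Env,
 * the functions, SANDBOX_UID and the sample host environments are made up.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SANDBOX_UID 1000u  /* assumed uid of the user running the sandbox */
#define ENV_MAX 32

typedef struct { const char *name; const char *value; } ExportData; /* value NULL: always clear */

/* Tables as modelled before and after the fix. */
static const ExportData exports_before[] = {
  {"SHELL", "/bin/sh"}, {"TMPDIR", NULL}, {NULL, NULL}
};
static const ExportData exports_after[] = {
  {"SHELL", "/bin/sh"}, {"TMPDIR", NULL}, {"XDG_RUNTIME_DIR", NULL}, {NULL, NULL}
};

/* Constructed sample host environments, not captured from a real system. */
static const char *const host_custom[] = {"HOME=/home/alice", "XDG_RUNTIME_DIR=/tmp/custom-rt", NULL};
static const char *const host_logind[] = {"HOME=/home/alice", "XDG_RUNTIME_DIR=/run/user/1000", NULL};
static const char *const host_none[] = {"HOME=/home/alice", "TMPDIR=/var/tmp", NULL};

typedef struct { char *kv[ENV_MAX]; int n; } Env;  /* "NAME=value" strings */

static int env_find(const Env *e, const char *name)
{
  size_t len = strlen(name);
  for (int i = 0; i < e->n; i++)
    if (strncmp(e->kv[i], name, len) == 0 && e->kv[i][len] == '=')
      return i;
  return -1;
}

static void env_unset(Env *e, const char *name)
{
  int i = env_find(e, name);
  if (i < 0) return;
  free(e->kv[i]);
  e->kv[i] = e->kv[--e->n];
}

/* overwrite == 0 models a value that must not displace one already present. */
static void env_set(Env *e, const char *name, const char *value, int overwrite)
{
  if (env_find(e, name) >= 0) {
    if (!overwrite) return;
    env_unset(e, name);
  }
  size_t len = strlen(name) + strlen(value) + 2;
  char *kv = malloc(len);
  if (kv == NULL || e->n >= ENV_MAX)
    abort();
  snprintf(kv, len, "%s=%s", name, value);
  e->kv[e->n++] = kv;
}

/*
 * Layering in this model: (1) inherit the host environment, (2) apply the
 * export table, (3) apply the sandbox's own runtime dir, which under the
 * precedence the bug report describes does not displace a host value that
 * step 2 left in place. Copies the XDG_RUNTIME_DIR the sandboxed process
 * would see into out and returns 1, or returns 0 if it would be unset.
 */
int sandbox_runtime_dir(const char *const *host_env, const ExportData *table,
                        char *out, size_t outlen)
{
  Env e = { {0}, 0 };
  char name[64], dir[64];
  for (; *host_env != NULL; host_env++) {
    const char *eq = strchr(*host_env, '=');
    if (eq == NULL || (size_t)(eq - *host_env) >= sizeof name)
      continue;  /* malformed or oversized entry: do not import it */
    snprintf(name, sizeof name, "%.*s", (int)(eq - *host_env), *host_env);
    env_set(&e, name, eq + 1, 1);
  }
  for (; table->name != NULL; table++) {
    if (table->value == NULL) env_unset(&e, table->name);
    else env_set(&e, table->name, table->value, 1);
  }
  snprintf(dir, sizeof dir, "/run/user/%u", SANDBOX_UID);
  env_set(&e, "XDG_RUNTIME_DIR", dir, 0);

  int i = env_find(&e, "XDG_RUNTIME_DIR");
  if (i >= 0)
    snprintf(out, outlen, "%s", strchr(e.kv[i], '=') + 1);
  for (int j = 0; j < e.n; j++)
    free(e.kv[j]);
  return i >= 0;
}

/* Does the sandbox see exactly `expected`? */
int runtime_dir_is(const char *const *host_env, const ExportData *table, const char *expected)
{
  char buf[64];
  return sandbox_runtime_dir(host_env, table, buf, sizeof buf) && strcmp(buf, expected) == 0;
}
```

With the pre-fix table the unusual host value /tmp/custom-rt reaches the sandbox, while with the fixed table it is cleared and replaced by /run/user/UID; a logind-style value or no value at all gives /run/user/UID either way, which is why only users with an unusual XDG_RUNTIME_DIR noticed the regression. The general lesson for any sandbox boundary is the same: variables that name paths on the host (TMPDIR, XDG_RUNTIME_DIR) must be explicitly reset, not merely defaulted, because the path namespace inside the sandbox is different.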



Bug#993396: bullseye-pu: package flatpak/1.10.3-0+deb11u1

2021-09-10 Thread Simon McVittie
On Tue, 31 Aug 2021 at 20:10:17 +0100, Simon McVittie wrote:
>   [x] attach debdiff against the package in (old)stable
>   - It's a filtered git diff rather than a debdiff, but I upload with
> dgit, so what's in git has to match what's uploaded. I did a diff
> between patched trees, because the majority of the upstream code
> changes were previously in debian/patches.

Sorry, I was sure I'd attached the diff but it must have got lost. See
attached.

smcv
git diff patch-queue/debian/bullseye-r0..patch-queue/debian/bullseye |
filterdiff -p1 -xMakefile.in -xaclocal.m4 -xcompile -xconfig.guess \
 -xconfig.sub -xconfig.h.in -xconfigure -xdepcomp -x'*/Makefile.in' \
 -xinstall-sh -xltmain.sh -xm4/libtool.m4 -xmissing -x'po/*.pot' \
 -x'debian/patches/*.patch' -x'doc/reference/html/*' -x'po/*.po' \
 -xtest-driver

diff --git a/NEWS b/NEWS
index 06f6a2603..1a791f4a1 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,22 @@
+Changes in 1.10.3
+~
+Released: 2021-08-31
+
+This is a maintenance update with various bug fixes backported from 1.11.x.
+
+* Don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox, fixing
+  a regression introduced when CVE-2021-21261 was fixed in 1.8.5 and 1.10.0
+* Fix various memory and file descriptor leaks, in particular with
+  flatpak-spawn --env=...
+* Fix fd confusion in flatpak-spawn --env=... --forward-fd=..., resolving a
+  regression introduced in 1.8.5 and 1.10.0
+* Fix deploys of local remotes in system-helper, possibly involving newer
+  GLib versions
+* Fix test failures on non-x86_64 systems
+* create-usb: Skip copying extra-data flatpaks
+* Improve test coverage on Debian derivatives by ensuring /sbin is in
+  tests' PATH
+
 Changes in 1.10.2
 ~
 Released: 2021-03-10
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index f48f402a9..81ead1e60 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -1525,6 +1525,10 @@ static const ExportData default_exports[] = {
   {"XDG_DATA_DIRS", "/app/share:/usr/share"},
   {"SHELL", "/bin/sh"},
   {"TMPDIR", NULL}, /* Unset TMPDIR as it may not exist in the sandbox */
+  /* We always use /run/user/UID, even if the user's XDG_RUNTIME_DIR
+   * outside the sandbox is somewhere else. Don't allow a different
+   * setting from outside the sandbox to overwrite this. */
+  {"XDG_RUNTIME_DIR", NULL},
 
   /* Some env vars are common enough and will affect the sandbox badly
  if set on the host. We clear these always. */
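Review bot: the new `{"XDG_RUNTIME_DIR", NULL}` entry only clears the inherited host value, while the comment above it promises that the sandbox always gets /run/user/UID; the code that sets that path is not in this hunk, so it is worth confirming that the sandbox-side assignment runs after default_exports is applied, otherwise apps would see no XDG_RUNTIME_DIR at all and the Wayland/Pipewire breakage from [Impact] would hit every user rather than only those with an unusual value. The cover letter also lists a tests/test-run.sh assertion for this case that does not appear in the attached diff; including it would let the release team see the regression test that pins the intended ordering.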
diff --git a/common/flatpak-version-macros.h b/common/flatpak-version-macros.h
index 2971afee0..210faa4c9 100644
--- a/common/flatpak-version-macros.h
+++ b/common/flatpak-version-macros.h
@@ -45,7 +45,7 @@
  *
  * The micro version.
  */
-#define FLATPAK_MICRO_VERSION (2)
+#define FLATPAK_MICRO_VERSION (3)
 
 /**
  * FLATPAK_CHECK_VERSION:
diff --git a/configure.ac b/configure.ac
index c879e472d..ad5d17d77 100644
--- a/configure.ac
+++ b/configure.ac
@@ -15,7 +15,7 @@ AC_PREREQ([2.63])
 
 m4_define([flatpak_major_version], [1])
 m4_define([flatpak_minor_version], [10])
-m4_define([flatpak_micro_version], [2])
+m4_define([flatpak_micro_version], [3])
 m4_define([flatpak_extra_version], [])
 m4_define([flatpak_interface_age], [0])
 m4_define([flatpak_binary_age],
diff --git a/debian/changelog b/debian/changelog
index 061ced8f9..8fc2067e1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+flatpak (1.10.3-1) UNRELEASED; urgency=medium
+
+  * New upstream stable release
+- Don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox
+  (regression in 1.8.5 and 1.10.0)
+- Improve unit test coverage
+- Various other changes that were already in earlier releases to Debian
+  * Drop all patches, applied upstream
+  * d/gbp.conf, d/control: Branch for bullseye
+  * d/watch: Restrict to 1.10.x versions for bullseye
+
+ -- Simon McVittie   Thu, 26 Aug 2021 12:01:16 +0100
+
 flatpak (1.10.2-3) unstable; urgency=medium
 
   * d/patches: Align with upstream flatpak-1.10.x branch, making this
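Review bot: the new stanza header reads `flatpak (1.10.3-1) UNRELEASED; urgency=medium`, but the request in the subject is for 1.10.3-0+deb11u1 in bullseye, so the version and distribution need to become `flatpak (1.10.3-0+deb11u1) bullseye; urgency=medium` before upload, otherwise the changelog will not match what the release team is acknowledging. The stanza also lists `d/watch: Restrict to 1.10.x versions for bullseye`, yet no debian/watch hunk appears in the attached diff, so either the diff is incomplete or that change is missing from the tree.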
diff --git a/debian/control b/debian/control
index f60402586..c1e35889f 100644
--- a/debian/control
+++ b/debian/control
@@ -62,7 +62,7 @@ Build-Depends-Indep:
  libostree-doc,
 Standards-Version: 4.5.1
 Homepage: https://flatpak.org/
-Vcs-Git: https://salsa.debian.org/debian/flatpak.git
+Vcs-Git: https://salsa.debian.org/debian/flatpak.git -b debian/bullseye
 Vcs-Browser: https://salsa.debian.org/debian/flatpak
 Rules-Requires-Root: no
 
diff --git a/debian/gbp.conf b/debian/gbp.conf
index f331df1a9..dd1cde049 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,7 +1,7 @@
 [DEFAULT]
 pristine-tar = True
 compression = xz
-debian-branch = debian/unstable
+debian-branch = debian/bullseye
 upstream-branch = upstream/1.10.x
 patch-numbers = False
 upstream-vcs-tag = %(version)s
diff --git a/debian/patches/series b/debian/patches/series
deleted file mode 100644
index 0ab2b98a6..0
--- a/debian/patches/series
+++ /dev/null
@

Bug#993396: bullseye-pu: package flatpak/1.10.3-0+deb11u1

2021-09-18 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2021-09-10 at 18:00 +0100, Simon McVittie wrote:
> On Tue, 31 Aug 2021 at 20:10:17 +0100, Simon McVittie wrote:
> >   [x] attach debdiff against the package in (old)stable
> >   - It's a filtered git diff rather than a debdiff, but I upload with
> > dgit, so what's in git has to match what's uploaded. I did a diff
> > between patched trees, because the majority of the upstream code
> > changes were previously in debian/patches.
> 
> Sorry, I was sure I'd attached the diff but it must have got lost. See
> attached.
> 

Please go ahead; thanks.

Regards,

Adam