build: Require a version of bubblewrap with the --bind-fd option

We need this for the --bind-fd option, which will close a race
condition in our solution to CVE-2024-42472.

In the bundled subproject, upgrade bubblewrap to version 0.6.3, which
has a backport from 0.10.0 of the required option.

For this stable branch, check the --help output for a --bind-fd option
instead of requiring a specific version number, to accommodate possible
backports in LTS distributions.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie
2024-08-12 19:48:18 +01:00
parent db3a785241
commit 847dfb88ce
2 changed files with 4 additions and 1 deletions


@@ -175,6 +175,9 @@ if test "x$BWRAP" != xfalse; then
BWRAP_VERSION=`$BWRAP --version | sed 's,.*\ \([0-9]*\.[0-9]*\.[0-9]*\)$,\1,'`
AX_COMPARE_VERSION([$SYSTEM_BWRAP_REQS],[gt],[$BWRAP_VERSION],
[AC_MSG_ERROR([You need at least version $SYSTEM_BWRAP_REQS of bubblewrap to use the system installed version])])
AS_IF([$BWRAP --help | grep '@<:@-@:>@-bind-fd' >/dev/null],
[:],
[AC_MSG_ERROR([$BWRAP does not list required option --bind-fd in its --help])])
AM_CONDITIONAL([WITH_SYSTEM_BWRAP], [true])
else
AC_CHECK_LIB(cap, cap_from_text, CAP_LIB=-lcap)
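Review bot: the grep pattern on the `AS_IF` line (`@<:@-@:>@-bind-fd`, i.e. `[-]-bind-fd` after m4 quadrigraph expansion) is an unanchored substring match, so any `--help` line whose option name merely ends in `--bind-fd` would also satisfy the check. If the intent is to detect exactly `--bind-fd`, consider anchoring the match to the start of the option as it appears in the help text, for example `grep '^ *@<:@-@:>@-bind-fd'` (assuming bubblewrap lists options at the start of a line), or add a trailing delimiter so a longer option name does not match. The quadrigraph trick itself is correct: it keeps the pattern from starting with `-`, so `grep` does not parse it as a flag. Also note this check only runs in the system-bubblewrap branch (`x$BWRAP != xfalse`), which matches the commit message's intent; the bundled subproject is covered by the version bump rather than this test.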