From 847dfb88cebbdf8825332730b837489684dfb91e Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Mon, 12 Aug 2024 19:48:18 +0100 Subject: [PATCH] build: Require a version of bubblewrap with the --bind-fd option We need this for the --bind-fd option, which will close a race condition in our solution to CVE-2024-42472. In the bundled subproject, upgrade bubblewrap to version 0.6.3, which has a backport from 0.10.0 of the required option. For this stable branch, check the --help output for a --bind-fd option instead of requiring a specific version number, to accommodate possible backports in LTS distributions. Signed-off-by: Simon McVittie
---
configure.ac | 3 +++ subprojects/bubblewrap | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 038585b9..07b4c1bb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -175,6 +175,9 @@ if test "x$BWRAP" != xfalse; then
 BWRAP_VERSION=`$BWRAP --version | sed 's,.*\ \([0-9]*\.[0-9]*\.[0-9]*\)$,\1,'`
 AX_COMPARE_VERSION([$SYSTEM_BWRAP_REQS],[gt],[$BWRAP_VERSION],
 [AC_MSG_ERROR([You need at least version $SYSTEM_BWRAP_REQS of bubblewrap to use the system installed version])])
+ AS_IF([$BWRAP --help | grep '@<:@-@:>@-bind-fd' >/dev/null],
+ [:],
+ [AC_MSG_ERROR([$BWRAP does not list required option --bind-fd in its --help])])
 AM_CONDITIONAL([WITH_SYSTEM_BWRAP], [true])
 else
 AC_CHECK_LIB(cap, cap_from_text, CAP_LIB=-lcap)
diff --git a/subprojects/bubblewrap b/subprojects/bubblewrap
index c54bbc6d..c4209bf5 160000
--- a/subprojects/bubblewrap
+++ b/subprojects/bubblewrap
@@ -1 +1 @@
-Subproject commit c54bbc6d7b78e7a45016efe0c4ac8af9d209aa20
+Subproject commit c4209bf5cd4eea208699c288dff8800dd8905536
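Review bot: The new `AS_IF` probe in the system-bwrap branch of configure.ac only proves that the `$BWRAP` found at configure time lists `--bind-fd`; a system bubblewrap that is replaced or downgraded after the build is not covered, so the caller that passes `--bind-fd` (not visible in this hunk) should treat a bwrap failure as fatal and not fall back to a path-based bind. The probe also has no comment saying why it sits next to the `AX_COMPARE_VERSION` check; I would add `dnl --bind-fd closes a race in the CVE-2024-42472 fix; probe --help instead of the version so distro backports are accepted` above it. The error text could name the remedy as well, for example ending it with `(needs bubblewrap 0.10.0 or a backport of --bind-fd)`, so packagers know what to upgrade to. The enclosing `if test "x$BWRAP" != xfalse` block starts and ends outside the hunk.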