From 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Mon, 18 Jan 2021 17:52:13 +0000 Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments This means we can systematically pass the environment variables through bwrap(1), even if it is setuid and thus is filtering out security-sensitive environment variables. bwrap itself ends up being run with an empty environment instead. This fixes a regression when CVE-2021-21261 was fixed: before the CVE fixes, LD_LIBRARY_PATH would have been passed through like this and appeared in the `flatpak build` shell, but during the CVE fixes, the special case that protected LD_LIBRARY_PATH was removed in favour of the more general flatpak_bwrap_envp_to_args(). That reasoning only works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere that we run the potentially-setuid bwrap. Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" Resolves: https://github.com/flatpak/flatpak/issues/4080 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323 Signed-off-by: Simon McVittie --- app/flatpak-builtins-build.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c index 5c4d9055..c0b12dbc 100644 --- a/app/flatpak-builtins-build.c +++ b/app/flatpak-builtins-build.c @@ -571,6 +571,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError NULL); } + flatpak_bwrap_envp_to_args (bwrap); + if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) return FALSE;