
1.2.2

@smcv smcv released this 18 Jan 19:02

This is a security update to resolve CVE-2022-21682.
Upgrading both Flatpak and flatpak-builder is required.

CVE-2022-21682 is a vulnerability in how flatpak-builder uses flatpak,
which can allow flatpak-builder --mirror-screenshots-url commands to
create directories outside the build directory.

flatpak-builder >= 1.2.2 uses a new option --nofilesystem=host:reset
to cancel out filesystem permissions in the application manifest and
overrides. This is only effective when using Flatpak >= 1.12.4, or a
version that has a backport of the --nofilesystem=host:reset feature
(such as 1.10.x versions >= 1.10.7).

When using an older version of Flatpak, this version of flatpak-builder
will still work, but it will show a warning: "Unexpected filesystem
suffix reset, ignoring". In this situation, it is still vulnerable
to CVE-2022-21682.
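As an added example (not part of these release notes or of the flatpak-builder project), the following POSIX shell script applies the version conditions above to decide whether an installed Flatpak honours --nofilesystem=host:reset, and scans flatpak-builder output for the warning quoted above. It assumes that `flatpak --version` prints a line of the form "Flatpak X.Y.Z"; the version string and log line it uses are constructed samples, and it only knows the two release series the notes name (>= 1.12.4 and the 1.10.x backport >= 1.10.7), so any other backported series would be reported as unsupported.

```shell
#!/bin/sh
# Added example: decide whether the installed Flatpak honours
# --nofilesystem=host:reset, using the version conditions from the
# flatpak-builder 1.2.2 release notes. Assumption: `flatpak --version`
# prints a line such as "Flatpak 1.12.4".

# Print the Nth dot-separated field of a version string ("" if absent).
field() {
    printf '%s\n' "$1" | cut -d. -f"$2"
}

# True (exit 0) when version $1 >= version $2, comparing three numeric
# fields; any suffix such as "-rc1" is dropped before comparing.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(field "$a" "$i"); y=$(field "$b" "$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# True when the given Flatpak version is one the release notes say honours
# --nofilesystem=host:reset: >= 1.12.4, or a 1.10.x release >= 1.10.7.
# The notes say other series may carry a backport ("such as"); this check
# only knows the two named ones and reports anything else as unsupported.
reset_supported() {
    v=$1
    if [ "$(field "$v" 1)" = 1 ] && [ "$(field "$v" 2)" = 10 ]; then
        version_ge "$v" 1.10.7 && return 0
    else
        version_ge "$v" 1.12.4 && return 0
    fi
    return 1
}

# Extract the bare version from `flatpak --version` output ("Flatpak 1.12.4").
parse_flatpak_version() {
    printf '%s\n' "$1" | sed -n 's/^Flatpak \([0-9][0-9.]*\).*/\1/p'
}

# True when flatpak-builder output contains the warning that means the
# running Flatpak ignored the reset suffix, i.e. the build was not protected.
log_shows_reset_ignored() {
    printf '%s\n' "$1" | grep -q 'Unexpected filesystem suffix reset, ignoring'
}

# Constructed sample inputs so the script runs offline; in real use replace
# them with "$(flatpak --version)" and the captured flatpak-builder output.
SAMPLE_VERSION_OUTPUT="Flatpak 1.12.3"
SAMPLE_BUILD_LOG="Unexpected filesystem suffix reset, ignoring"

v=$(parse_flatpak_version "$SAMPLE_VERSION_OUTPUT")
if reset_supported "$v"; then
    echo "Flatpak $v honours --nofilesystem=host:reset; flatpak-builder >= 1.2.2 mitigates CVE-2022-21682"
else
    echo "Flatpak $v ignores --nofilesystem=host:reset; builds remain vulnerable to CVE-2022-21682"
fi
if log_shows_reset_ignored "$SAMPLE_BUILD_LOG"; then
    echo "warning seen in build output: the running Flatpak ignored the reset suffix"
fi
```

The version gate and the log scan are deliberately separate checks: the version tells you in advance whether the fix can take effect, while the warning in the build output is the after-the-fact evidence that a given build ran without it.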

Other changes:

  • Make FUSE 2 optimizations opt-in.
    By default, this version of flatpak-builder is compatible with versions
    of ostree that have been compiled against either FUSE 2 or FUSE 3.
    Older distributions that use FUSE 2 can configure --with-fuse=2 for better
    performance, but the resulting flatpak-builder executable will not work
    with versions of ostree >= 2022.1 that have been compiled with FUSE 3
    (this is the same behaviour as in 1.2.1).
  • Make the JSON schema introduced in 1.2.1 more complete.

sha256:

89fda68e537c1e9de02352690bd89c3217a729164558d35f35b08f79ad84e03e *flatpak-builder-1.2.2.tar.xz