forked from flatpak/flatpak
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
dir: Fix an edge case of resolving collection-refs
In flatpak_dir_do_resolve_p2p_refs() after pulling a ref we use ostree_repo_resolve_rev() and pass a refspec with the remote from which the ref originated. This has a couple side effects, one good and one bad:

1) The good side effect is that the attack I speculated about in this comment[1] is not exploitable. Because if the ref in question is pulled from any remote other than its origin (or a LAN/USB source using another remote's keyring) it will not be found by ostree_repo_resolve_rev() and the malicious commit will not be used.

2) The bad side effect is that there are some legitimate reasons a ref could be pulled from another remote (say, a configured mirror), and in those cases the pulled ref will not be found. So if I have remote A and remote B both configured with the same collection ID, a ref installed from one could be pulled from the other. See this issue[2] for a concrete example.

The solution is to use OSTREE_REPO_PULL_FLAGS_MIRROR for the pull and use ostree_repo_resolve_collection_ref() to resolve the ref. This is done in the caller as well for consistency (flatpak_dir_resolve_p2p_refs()). This fixes the bad side effect described above and brings us a step closer to fixing issue flatpak#1832. This also means the attack from flatpak#1447 is exploitable, but that is addressed in a subsequent commit.

This change is conditional on a version check for OSTree 2019.2 because we need this bug fix[3].

Also, add a helper function flatpak_repo_resolve_rev() which falls back to using ostree_repo_resolve_rev() when ostree_repo_resolve_collection_ref() fails, so we start to move toward using /refs/mirrors/ but maintain backwards compatibility for /refs/remotes/. A subsequent commit will make wider use of flatpak_repo_resolve_rev() across the codebase; for now just use it for the case described above.

[1] flatpak#1447 (comment)
[2] flatpak#1832
[3] ostreedev/ostree#1821
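The lookup order described in the commit message, modelled as an added example that is not part of the commit or of flatpak's code. It assumes a constructed in-memory ref table in place of a real OSTree repo; the names `model_resolve_rev`, `resolve_by_remote`, `remote-a` and `org.example.Apps` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a repo's ref store: path -> commit checksum. */
struct ref_entry { const char *path; const char *checksum; };

static const struct ref_entry REFS[] = {
    /* Pulled from a mirror with the MIRROR flag: filed under the collection ID. */
    { "refs/mirrors/org.example.Apps/app/org.example.App/x86_64/stable", "c0ffee01" },
    /* Older pull without the flag: filed under the origin remote's name. */
    { "refs/remotes/remote-a/app/org.example.Old/x86_64/stable", "deadbe02" },
};

static const char *lookup(const char *prefix, const char *ns, const char *ref)
{
    char path[256];
    int n = snprintf(path, sizeof path, "refs/%s/%s/%s", prefix, ns, ref);
    if (n < 0 || (size_t)n >= sizeof path)
        return NULL;                       /* truncated path never matches */
    for (size_t i = 0; i < sizeof REFS / sizeof REFS[0]; i++)
        if (strcmp(REFS[i].path, path) == 0)
            return REFS[i].checksum;
    return NULL;
}

/* Models resolving the refspec "remote:ref" (origin-bound lookup). */
const char *resolve_by_remote(const char *remote, const char *ref)
{
    return lookup("remotes", remote, ref);
}

/* Models the fallback order: collection-ref first, then remote refspec. */
const char *model_resolve_rev(const char *collection_id, const char *remote,
                              const char *ref)
{
    const char *sum = collection_id ? lookup("mirrors", collection_id, ref) : NULL;
    return sum ? sum : resolve_by_remote(remote, ref);
}

int main(void)
{
    const char *ref = "app/org.example.App/x86_64/stable";
    const char *a = resolve_by_remote("remote-a", ref);
    const char *b = model_resolve_rev("org.example.Apps", "remote-a", ref);
    printf("remote-bound: %s\n", a ? a : "(not found)");
    printf("with fallback: %s\n", b ? b : "(not found)");
    return 0;
}
```

In this model the collection-ref lookup succeeds no matter which remote delivered the commit, so the origin binding that the remote refspec provided no longer applies on that path.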
Showing 3 changed files with 68 additions and 6 deletions.