Your message dated Sat, 23 Jan 2021 15:47:09 +0000 with message-id <[email protected]> and subject line Bug#980323: fixed in flatpak 1.2.5-0+deb10u3 has caused the Debian Bug report #980323, regarding flatpak: LD_LIBRARY_PATH is not set under flatpak-builder to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
980323: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: flatpak
Version: 1.2.5-0+deb10u2
Severity: important

Dear Maintainer,

With flatpak 1.2.5-0+deb10u2, LD_LIBRARY_PATH is not set when invoked over flatpak-builder.

This became apparent when I was reviewing [1], where a contributor intends to add the Jansson library to be shipped alongside GNU Emacs in the /app/lib directory. Usually the build environment provided by flatpak-builder would have this directory referred to by LD_LIBRARY_PATH. With this latest security update, the environment variable is entirely absent.

If I test with the older release, flatpak=1.2.5-0+deb10u1, running flatpak-builder like this:

    flatpak-builder --force-clean --build-shell=emacs ./build2 org.gnu.emacs.json

I get into a shell with LD_LIBRARY_PATH set to

    /app/lib:/usr/lib/x86_64-linux-gnu/GL/default/lib:/usr/lib/x86_64-linux-gnu/openh264/extra

With this software version, building the flatpak under review will succeed if I simply omit the --build-shell option.

I am not thoroughly familiar with the Flathub ecosystem, but I would suspect that there are other flatpaks which can not be built on systems that have 1.2.5-0+deb10u2 installed.

I would still expect that flatpak 1.2.5-0+deb10u2 can run the same flatpaks when consumed prebuilt from e.g. flathub. The mechanism for linker paths is not based on LD_LIBRARY_PATH when flatpak is simply run, as opposed to building.
[1] https://github.com/flathub/org.gnu.emacs/pull/36

-- System Information:
Debian Release: 10.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-13-amd64 (SMP w/8 CPU cores)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages flatpak depends on:
ii  bubblewrap             0.3.1-4
ii  libappstream-glib8     0.7.14-1+deb10u1
ii  libarchive13           3.3.3-4+deb10u1
ii  libc6                  2.28-10
ii  libdconf1              0.30.1-2
ii  libgdk-pixbuf2.0-0     2.38.1+dfsg-1
ii  libglib2.0-0           2.58.3-2+deb10u2
ii  libgpgme11             1.12.0-6
ii  libjson-glib-1.0-0     1.4.4-2
ii  libostree-1-1          2019.1-1
ii  libpolkit-agent-1-0    0.105-25
ii  libpolkit-gobject-1-0  0.105-25
ii  libseccomp2            2.3.3-4
ii  libsoup2.4-1           2.64.2-2
ii  libsystemd0            241-7~deb10u5
ii  libxau6                1:1.0.8-1+b2
ii  libxml2                2.9.4+dfsg1-7+deb10u1
ii  xdg-dbus-proxy         0.1.1-1
ii  xdg-desktop-portal     1.2.0-1

Versions of packages flatpak recommends:
ii  desktop-file-utils                                    0.23-4
ii  gtk-update-icon-cache                                 3.24.5-1
ii  hicolor-icon-theme                                    0.17-2
ii  libpam-systemd                                        241-7~deb10u5
ii  p11-kit                                               0.23.15-2+deb10u1
ii  policykit-1                                           0.105-25
ii  shared-mime-info                                      1.10-1
ii  xdg-desktop-portal-gtk [xdg-desktop-portal-backend]   1.2.0-1

Versions of packages flatpak suggests:
ii  avahi-daemon  0.7-4+b1

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: flatpak
Source-Version: 1.2.5-0+deb10u3
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Thu, 21 Jan 2021 13:57:39 +0000
Source: flatpak
Architecture: source
Version: 1.2.5-0+deb10u3
Distribution: buster-security
Urgency: medium
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 980323
Changes:
 flatpak (1.2.5-0+deb10u3) buster-security; urgency=medium
 .
   * Fix regressions in DSA 4830-1
     - Add patch from upstream to fix a regression in 'flatpak build'.
       The patches to resolve CVE-2021-21261 caused a regression in which
       'flatpak build' wouldn't set the LD_LIBRARY_PATH that it should.
       (Closes: #980323)
     - Add a patch from upstream to fix possible regressions in extra-data.
       The extra-data mechanism, used to download large or proprietary
       components out-of-band, could suffer from a regression similar to
       #980323 if the app or runtime's apply_extra entry point relies on
       LD_LIBRARY_PATH.
   * Add CVE-2021-21261 reference to previous changelog entry
--- End Message ---
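
A regression check for the symptom reported in this thread, as an added example that is not part of the original messages or of flatpak itself: it reads an `env` dump captured inside the build sandbox and verifies that LD_LIBRARY_PATH is set and has /app/lib as an entry. The function name `check_build_env` and the three sample dumps are constructed for illustration; the full LD_LIBRARY_PATH value is the one quoted in the bug report.

```shell
#!/bin/sh
# Added example (not from the thread): post-update check of a flatpak build
# environment. Feed it the output of `env` run inside the build shell.

# Constructed sample dumps. GOOD_ENV carries the value quoted in the report.
GOOD_ENV='PATH=/app/bin:/usr/bin
LD_LIBRARY_PATH=/app/lib:/usr/lib/x86_64-linux-gnu/GL/default/lib:/usr/lib/x86_64-linux-gnu/openh264/extra'

# Regressed sandbox: the variable is absent. The similarly named variable
# must not be mistaken for it.
REGRESSED_ENV='PATH=/app/bin:/usr/bin
OLD_LD_LIBRARY_PATH=/app/lib'

# Variable present, but the application library directory is missing.
NOAPP_ENV='PATH=/app/bin:/usr/bin
LD_LIBRARY_PATH=/usr/lib/x86_64-linux-gnu/GL/default/lib'

# check_build_env: reads an env dump on stdin.
# Returns 0 if /app/lib is an entry of LD_LIBRARY_PATH,
#         1 if LD_LIBRARY_PATH is unset or empty,
#         2 if it is set but has no /app/lib entry.
check_build_env() {
    # Anchor at start of line so only the exact variable name matches.
    value=$(sed -n 's/^LD_LIBRARY_PATH=//p' | head -n 1)
    if [ -z "$value" ]; then
        echo "FAIL: LD_LIBRARY_PATH is unset or empty"
        return 1
    fi
    # Wrap in colons so /app/lib matches as a whole entry, not a substring
    # of something like /app/lib64 or /opt/app/lib.
    case ":$value:" in
        *:/app/lib:*)
            echo "OK: /app/lib is on LD_LIBRARY_PATH"
            return 0 ;;
        *)
            echo "FAIL: LD_LIBRARY_PATH lacks /app/lib: $value"
            return 2 ;;
    esac
}

# Demo on the constructed samples; failures are expected for the last two.
printf '%s\n' "$GOOD_ENV" | check_build_env
printf '%s\n' "$REGRESSED_ENV" | check_build_env || true
printf '%s\n' "$NOAPP_ENV" | check_build_env || true
```

Run after a flatpak security update, a non-zero exit flags a build sandbox in the state this bug describes before a build fails in a less obvious way.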
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers
