mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 21:38:07 -05:00
d115af1bcc
fixes CVE-2024-32462. see https://nvd.nist.gov/vuln/detail/CVE-2024-32462.

* gnu/packages/package-management.scm (flatpak): Update to 1.14.6.
[arguments]: Add '--with-curl'
[inputs]: Add libcap, polkit, zstd. Use fuse replace fuse-2.
* gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch: Adjust patch.

Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
Change-Id: Idc9b8159f0d6c6d037852792c0dc284c70c7462e
21 lines
809 B
Diff
Most Guix system setups with a desktop environment will install the
GDK_PIXBUF_MODULE_FILE environment variable in the system profile, and it'll be
leaked into the sandbox environment of flatpak, so the applications in the
sandbox may fail to find the correct GdkPixbuf loaders.

This patch unsets the GDK_PIXBUF_MODULE_FILE environment variable before running
the sandboxed applications, which prevents loading GdkPixbuf loaders from the
path of the host system.

--- a/common/flatpak-run.c
|
|
+++ b/common/flatpak-run.c
|
|
@@ -1900,8 +1900,9 @@ static const ExportData default_exports[] = {
|
|
{"XKB_CONFIG_ROOT", NULL},
|
|
{"GIO_EXTRA_MODULES", NULL},
|
|
{"GDK_BACKEND", NULL},
|
|
+ {"GDK_PIXBUF_MODULE_FILE", NULL},
|
|
{"VK_DRIVER_FILES", NULL},
|
|
{"VK_ICD_FILENAMES", NULL},
|
|
};
|
|
|
|
static const ExportData no_ld_so_cache_exports[] = {
|
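Review bot: The added `{"GDK_PIXBUF_MODULE_FILE", NULL},` entry in `default_exports` has no comment saying why this variable is cleared, and the reason (the host system profile's loader path must not reach the sandbox) lives only in the patch description. A one-line comment above the entry would keep that rationale next to the code the next time this patch is adjusted for a new flatpak release. The description names only this one variable, so it is also worth confirming that no other GdkPixbuf-related variable set by the system profile reaches the sandbox through the same route.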