From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp11.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id cBSwAippY2JJbQEAbAwnHQ (envelope-from ) for ; Sat, 23 Apr 2022 04:49:14 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp11.migadu.com with LMTPS id 8NWvAippY2J3KQEA9RJhRA (envelope-from ) for ; Sat, 23 Apr 2022 04:49:14 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 43B423F6E1 for ; Sat, 23 Apr 2022 04:49:13 +0200 (CEST) Received: from localhost ([::1]:43582 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ni5pf-0007Cl-BB for larch@yhetil.org; Fri, 22 Apr 2022 22:49:11 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:40804) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ni5oY-0005eE-DS for guix-patches@gnu.org; Fri, 22 Apr 2022 22:48:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:32813) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1ni5oY-0006ur-38 for guix-patches@gnu.org; Fri, 22 Apr 2022 22:48:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1ni5oX-0003ld-V4 for guix-patches@gnu.org; Fri, 22 Apr 2022 22:48:01 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#55072] [PATCH]: Do not leak GDK_PIXBUF_MODULE_FILE into the sandbox. Resent-From: Zhu Zihao Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sat, 23 Apr 2022 02:48:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 55072 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 55072@debbugs.gnu.org X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.165068203514277 (code B ref -1); Sat, 23 Apr 2022 02:48:01 +0000 Received: (at submit) by debbugs.gnu.org; 23 Apr 2022 02:47:15 +0000 Received: from localhost ([127.0.0.1]:54943 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ni5nh-0003i5-40 for submit@debbugs.gnu.org; Fri, 22 Apr 2022 22:47:15 -0400 Received: from lists.gnu.org ([209.51.188.17]:49302) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ni5nc-0003ht-M6 for submit@debbugs.gnu.org; Fri, 22 Apr 2022 22:47:08 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:40782) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ni5nb-0004f5-FZ for guix-patches@gnu.org; Fri, 22 Apr 2022 22:47:03 -0400 Received: from mail-m973.mail.163.com ([123.126.97.3]:21647) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ni5nR-0006mP-Uu for guix-patches@gnu.org; Fri, 22 Apr 2022 22:46:57 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=From:Subject:Date:Message-ID:MIME-Version; bh=m48sJ 4vDgddmu3Yys63Uu5LewFLs8wBlWwNw/ToQ27E=; b=o+CUQ3mE1ZkKObK7Bbay+ sICkyNTlHXcRxqyMrXH6DjeeVVP3oDMWxnY5PBpdBsTAJNsYFZhYUDMPjH+8gJ26 zl54wDh4n0ONu8grGmPKDVa+WP6eLx71LnfRYD7+JKx162VwzijhyFZYZrqFFG+I pl9PqzUFEp0vrjFC/kOoj0= Received: from asus-laptop (unknown [163.125.202.140]) by smtp3 (Coremail) with SMTP id G9xpCgB3DZCMaGNislHCCg--.16237S2; Sat, 23 Apr 2022 10:46:38 +0800 (CST) User-agent: mu4e 1.6.10; emacs 27.2 From: Zhu Zihao Date: Sat, 23 Apr 2022 10:45:47 +0800 Message-ID: <86ilr0o6t4.fsf@163.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-CM-TRANSID: G9xpCgB3DZCMaGNislHCCg--.16237S2 X-Coremail-Antispam: 1Uf129KBjDUn29KB7ZKAUJUUUUU529EdanIXcx71UUUUU7v73 VFW2AGmfu7bjvjm3AaLaJ3UbIYCTnIWIevJa73UjIFyTuYvjxU0lkVDUUUU X-Originating-IP: [163.125.202.140] X-CM-SenderInfo: pdoosuxxwbztlvw6il2tof0z/xtbBPQ7rr2AY-9FqdgAAs9 Received-SPF: pass client-ip=123.126.97.3; envelope-from=all_but_last@163.com; helo=mail-m973.mail.163.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Migadu-Flow: FLOW_IN X-Migadu-To: larch@yhetil.org X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1650682153; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:list-id:list-help:list-unsubscribe:list-subscribe: list-post:dkim-signature; bh=m48sJ4vDgddmu3Yys63Uu5LewFLs8wBlWwNw/ToQ27E=; b=QCcr8nTn0Ma1z+1T/5PKu2xivwOyYgiY0oV53/XVAEtOiQERpISveyt1jmRp3OnaRArrR7 GKilc92a6D4NmCPN6z383C+Dxaobu2hONu7A/H9OEBwIdQSb7ZZ1DW7JHfWHjlwBD8E3C1 rWHZgoSjIPdrN+BIS9vZUwqI7yna4sJdUaoOzBaB/fD3HcPAVfvs/kzaEdYGWt0ybk5lat S86Q1l8BtwD9CjY6AdxABcxejKTqEWHe5xtEpPapA7+CG9wgi775tQAA5yDoUV7q/S7Vkq +R3lt2HpncndvP7wMm44E+vI6ggLa1H8T12WJGYeHAMfRXG4vRwD/szqzuDoiw== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1650682153; a=rsa-sha256; cv=none; b=SrS5iG+NnYXypfwgn6HrIFRwtRo+r9+lYaluBeohn7ToyYm65MrjPF6+r7WQk199ziUXvr sHR/qPwT2PTTQE4Jxxolef3jV2dSpNf0pGPhnhRsjqG/juq3FhVEQTedEMjwgaQdmEDq72 UGTnalHq9rtPh9fNCKE9ZlN8ntUV/dBi0YobNam1Mw1RXCzkyW+d/BLEhC1C4YAuPSt/wU pCs9rN0U3F7n9f+mn6syeRBMwB50mUxazViXEHOU3qWdM4AyywJuGZIPUI+niQ4z3g+mqM Fcs3wOBf6ZAWF5w7vprCXwYX77SrM/Muz/FRIlAHpkCh1uFH3/wWvLOyuInHWA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=163.com header.s=s110527 header.b=o+CUQ3mE; dmarc=fail reason="SPF not aligned (relaxed)" header.from=163.com (policy=none); spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: 2.27 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=163.com header.s=s110527 header.b=o+CUQ3mE; dmarc=fail reason="SPF not aligned (relaxed)" header.from=163.com (policy=none); spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: 43B423F6E1 X-Spam-Score: 2.27 X-Migadu-Scanner: scn0.migadu.com X-TUID: EjWbvpueWPUK --=-=-= Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" --==-=-= Content-Type: text/plain --==-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iIsEARYIADMWIQRefA5qkqvnKdl/GTlmOX+E92aT+QUCYmNohxUcYWxsX2J1dF9s YXN0QDE2My5jb20ACgkQZjl/hPdmk/l+qwEAnDgfdFUzH1nnXFlxPFJ4bKxx5FTk eYexdAnvEaIxw0kBAPTZI2txd3pUJTi1INrmFDthGAJQczjXf0hPumj8EkgN =jT8/ -----END PGP SIGNATURE----- --==-=-=-- --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: inline; filename=0001-gnu-bubblewrap-Update-to-0.6.1.patch Content-Transfer-Encoding: quoted-printable >From affd34d0f0bf6bf04110b595ce77ed8e9448b2c7 Mon Sep 17 00:00:00 2001 From: Zhu Zihao Date: Thu, 21 Apr 2022 18:48:51 +0800 Subject: [PATCH 1/3] gnu: bubblewrap: Update to 0.6.1. * gnu/packages/virtualization.scm (bubblewrap): Update to 0.6.1. --- gnu/packages/virtualization.scm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.= scm index f3396e7c94..3f7c6312f2 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -27,6 +27,7 @@ ;;; Copyright =C2=A9 2022 Oleg Pykhalov ;;; Copyright =C2=A9 2022 Ekaitz Zarraga ;;; Copyright =C2=A9 2022 Arun Isaac +;;; Copyright =C2=A9 2022 Zhu Zihao ;;; ;;; This file is part of GNU Guix. ;;; @@ -1950,7 +1951,7 @@ (define-public python-vagrant (define-public bubblewrap (package (name "bubblewrap") - (version "0.5.0") + (version "0.6.1") (source (origin (method url-fetch) (uri (string-append "https://github.com/containers/bubblewra= p/" @@ -1958,7 +1959,7 @@ (define-public bubblewrap version ".tar.xz")) (sha256 (base32 - "0608l2sjwhnb1c0mslah1h6yjvqr17wk60by6i710qwxg4rszz8n")) + "10ij62jg7p2scwdx0pm141ss7p2gjdkbbymb56y8miib2vfcf2cn")) (patches (search-patches "bubblewrap-fix-locale-in-tests.pa= tch")))) (build-system gnu-build-system) (arguments --=20 2.35.1 --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0002-gnu-flatpak-Use-G-expressions.patch >From 3432b64e34d5df329c31b1a09f476ff01a743245 Mon Sep 17 00:00:00 2001 From: Zhu Zihao Date: Thu, 21 Apr 2022 18:52:21 +0800 Subject: [PATCH 2/3] gnu: flatpak: Use G-expressions. * gnu/packages/package-management.scm (flatpak): Fix indentation. [arguments]: Use G-expressions. --- gnu/packages/package-management.scm | 183 ++++++++++++++-------------- 1 file changed, 92 insertions(+), 91 deletions(-) diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm index 9c5db0d608..2ea639d376 100644 --- a/gnu/packages/package-management.scm +++ b/gnu/packages/package-management.scm @@ -1795,103 +1795,104 @@ (define-public libostree (define-public flatpak (package - (name "flatpak") - (version "1.12.7") - (source - (origin - (method url-fetch) - (uri (string-append "https://github.com/flatpak/flatpak/releases/download/" - version "/flatpak-" version ".tar.xz")) - (sha256 - (base32 "05lkpbjiwp69q924i1jfyk5frcqbdbv9kyzbqwm2hy723i9jmdbd")) - (patches (search-patches "flatpak-fix-path.patch")))) + (name "flatpak") + (version "1.12.7") + (source + (origin + (method url-fetch) + (uri (string-append "https://github.com/flatpak/flatpak/releases/download/" + version "/flatpak-" version ".tar.xz")) + (sha256 + (base32 "05lkpbjiwp69q924i1jfyk5frcqbdbv9kyzbqwm2hy723i9jmdbd")) + (patches (search-patches "flatpak-fix-path.patch")))) - ;; Wrap 'flatpak' so that GIO_EXTRA_MODULES is set, thereby allowing GIO to - ;; find the TLS backend in glib-networking. - (build-system glib-or-gtk-build-system) + ;; Wrap 'flatpak' so that GIO_EXTRA_MODULES is set, thereby allowing GIO to + ;; find the TLS backend in glib-networking. + (build-system glib-or-gtk-build-system) - (arguments - '(#:configure-flags - (list - "--enable-documentation=no" ;; FIXME - "--enable-system-helper=no" - "--localstatedir=/var" - (string-append "--with-system-bubblewrap=" - (assoc-ref %build-inputs "bubblewrap") - "/bin/bwrap") - (string-append "--with-system-dbus-proxy=" - (assoc-ref %build-inputs "xdg-dbus-proxy") - "/bin/xdg-dbus-proxy")) + (arguments + (list + #:configure-flags + #~(list + "--enable-documentation=no" ;; FIXME + "--enable-system-helper=no" + "--localstatedir=/var" + (string-append "--with-system-bubblewrap=" + (assoc-ref %build-inputs "bubblewrap") + "/bin/bwrap") + (string-append "--with-system-dbus-proxy=" + (assoc-ref %build-inputs "xdg-dbus-proxy") + "/bin/xdg-dbus-proxy")) #:phases - (modify-phases %standard-phases - (add-after 'unpack 'fix-tests - (lambda* (#:key inputs #:allow-other-keys) - (copy-recursively - (search-input-directory inputs "lib/locale") - "/tmp/locale") - (for-each make-file-writable (find-files "/tmp")) - (substitute* "tests/make-test-runtime.sh" - (("cp `which.*") "echo guix\n") - (("cp -r /usr/lib/locale/C\\.\\*") - (string-append "mkdir ${DIR}/usr/lib/locale/en_US; \ + #~(modify-phases %standard-phases + (add-after 'unpack 'fix-tests + (lambda* (#:key inputs #:allow-other-keys) + (copy-recursively + (search-input-directory inputs "lib/locale") + "/tmp/locale") + (for-each make-file-writable (find-files "/tmp")) + (substitute* "tests/make-test-runtime.sh" + (("cp `which.*") "echo guix\n") + (("cp -r /usr/lib/locale/C\\.\\*") + (string-append "mkdir ${DIR}/usr/lib/locale/en_US; \ cp -r /tmp/locale/*/en_US.*"))) - (substitute* "tests/libtest.sh" - (("/bin/kill") (which "kill")) - (("/usr/bin/python3") (which "python3"))) - #t)) - (add-after 'unpack 'p11-kit-fix - (lambda* (#:key inputs #:allow-other-keys) - (let ((p11-path (search-input-file inputs "/bin/p11-kit"))) - (substitute* "session-helper/flatpak-session-helper.c" - (("\"p11-kit\",") - (string-append "\"" p11-path "\",")) - (("if \\(g_find_program_in_path \\(\"p11-kit\"\\)\\)") - (string-append "if (g_find_program_in_path (\"" - p11-path "\"))")))))) - ;; Many tests fail for unknown reasons, so we just run a few basic - ;; tests. - (replace 'check - (lambda _ - (setenv "HOME" "/tmp") - (invoke "make" "check" - "TESTS=tests/test-basic.sh tests/test-config.sh testcommon")))))) - (native-inputs - (list bison - dbus ; for dbus-daemon - gettext-minimal - `(,glib "bin") ; for glib-mkenums + gdbus-codegen - glibc-utf8-locales - gobject-introspection - libcap - pkg-config - python - python-pyparsing - socat - which)) - (inputs - (list appstream-glib - bubblewrap - dconf - fuse - gdk-pixbuf - gpgme - json-glib - libarchive - libostree - libseccomp - libsoup-minimal-2 - libxau - libxml2 - p11-kit-next - util-linux - xdg-dbus-proxy)) - (propagated-inputs (list glib-networking gnupg gsettings-desktop-schemas)) - (home-page "https://flatpak.org") - (synopsis "System for building, distributing, and running sandboxed desktop + (substitute* "tests/libtest.sh" + (("/bin/kill") (which "kill")) + (("/usr/bin/python3") (which "python3"))) + #t)) + (add-after 'unpack 'p11-kit-fix + (lambda* (#:key inputs #:allow-other-keys) + (let ((p11-path (search-input-file inputs "/bin/p11-kit"))) + (substitute* "session-helper/flatpak-session-helper.c" + (("\"p11-kit\",") + (string-append "\"" p11-path "\",")) + (("if \\(g_find_program_in_path \\(\"p11-kit\"\\)\\)") + (string-append "if (g_find_program_in_path (\"" + p11-path "\"))")))))) + ;; Many tests fail for unknown reasons, so we just run a few basic + ;; tests. + (replace 'check + (lambda _ + (setenv "HOME" "/tmp") + (invoke "make" "check" + "TESTS=tests/test-basic.sh tests/test-config.sh testcommon")))))) + (native-inputs + (list bison + dbus ; for dbus-daemon + gettext-minimal + `(,glib "bin") ; for glib-mkenums + gdbus-codegen + glibc-utf8-locales + gobject-introspection + libcap + pkg-config + python + python-pyparsing + socat + which)) + (inputs + (list appstream-glib + bubblewrap + dconf + fuse + gdk-pixbuf + gpgme + json-glib + libarchive + libostree + libseccomp + libsoup-minimal-2 + libxau + libxml2 + p11-kit-next + util-linux + xdg-dbus-proxy)) + (propagated-inputs (list glib-networking gnupg gsettings-desktop-schemas)) + (home-page "https://flatpak.org") + (synopsis "System for building, distributing, and running sandboxed desktop applications") - (description "Flatpak is a system for building, distributing, and running + (description "Flatpak is a system for building, distributing, and running sandboxed desktop applications on GNU/Linux.") - (license license:lgpl2.1+))) + (license license:lgpl2.1+))) (define-public akku (package -- 2.35.1 --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0003-gnu-flatpak-Do-not-leak-GDK_PIXBUF_MODULE_FILE-into-.patch >From 5f1369f8731cc1b35c3c80aac6ad7ebd89d3cb10 Mon Sep 17 00:00:00 2001 From: Zhu Zihao Date: Sat, 23 Apr 2022 10:39:32 +0800 Subject: [PATCH 3/3] gnu: flatpak: Do not leak GDK_PIXBUF_MODULE_FILE into the sandbox. Fixes https://issues.guix.gnu.org/54784. * gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch: New file. * gnu/local.mk (dist_patch_DATA): Add corresponding entry. * gnu/packages/package-management.scm (flatpak)[source]: Use patch. --- gnu/local.mk | 1 + gnu/packages/package-management.scm | 4 +++- ...flatpak-unset-gdk-pixbuf-for-sandbox.patch | 19 +++++++++++++++++++ 3 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch diff --git a/gnu/local.mk b/gnu/local.mk index 9bad87710c..ce25b0f21e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1070,6 +1070,7 @@ dist_patch_DATA = \ %D%/packages/patches/findutils-localstatedir.patch \ %D%/packages/patches/flann-cmake-3.11.patch \ %D%/packages/patches/flatpak-fix-path.patch \ + %D%/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch \ %D%/packages/patches/fontconfig-cache-ignore-mtime.patch \ %D%/packages/patches/foobillard++-pkg-config.patch \ %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch \ diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm index 2ea639d376..1ab293e2dd 100644 --- a/gnu/packages/package-management.scm +++ b/gnu/packages/package-management.scm @@ -1804,7 +1804,9 @@ (define-public flatpak version "/flatpak-" version ".tar.xz")) (sha256 (base32 "05lkpbjiwp69q924i1jfyk5frcqbdbv9kyzbqwm2hy723i9jmdbd")) - (patches (search-patches "flatpak-fix-path.patch")))) + (patches + (search-patches "flatpak-fix-path.patch" + "flatpak-unset-gdk-pixbuf-for-sandbox.patch")))) ;; Wrap 'flatpak' so that GIO_EXTRA_MODULES is set, thereby allowing GIO to ;; find the TLS backend in glib-networking. diff --git a/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch b/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch new file mode 100644 index 0000000000..79fec8e526 --- /dev/null +++ b/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch @@ -0,0 +1,19 @@ +Most Guix system setup with desktop evironment will install GDK_PIXBUF_MODULE_FILE +environment variable in the system profile, and it'll be leaked into the sandbox +environment of flatpak, so the applications in sandbox may fail to find correct +GdkPixbuf loaders. + +This patch unset the GDK_PIXBUF_MODULE_FILE environment variable before running +the sandboxed applications, prevents it to load GdkPixbuf loaders from the path +of host system. + +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -1853,6 +1853,7 @@ static const ExportData default_exports[] = { + {"GST_PTP_HELPER", NULL}, + {"GST_PTP_HELPER_1_0", NULL}, + {"GST_INSTALL_PLUGINS_HELPER", NULL}, ++ {"GDK_PIXBUF_MODULE_FILE", NULL}, + }; + + static const ExportData no_ld_so_cache_exports[] = { -- 2.35.1 --=-=-= Content-Type: text/plain -- Retrieve my PGP public key: gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F Zihao --=-=-=--