commit b7c1a558e58aaeb1d007d29529bbb270dc4ff11e
Author: Alexander Larsson <alexl@redhat.com>
Date:   Mon Apr 15 16:10:36 2024 +0200

    When starting non-static command using bwrap use "--"

    This ensures that the command is not taken to be a bwrap option.

    Resolves: CVE-2024-32462
    Resolves: GHSA-phv6-cpc2-2fgj
    Signed-off-by: Alexander Larsson <alexl@redhat.com>
    [smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
    [smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
    Signed-off-by: Simon McVittie <smcv@collabora.com>

diff -Nura flatpak-1.4.2/app/flatpak-builtins-build.c flatpak-1.4.2_new/app/flatpak-builtins-build.c
--- flatpak-1.4.2/app/flatpak-builtins-build.c	2019-06-28 19:06:56.000000000 +0800
+++ flatpak-1.4.2_new/app/flatpak-builtins-build.c	2024-04-29 01:42:58.371460648 +0800
@@ -572,7 +572,8 @@
   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
     return FALSE;
 
-  flatpak_bwrap_add_args (bwrap, command, NULL);
+  flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+
   flatpak_bwrap_append_argsv (bwrap,
                               &argv[rest_argv_start + 2],
                               rest_argc - 2);
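Review bot: The `--` terminator is added on the `flatpak_bwrap_add_args` line without any explanation, whereas the same change in flatpak-run.c near line 795 carries a comment; an unexplained `"--"` invites a later edit that appends a bwrap option after it, which bwrap would then hand to the command instead of parsing. Suggest a one-line comment above the call, `/* End of options: "--" makes bwrap treat everything after it as the command and its argv */`, and the same comment on the other two uncommented insertions, the `"--"` before `NULL` in the flatpak-dir.c hunk and `flatpak_bwrap_add_args (bwrap, "--", command, NULL);` in the second flatpak-run.c hunk. The enclosing function begins and continues outside this hunk, so whether anything else is appended to `bwrap` before `flatpak_bwrap_append_argsv` cannot be checked here.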
diff -Nura flatpak-1.4.2/common/flatpak-dir.c flatpak-1.4.2_new/common/flatpak-dir.c
--- flatpak-1.4.2/common/flatpak-dir.c	2019-06-28 19:06:56.000000000 +0800
+++ flatpak-1.4.2_new/common/flatpak-dir.c	2024-04-29 01:44:06.375747571 +0800
@@ -6236,6 +6236,7 @@
                                   "--proc", "/proc",
                                   "--dev", "/dev",
                                   "--bind", basedir, basedir,
+                                  "--",
                                   NULL);
 #endif
           flatpak_bwrap_add_args (bwrap,
diff -Nura flatpak-1.4.2/common/flatpak-run.c flatpak-1.4.2_new/common/flatpak-run.c
--- flatpak-1.4.2/common/flatpak-run.c	2024-04-29 01:40:04.541727222 +0800
+++ flatpak-1.4.2_new/common/flatpak-run.c	2024-04-29 01:46:00.500229080 +0800
@@ -795,6 +795,9 @@
   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
     return FALSE;
 
+  /* End of options: the next argument will be the executable name */
+  flatpak_bwrap_add_arg (bwrap, "--");
+
   return TRUE;
 }
 
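Review bot: Closing the option list inside this helper with `flatpak_bwrap_add_arg (bwrap, "--")` silently turns anything a caller appends afterwards into the executed command and its arguments, and the comment above it describes only the next argument, not that obligation on callers. Suggest extending it to state the contract, e.g. `/* End of options: the next argument will be the executable name; callers must not add further bwrap options after this returns. */`. The function's signature and earlier body are outside the hunk, so whether any existing caller still adds options after this point cannot be confirmed from here and is worth checking at each call site.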
@@ -3534,7 +3537,7 @@
   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
     return FALSE;
 
-  flatpak_bwrap_add_arg (bwrap, command);
+  flatpak_bwrap_add_args (bwrap, "--", command, NULL);
 
   if (!add_rest_args (bwrap, app_ref_parts[1],
                       exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,
