[From nobody Wed Apr 8 00:21:08 2026 Received: (at submit) by bugs.debian.org; 7 Apr 2026 21:36:44 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-116.7 required=4.0 tests=BAYES_00, BODY_INCLUDES_PACKAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,FROMDEVELOPER,HAS_PACKAGE,SPF_HELO_NONE, SPF_NONE,UNPARSEABLE_RELAY,USER_IN_DKIM_WELCOMELIST autolearn=ham autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 11; hammy, 125; neutral, 26; spammy, 0. spammytokens: hammytokens:0.000-+--Hx-spam-relays-external:sk:stravin, 0.000-+--H*RT:sk:stravin, 0.000-+--Hx-spam-relays-external:311, 0.000-+--H*RT:311, 0.000-+--H*RT:108 Return-path: <smcv@debian.org> Received: from stravinsky.debian.org ([2001:41b8:202:deb::311:108]:54338) by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <smcv@debian.org>) id 1wAE6F-0049EL-2x for submit@bugs.debian.org; Tue, 07 Apr 2026 21:36:43 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:Content-Type:MIME-Version:Message-ID: Subject:To:From:Date:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:In-Reply-To:References; bh=6tYml/MXChiy1adjQgcmq69ttG002qZFjxYn4gmgGCc=; b=aNNRmv6PzXL7W/CA2YEBf9hw+T ElyErNOvR5ITfMk9GifT4cjw1RjJcDK89CdYaZiHpx6WMTrBKFoZjKuqnvk3YLmnhd2bg8IiyMcMU e5rSTDHnp91h9LTpTSuQuH0YAq6Y4GQiSa85n3EkF8WPu3O1bw0pzO0qV0gfq4rBEz800pr521PEm v3+CPyLfgGwoQzkr9d1DPOU6XbZYax6oPpgH+XmjW5EZtVpbUvIHYfV0uPTMb6FVj4VSldab7vjzM RLBqqNr6bsBSPXUMSAIvscgny6am2kEiRPDtp16cPq46VspN/Vugalyy4ukEHZzU0QJ5kAyql8Vxt e0lIzk0Q==; Received: from authenticated user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <smcv@debian.org>) id 1wAE6F-007w19-2X for submit@bugs.debian.org; Tue, 07 Apr 2026 21:36:42 +0000 Date: Tue, 7 Apr 2026 22:36:41 +0100 From: Simon McVittie <smcv@debian.org> To: Debian Bug Tracking System <submit@bugs.debian.org> Subject: flatpak: CVE-2026-34079: Arbitrary file deletion on the host filesystem Message-ID: <adV46UueG0Qxwvbp@definition.pseudorandom.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Debian-User: smcv Delivered-To: submit@bugs.debian.org Package: flatpak Severity: important Tags: security X-Debbugs-Cc: Debian Security Team <team@security.debian.org> Flatpak older than 1.16.4 has an issue in which the caching for ld.so removes outdated cache files without properly checking that the app-controlled path to the outdated cache is in the cache directory. A malicious or compromised Flatpak app could use this to delete arbitrary files on the host system, a denial of service vulnerability (denying availability). I think we should fix this in the same batch as the much more serious CVE-2026-34078. Thanks, smcv ]