[From nobody Wed Apr  8 00:21:09 2026
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Reply-To: Simon McVittie <smcv@debian.org>
To: 1132943-close@bugs.debian.org
X-DAK: dak process-upload
X-Debian: DAK
X-Debian-Package: flatpak
Debian: DAK
Debian-Changes: flatpak_1.17.3-2_source.changes
Debian-Source: flatpak
Debian-Version: 1.17.3-2
Debian-Architecture: source
Debian-Suite: experimental
Debian-Archive-Action: accept
MIME-Version: 1.0
Subject: Bug#1132943: fixed in flatpak 1.17.3-2
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature";
 boundary="===============3170321811576352448=="
Message-Id: <E1wAFhb-00000006aZw-2OsI@fasolo.debian.org>
Date: Tue, 07 Apr 2026 23:19:23 +0000

--===============3170321811576352448==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Source: flatpak
Source-Version: 1.17.3-2
Done: Simon McVittie <smcv@debian.org>

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1132943@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Apr 2026 23:55:57 +0100
Source: flatpak
Architecture: source
Version: 1.17.3-2
Distribution: experimental
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.17.3-2) experimental; urgency=high
 .
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious or
     compromised Flatpak app
     (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide
     via the system helper.
     (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
   * Merge packaging changes from unstable
   * Standards-Version: 4.7.4 (no changes required)
 .
 flatpak (1.16.4-1) unstable; urgency=high
 .
   * New upstream security release
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to achieve
       arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg)
     - Prevent arbitrary file deletion outside the sandbox by a malicious or
       compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide
       via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg)
 .
 flatpak (1.16.3-1) unstable; urgency=medium
 .
   * New upstream stable release
     - In flatpak-build(1), only provide /run/host/font-dirs.xml if the
       calling process has not already added it, fixing a regression for
       users of GNOME Builder and Foundry (flatpak#6450 upstream)
   * Standards-Version: 4.7.3
     - Remove Priority: optional, unnecessary since Debian 13
   * d/watch: Convert to v5 format
   * d/watch: Only watch stable (even-numbered) releases
     - d/watch.devel: Add a second watch file for development
       (odd-numbered) releases
Git-Tag-Info: tag=46c1c72dff67c46125282c6b2a8a135d2802a537 fp=7a073ad1ae694fa25bff62e5235c099d3eb33076
Git-Tag-Tagger: Simon McVittie <smcv@debian.org>

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----


--===============3170321811576352448==
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--===============3170321811576352448==--
]