Received: (at submit) by bugs.debian.org; 9 Apr 2026 21:27:49 +0000
Return-path: <smcv@debian.org>
Received: from stravinsky.debian.org ([2001:41b8:202:deb::311:108]:46696)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <smcv@debian.org>) id 1wAwuj-00A5Q9-1m
 for submit@bugs.debian.org; Thu, 09 Apr 2026 21:27:49 +0000
Received: from authenticated user by stravinsky.debian.org with esmtpsa
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <smcv@debian.org>) id 1wAwuh-009UNA-2U
 for submit@bugs.debian.org; Thu, 09 Apr 2026 21:27:48 +0000
Date: Thu, 9 Apr 2026 22:27:45 +0100
From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: flatpak-builder: CVE-2026-39977: path traversal leading to arbitrary
 file read on host when installing licence files
Message-ID: <adgZ0dr9sOSut5J6@definition.pseudorandom.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Mutt-Fcc: =.lists.debian/
X-Reportbug-Version: 13.2.0
X-Debian-User: smcv
Delivered-To: submit@bugs.debian.org

Package: flatpak-builder
Version: 1.4.5-1
Severity: important
Tags: upstream
Forwarded: https://github.com/flatpak/flatpak-builder/security/advisories/GHSA-6gm9-3g7m-3965
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

If flatpak-builder is used to build a Flatpak app from a malicious 
manifest or source code, a path traversal vulnerability in versions 
1.4.5+ can be used to copy sensitive/secret files from the host system 
into the app.

Luckily trixie and older are not believed to have the vulnerable 
feature (trixie has flatpak-builder 1.4.4).

A mitigation is that if you only build Flatpak apps that you trust (the 
most likely use case) there is no problem, so I've reported this as 
non-RC (but please escalate to RC if the security team disagrees). 
This is mainly a problem for centralized services like Flathub that want 
to build untrusted or only-semi-trusted Flatpak apps from source.

    smcv
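The check that closes this class of bug, as an added example that is not flatpak-builder's own code: a licence path taken from an untrusted manifest is resolved with symlinks followed and rejected unless it stays under the source tree. The source tree, the stand-in host file and the manifest entries in demo() are constructed for illustration.

```python
"""Path-containment check for licence files named in an untrusted manifest.

Added example, not flatpak-builder's own code. It shows the check a build
tool should make before copying a manifest-supplied file into the app: the
file's resolved path must stay inside the source tree. The manifest entries
in demo() are constructed for illustration.
"""
import os
import tempfile


def resolve_inside(root: str, relpath: str) -> str:
    """Return the resolved absolute path of root/relpath, or raise
    ValueError if it escapes root. realpath() follows symlinks, so a link
    inside the tree that points at a host file is rejected as well as a
    plain ../ traversal."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, relpath))
    # commonpath() avoids the prefix bug where /build also "matches" /build2.
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError(f"{relpath!r} resolves to {candidate}, outside {real_root}")
    return candidate


def demo() -> dict:
    """Build a throwaway source tree beside a stand-in "host" directory and
    classify four constructed manifest licence entries."""
    results = {}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as host:
        secret = os.path.join(host, "secret.txt")  # stands in for a host-only file
        open(secret, "w").close()
        open(os.path.join(src, "COPYING"), "w").close()
        # A symlink shipped inside the source tree that points at the host file.
        os.symlink(secret, os.path.join(src, "LICENSE"))
        entries = {
            "plain": "COPYING",                      # legitimate licence file
            "dotdot": os.path.relpath(secret, src),  # ../<host dir>/secret.txt
            "absolute": secret,                      # join() discards root for absolute paths
            "symlink": "LICENSE",                    # escapes through the link target
        }
        for name, rel in entries.items():
            try:
                resolve_inside(src, rel)
                results[name] = "accepted"
            except ValueError:
                results[name] = "rejected"
    return results
```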