[From nobody Mon Apr 13 19:53:06 2026
Date: Wed, 8 Apr 2026 11:41:32 +0100
From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: flatpak: regression after fixing CVE-2026-34078 for users of
 Flatpak-packaged browsers
Message-ID: <adYw3CIGT2mx0nrQ@definition.pseudorandom.co.uk>

Package: flatpak
Version: 1.16.4-1
Severity: important
Tags: upstream
Forwarded: https://github.com/flatpak/flatpak/issues/6570
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

There appears to be another regression in the fix for CVE-2026-34078 
affecting Chromium/CEF/Electron-based web browsers with internal 
sandboxing that are packaged as Flatpak apps, such as Vivaldi and Brave. 
Details at upstream bug link above. No solution is known yet; I will try 
to upload a fix to unstable ASAP when one is available.

Probably there is a file descriptor leak or double-close, or some similar 
file descriptor book-keeping problem.

    smcv
]