[From nobody Sat Apr 18 16:19:05 2026
Received: (at submit) by bugs.debian.org; 7 Apr 2026 21:27:57 +0000
Return-path: <smcv@debian.org>
Received: from stravinsky.debian.org ([2001:41b8:202:deb::311:108]:54036)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <smcv@debian.org>) id 1wADxl-00486I-0J
 for submit@bugs.debian.org; Tue, 07 Apr 2026 21:27:57 +0000
Received: from authenticated user by stravinsky.debian.org with esmtpsa
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <smcv@debian.org>) id 1wADxk-007vjB-20
 for submit@bugs.debian.org; Tue, 07 Apr 2026 21:27:55 +0000
Date: Tue, 7 Apr 2026 22:27:52 +0100
From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2026-34078: Sandbox escape involving symlinks passed to
 flatpak-portal
Message-ID: <adV22B_7h0IYq0_r@definition.pseudorandom.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Mutt-Fcc: =.lists.debian/
X-Reportbug-Version: 13.2.0
X-Debian-User: smcv
Delivered-To: submit@bugs.debian.org

Package: flatpak
Version: 0.11.4-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Flatpak older than 1.16.4 has a complete sandbox escape which leads to
host file access and code execution in the host context 
(CVE-2026-34078). I believe all versions since 0.11.4, which added 
flatpak-portal, are vulnerable.

A malicious or compromised Flatpak app could exploit this to achieve 
arbitrary code execution on the host.

For testing/unstable, I am about to upload the new upstream release 
1.16.4. This fixes CVE-2026-34078 and some other, less serious security 
issues for which I will report separate bugs.

For trixie, I would like to address this by uploading the new upstream 
release to trixie-security. It would be easiest to do this if the 
security team will allow uploading a backport of 1.16.4 from unstable, 
reverting packaging changes that aren't appropriate. I previously did 
non-security uploads of Flatpak 1.16.2 and 1.16.3 to trixie in this way, 
with the release team's approval. I'll prepare a debdiff shortly.

For bookworm, because upstream no longer supports 1.14.x, it will be 
necessary to backport the upstream changes, which is unfortunately 
rather involved. I've been preparing this under embargo, but I would 
appreciate it if the security team could either review the backport, or 
take over responsibility for this release.

Thanks,
    smcv
]