[From nobody Sat Apr 18 16:19:05 2026 Received: (at submit) by bugs.debian.org; 7 Apr 2026 21:38:58 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-116.6 required=4.0 tests=BAYES_00, BODY_INCLUDES_PACKAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,FOURLA,FROMDEVELOPER,HAS_PACKAGE, SPF_HELO_NONE,SPF_NONE,UNPARSEABLE_RELAY,USER_IN_DKIM_WELCOMELIST autolearn=ham autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 9; hammy, 119; neutral, 34; spammy, 0. spammytokens: hammytokens:0.000-+--Hx-spam-relays-external:sk:stravin, 0.000-+--H*RT:sk:stravin, 0.000-+--Hx-spam-relays-external:311, 0.000-+--H*RT:311, 0.000-+--H*RT:108 Return-path: <smcv@debian.org> Received: from stravinsky.debian.org ([2001:41b8:202:deb::311:108]:33306) by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <smcv@debian.org>) id 1wAE8Q-0049iV-0U for submit@bugs.debian.org; Tue, 07 Apr 2026 21:38:58 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:Content-Type:MIME-Version:Message-ID: Subject:To:From:Date:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:In-Reply-To:References; bh=oZXj/+VYx+xZ+hBGdYqe1PyIxvIKyOSqSPvbMlrIlgY=; b=ALQoiiY3sfWFh3UxShRkdIMiHX vPRdBDtmrblvFWIOHBhkKJeaiXijN6xjIyLa7ms3pZtw324krIJ0IwL55LTvSaoD7YFdbvcQYx/oe CxKNB5QftDrGtCr1a+Ho28OtU7qNs4vN9NutlzL31wGq7ZAavnWJQjxBGil32tQE73HCnR+NR2Vyq +g1cZAuN+DNEqc7GO1IwA8tkvBrhl0W6ZPw/eR1SqMjesqhMFZfVGT/71IG9Y5fiSKygf9QmuUpy4 rlDmexLNibEFIC9K7aXjK32qlYSV+YYbDm3fjVPohHGaopW1/2adMpxG/y0I6RyEXlDsCo7p5fxPW lg9JNSmw==; Received: from authenticated user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <smcv@debian.org>) id 1wAE8Q-007w8h-00 for submit@bugs.debian.org; Tue, 07 Apr 2026 21:38:56 +0000 Date: Tue, 7 Apr 2026 22:38:55 +0100 From: Simon McVittie <smcv@debian.org> To: Debian Bug Tracking System <submit@bugs.debian.org> Subject: flatpak: GHSA-89xm-3m96-w3jg: cross-user CancelPull orphans another user's ongoing pull Message-ID: <adV5b99wWj8QErHP@definition.pseudorandom.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Debian-User: smcv Delivered-To: submit@bugs.debian.org Package: flatpak Severity: important Tags: security X-Debbugs-Cc: Debian Security Team <team@security.debian.org> Flatpak older than 1.16.4 has an issue in which one local user can use the CancelPull method to cancel an ongoing download by a second local user, preventing the second user from subsequently cancelling that download. This is (at least arguably) a denial of service. No CVE ID has been assigned: it was not clear whether this is really a security vulnerability, or just a bug. I think we should fix this in the same batch as the much more serious CVE-2026-34078. Thanks, smcv ]