[From nobody Sat Apr 18 16:19:07 2026
Received: (at submit) by bugs.debian.org; 7 Apr 2026 21:42:20 +0000
Return-path: <smcv@debian.org>
Date: Tue, 7 Apr 2026 22:42:17 +0100
From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: flatpak: GHSA-2fxp-43j9-pwvc: Arbitrary read-access to files readable by _flatpak user
Message-ID: <adV6OeQqm63fzRBR@definition.pseudorandom.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Debian-User: smcv
Delivered-To: submit@bugs.debian.org

Package: flatpak
Severity: minor
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

In Flatpak older than 1.16.4, a local user can obtain read access to any
file that is readable by the user account running flatpak-system-helper
(in Debian, this is the "_flatpak" user). A mitigation is that usually
that user account can only read files that are world-readable anyway,
and a further mitigation is that this is only possible if a system OCI
repository is configured (rarely done on non-Fedora systems).

No CVE ID has been allocated: it wasn't clear whether this is a security 
vulnerability at all, or just a bug, but out of an abundance of caution 
it went through the process for dealing with embargoed vulnerabilities.

I think we should fix this in the same batch as the much more serious 
CVE-2026-34078.

Thanks,
    smcv
]