[From nobody Sat Apr 25 11:50:08 2026
Received: (at 1132944-close) by bugs.debian.org; 25 Apr 2026 10:49:11 +0000
Return-path: <envelope@ftp-master.debian.org>
Received: from mitropoulos.debian.org
 ([2001:648:2ffc:deb:216:61ff:fe9d:958d]:55748)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>)
 id 1wGaZT-000QYI-1Z for 1132944-close@bugs.debian.org;
 Sat, 25 Apr 2026 10:49:11 +0000
Received: via submission
 from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA,
 CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified)
 by mitropoulos.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>)
 id 1wGaZR-00FiwD-2r for 1132944-close@bugs.debian.org;
 Sat, 25 Apr 2026 10:49:09 +0000
Received: from dak by fasolo.debian.org with local (Exim 4.98.2)
 (envelope-from <envelope@ftp-master.debian.org>)
 id 1wGaZQ-00000009zSS-2tzD; Sat, 25 Apr 2026 10:49:08 +0000
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Reply-To: Simon McVittie <smcv@debian.org>
To: 1132944-close@bugs.debian.org
X-DAK: dak process-policy
X-Debian: DAK
X-Debian-Package: flatpak
Debian: DAK
Debian-Changes: flatpak_1.14.10-1~deb12u2_source.changes
Debian-Source: flatpak
Debian-Version: 1.14.10-1~deb12u2
Debian-Architecture: source
Debian-Suite: oldstable-proposed-updates
Debian-Archive-Action: accept
MIME-Version: 1.0
Subject: Bug#1132944: fixed in flatpak 1.14.10-1~deb12u2
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature";
 boundary="===============8848209841231197074=="
Message-Id: <E1wGaZQ-00000009zSS-2tzD@fasolo.debian.org>
Date: Sat, 25 Apr 2026 10:49:08 +0000

--===============8848209841231197074==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Source: flatpak
Source-Version: 1.14.10-1~deb12u2
Done: Simon McVittie <smcv@debian.org>

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1132944@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 20:27:40 +0100
Source: flatpak
Architecture: source
Version: 1.14.10-1~deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 1132943 1132944 1132945 1132946 1132960 1132968
Changes:
 flatpak (1.14.10-1~deb12u2) bookworm-security; urgency=high
 .
   * Security update
   * d/p/CVE-2026-34078-prep/*.patch:
     Backport libglnx changes required to address CVE-2026-34078
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious or
     compromised Flatpak app
     (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide
     via the system helper.
     (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
   * d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
     d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
     Add patches from upstream flatpak-1.14.x branch (which never got into a
     release before the branch was discontinued), originally from 1.16.1,
     fixing a thread-safety issue in flatpak-portal
   * d/p/1.16.5/*.patch:
     Add regression fixes taken from the upstream 1.16.5 release,
     fixing various regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132960)
   * d/p/1.16.6/*.patch:
     Add regression fixes taken from the upstream 1.16.6 release,
     fixing additional regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132968)
     - d/control: Add curl(1) to Build-Depends and flatpak-tests Depends
   * d/p/1.16.7/bwrap-Clarify-a-comment.patch,
     d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
     Silence a spurious warning seen while testing 1.16.6
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----


--===============8848209841231197074==
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--===============8848209841231197074==--
]