[Pkg-utopia-maintainers] Bug#1033078: unblock: flatpak/1.14.4-1

[Simon McVittie]

Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: flatpak at packages.debian.org, security at debian.org
Control: affects -1 + src:flatpak

Please unblock package flatpak

[ Reason ]
New upstream stable release fixing a security issue.

[ Impact ]
CVE-2023-28101: A malicious Flatpak app could prevent the flatpak(1) CLI
from displaying its permissions as intended, by having crafted permissions
or other metadata containing terminal escape sequences or other special
characters.

CVE-2023-28100: A malicious Flatpak app could execute code outside the
sandbox if run from a Linux virtual console. (Mitigation: I'm fairly
sure nobody actually does this, because Flatpak is intended to be used
in a Wayland or X11 environment; running it from an xterm or equivalent
is not vulnerable.)

[ Tests ]
The automated test suite is run at build-time and by autopkgtest, and
still passes. It includes tests for the two CVE issues. Coverage on buildds
and lxc is not great, because we're unable to actually run Flatpak apps in
that environment, but I ran the autopkgtest in qemu before upload and that
also passes.

[ Risks ]
Low risk, targeted fixes only. The only non-security change is a
translation update.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
As with bullseye, I'm involved in upstream release management, and I'd
like to make use of upstream stable releases for stable/security updates
in preference to forking the upstream codebase for Debian.

unblock flatpak/1.14.4-1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: flatpak_1.14.4-1.diff
Type: text/x-diff
Size: 32208 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20230316/4133cd82/attachment-0001.diff>