[Pkg-utopia-maintainers] Bug#1132943: CVE-2026-34078: Sandbox escape involving symlinks passed to flatpak-portal

Simon McVittie smcv at debian.org
Tue Apr 7 23:31:34 BST 2026


Control: fixed 1132943 1.16.4-1
Control: fixed 1132944 1.16.4-1
Control: fixed 1132945 1.16.4-1
Control: fixed 1132946 1.16.4-1

On Tue, 07 Apr 2026 at 22:27:52 +0100, Simon McVittie wrote:
> For testing/unstable, I am about to upload the new upstream release
> 1.16.4. This fixes CVE-2026-34078 and some other, less serious security
> issues for which I will report separate bugs.

Uploaded.

> For trixie, I would like to address this by uploading the new upstream
> release to trixie-security. It would be easiest to do this if the
> security team will allow uploading a backport of 1.16.4 from unstable,
> reverting packaging changes that aren't appropriate. I previously did
> non-security uploads of Flatpak 1.16.2 and 1.16.3 to trixie in this way,
> with the release team's approval. I'll prepare a debdiff shortly.

Proposed in: https://salsa.debian.org/debian/flatpak/-/merge_requests/6

The security team is welcome to do this as a sponsored upload if that 
would be helpful, or I can prepare and upload a signed .dsc. Unsigned 
version at https://people.debian.org/~smcv/temp/2026/CVE-2026-34078/ for 
consistency checking (there's also a lightly filtered debdiff there).

All of this new upstream release was to address CVE-2026-34078 and 
CVE-2026-34079, together with two maybe-security-maybe-not issues, 
GHSA-89xm-3m96-w3jg and GHSA-2fxp-43j9-pwvc.

The vast majority of the diff is necessary to fix CVE-2026-34078 
(#1132943), the most serious of the bugs addressed here. Unfortunately 
while reviewing an earlier, more minimal attempt at fixing 
CVE-2026-34078 I realised that it contained time-of-check/time-of-use 
vulnerabilities, and to address those it was necessary to implement some 
new helper functions for dealing with O_PATH fds.

Exceptions:

- The part in common/flatpak-context.c is not strictly necessary, but the
   fix for CVE-2026-34078 used a helper function factored out from here.

- The part in common/flatpak-oci-registry.c (one line plus comments)
   is for GHSA-2fxp-43j9-pwvc (#1132946).

- The part in common/flatpak-utils.c is CVE-2026-34079 (#1132944),
   except for flatpak_parse_fd() which is for CVE-2026-34078.

- l10n files (po/*.po) were updated during the upstream release process.

- subprojects/libglnx is a "copylib" containing backports from GLib,
   and Linux-specific utility code.
   + The backport of g_clear_fd() is not needed for trixie, but will be
     needed in bookworm.
   + glnx_chaseat() and glnx_fd_reopen() are needed for CVE-2026-34078.
   + glnx_statx() and glnx_chase_and_statxat() likewise.
   + The changes in subprojects/libglnx/glnx-fdio.c involving
     proc_self_fd_slash are not strictly related to any of this, but
     they fix an undefined-behaviour situation diagnosed by clang, and
     seem harmless.
   + The change in subprojects/libglnx/glnx-local-alloc.h is just
     deleting a duplicate macro definition.
   + The change in subprojects/libglnx/glnx-lockfile.c adds a
     precondition check for valid parameters. I checked that none of the
     calls to this function in Flatpak will trigger this.
   + The syscall glue in subprojects/libglnx/glnx-missing-syscall.h might
     not be needed for trixie, but is probably needed in bookworm, for
     compatibility with older glibc.

- The part in system-helper/flatpak-system-helper.c is for
   GHSA-89xm-3m96-w3jg (#1132945).

I'm also preparing a bookworm update but that's more difficult, so I 
haven't got as far as testing it yet.

     smcv
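The time-of-check/time-of-use problem the mail describes, and the O_PATH-fd approach it says was needed to close it, as an added C example that is not Flatpak's or libglnx's code. It places a check-then-open-by-path function (the racy shape) next to one that opens the final path component with O_PATH|O_NOFOLLOW, inspects that handle with fstat(), and reopens the same inode through /proc/self/fd, which is the general idea behind a helper like glnx_fd_reopen(). The function names, the scratch directory under /tmp, the fixture files and the O_PATH fallback constant are all assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_PATH
#define O_PATH 010000000   /* Linux value on x86/arm; only used if <fcntl.h> hid it */
#endif

/* "Before" shape: check the *path*, then open the *path*. Nothing ties the
 * open() to the inode that lstat() examined, so a symlink swapped in between
 * the two calls is silently followed. (Hypothetical helper, not Flatpak code.) */
int open_regular_file_racy(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISREG(st.st_mode))
        return -1;
    /* ---- race window: the path may now refer to something else ---- */
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* "After" shape: take an O_PATH handle on the final component without
 * following a symlink, fstat() that handle, then reopen the very same inode
 * via /proc/self/fd. The object checked and the object used are identical.
 * On success *checked (if non-NULL) receives the stat data the decision used.
 * (Hypothetical helper in the spirit of glnx_fd_reopen(); not libglnx code.) */
int open_regular_file_safe(const char *path, struct stat *checked)
{
    struct stat st;
    char proc[64];
    int pfd = open(path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (pfd < 0)
        return -1;
    if (fstat(pfd, &st) < 0) {
        close(pfd);
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {        /* a symlink shows up here as S_IFLNK */
        close(pfd);
        errno = ELOOP;
        return -1;
    }
    snprintf(proc, sizeof proc, "/proc/self/fd/%d", pfd);
    int fd = open(proc, O_RDONLY | O_CLOEXEC);   /* resolves to the inode, no path walk */
    close(pfd);
    if (fd >= 0 && checked)
        *checked = st;
    return fd;
}

/* Constructed scratch fixture: <dir>/real is a regular file, <dir>/link is a
 * symlink to it. Returns 0 on success. */
static int make_fixture(char *dir, size_t len)
{
    char real[PATH_MAX], lnk[PATH_MAX];
    snprintf(dir, len, "/tmp/opath-demo-XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(real, sizeof real, "%s/real", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return symlink("real", lnk);
}

static void remove_fixture(const char *dir)
{
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/real", dir); unlink(p);
    snprintf(p, sizeof p, "%s/link", dir); unlink(p);
    rmdir(dir);
}

/* 1 if the O_PATH route refuses a symlink in the final component. */
int demo_safe_rejects_symlink(void)
{
    char dir[PATH_MAX], p[PATH_MAX];
    if (make_fixture(dir, sizeof dir) < 0)
        return 0;
    snprintf(p, sizeof p, "%s/link", dir);
    int fd = open_regular_file_safe(p, NULL);
    int rejected = (fd < 0 && errno == ELOOP);
    if (fd >= 0)
        close(fd);
    remove_fixture(dir);
    return rejected;
}

/* 1 if the fd handed back is exactly the inode that was inspected. */
int demo_safe_open_keeps_inode(void)
{
    char dir[PATH_MAX], p[PATH_MAX];
    struct stat checked, used;
    if (make_fixture(dir, sizeof dir) < 0)
        return 0;
    snprintf(p, sizeof p, "%s/real", dir);
    int fd = open_regular_file_safe(p, &checked);
    int same = fd >= 0 && fstat(fd, &used) == 0 &&
               used.st_dev == checked.st_dev && used.st_ino == checked.st_ino;
    if (fd >= 0)
        close(fd);
    remove_fixture(dir);
    return same;
}
```

Two design points. First, with O_PATH|O_NOFOLLOW a trailing symlink does not cause ELOOP; open() returns a handle to the link itself, which is why the S_ISREG test on the fstat() result is what actually rejects it. Second, this only pins the final component: directory components earlier in the path are still resolved by the kernel in the usual way, which is the gap a chase-style helper such as the glnx_chaseat() mentioned above exists to close.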
