[Pkg-utopia-maintainers] Bug#1133099: flatpak-builder: CVE-2026-39977: path traversal leading to arbitrary file read on host when installing licence files
Simon McVittie
smcv at debian.org
Thu Apr 9 22:27:45 BST 2026
Package: flatpak-builder
Version: 1.4.5-1
Severity: important
Tags: upstream
Forwarded: https://github.com/flatpak/flatpak-builder/security/advisories/GHSA-6gm9-3g7m-3965
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
If flatpak-builder is used to build a Flatpak app from a malicious
manifest or source code, a path traversal vulnerability in versions
1.4.5+ can be used to copy sensitive/secret files from the host system
into the app.
Luckily trixie and older are not believed to have the vulnerable
feature (trixie has flatpak-builder 1.4.4).
A mitigation is that if you only build Flatpak apps that you trust (the
most likely use case) there is no problem, so I've reported this as
non-RC (but please escalate to RC if the security team disagrees).
This is mainly a problem for centralized services like Flathub that want
to build untrusted or only-semi-trusted Flatpak apps from source.
smcv
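As an added illustration of the kind of containment check a "copy licence files from the source tree into the app" feature needs (example code written for this report, not flatpak-builder's own code; it assumes a simplified model in which the manifest lists licence paths relative to the unpacked source directory):

```python
import os
import shutil
import tempfile
from pathlib import Path


def resolve_inside(root, relpath):
    """Return the real absolute path of relpath under root, or raise
    ValueError if it resolves outside root.  realpath() follows symlinks
    and collapses "..", so a manifest entry like "../../etc/passwd" and a
    symlink inside the tree that points at a host file are both caught;
    commonpath() compares whole components, so "src" vs "srcfoo" is safe."""
    if os.path.isabs(relpath):
        raise ValueError(f"absolute path not allowed: {relpath}")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, relpath))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError(f"path escapes source tree: {relpath}")
    return candidate


def install_licences(source_dir, licence_paths, dest_dir):
    """Copy each manifest-listed licence file into dest_dir.  Every entry is
    resolved before anything is copied, so a bad entry fails closed."""
    resolved = [resolve_inside(source_dir, rel) for rel in licence_paths]
    os.makedirs(dest_dir, exist_ok=True)
    installed = []
    for src in resolved:
        dst = os.path.join(dest_dir, os.path.basename(src))
        shutil.copyfile(src, dst)
        installed.append(dst)
    return installed


def demo():
    """Constructed source tree: a genuine licence file, a ".." entry and a
    symlink pointing at a file outside the tree (standing in for the host)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(src)
        Path(src, "COPYING").write_text("MIT\n")
        Path(tmp, "host-secret").write_text("not for the app\n")
        os.symlink(os.path.join(tmp, "host-secret"), os.path.join(src, "LICENSE"))
        for rel in ("COPYING", "../host-secret", "LICENSE"):
            try:
                install_licences(src, [rel], os.path.join(tmp, "app", "licenses"))
                results[rel] = "installed"
            except ValueError:
                results[rel] = "rejected"
    return results
```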