[Pkg-utopia-maintainers] Bug#1132943: CVE-2026-34078: Sandbox escape involving symlinks passed to flatpak-portal

Simon McVittie smcv at debian.org
Fri Apr 10 21:43:05 BST 2026


On Tue, 07 Apr 2026 at 23:31:37 +0100, Simon McVittie wrote:
>On Tue, 07 Apr 2026 at 22:27:52 +0100, Simon McVittie wrote:
>>For testing/unstable, I am about to upload the new upstream release
>>1.16.4. This fixes CVE-2026-34078 and some other, less serious security
>>issues for which I will report separate bugs.

Unfortunately this had regressions for several popular apps, including 
Steam and Chromium-based web browsers. I've now uploaded 1.16.6, which 
we believe fixes all the regressions.

>>For trixie, I would like to address this by uploading the new upstream
>>release to trixie-security.

I'd still prefer to do this, rather than applying 99% of it as patches 
and having a subtly different version that hasn't been tested upstream.

Updated merge request:
https://salsa.debian.org/debian/flatpak/-/merge_requests/6

Updated source package (updated debdiff is in the same directory):
https://people.debian.org/~smcv/temp/2026/CVE-2026-34078/

Binary test-build (identical except for the changelog):
https://people.debian.org/~smcv/temp/2026/CVE-2026-34078/testbuild/

I tried this successfully with some of the apps that regressed:

* org.chromium.Chromium, com.brave.Browser
* org.gnome.Epiphany
* com.valvesoftware.Steam
* installing org.freedesktop.Platform.openh264//2.5.1

and there is targeted automatic test coverage for the root causes of the 
regressions with Chromium, Steam and openh264 (currently no specific 
test coverage for the Epiphany regression though).

The same upstream source has also been tested briefly with 
io.github.ungoogled_software.ungoogled_chromium and com.vivaldi.Vivaldi, 
but I didn't re-test those on trixie since they had the same failure 
mode as Chromium.

It would be great if someone not me could confirm these test results on 
trixie before issuing a security update.

I haven't updated the bookworm backport yet (the patch series is going 
to be rather long). I'll try to get to that tomorrow, unless someone 
else gets there first (any help gratefully received). The changes to 
backport would be what's already in 
https://salsa.debian.org/debian/flatpak/-/merge_requests/7, plus more or 
less everything from 1.16.4..1.16.6 upstream except the version number 
bump.

Thanks,
     smcv
