[Pkg-utopia-maintainers] Bug#1132943: CVE-2026-34078: Sandbox escape involving symlinks passed to flatpak-portal

Simon McVittie smcv at debian.org
Wed Apr 15 23:52:34 BST 2026


On Fri, 10 Apr 2026 at 21:43:05 +0100, Simon McVittie wrote:
>I haven't updated the bookworm backport yet (the patch series is going 
>to be rather long).

OK, here it is:
https://salsa.debian.org/debian/flatpak/-/merge_requests/7
https://people.debian.org/~smcv/temp/2026/CVE-2026-34078/bookworm/
(includes filtered debdiff)

Please review/test carefully, I think this is correct but the diffstat 
is quite significant. (I do wonder whether bookworm would get a lower 
regression risk by taking flatpak 1.16.x from trixie, but perhaps not, 
since there were some behaviour changes between bookworm's 1.14.x and 
trixie's 1.16.x - but I did update the bookworm-backports version of 
flatpak, and if I still had any desktop systems stuck on bookworm I'd 
probably be using that one on them.)

In the debdiff I filtered out the actual patches, leaving only the diff 
that results from applying them, in an attempt to reduce the noise.

In addition to the security and regression fixes backported from 1.16.6, 
I'm suggesting that we include:

- d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
   d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
Fix a thread-safety issue in flatpak-portal. This was applied to the 
flatpak-1.14.x branch by upstream before end-of-life for the 1.14.x 
series, but never made it into a release. It's a backport from 1.16.1.  
It seems like good hardening to try to avoid thread issues in the 
portal, since the portal is security-sensitive.

- d/p/1.16.7/bwrap-Clarify-a-comment.patch,
   d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
Fix the warnings that Alberto saw while testing the trixie version. 
I fixed this upstream (slightly differently) after 1.16.6, but that 
change hasn't reached trixie or unstable. I'll aim to include it in a 
trixie stable update after the next upstream bugfix release.

But of course if the security team would rather not, then we can drop 
those, at the cost of re-introducing the relevant bugs.

I tested this together with the xdg-dbus-proxy from #1132939, installing 
and briefly using some of the apps that had regressed on a bookworm 
GNOME VM: a selection of Chromium-based browsers (com.brave.Browser, 
org.chromium.Chromium, com.google.Chrome); org.gnome.Epiphany; 
com.valvesoftware.Steam; and installing the openh264 extension (I didn't 
test this beyond installing it, but it was installing it that had the 
bug).

I backported the new test coverage where it was straightforward to do 
so, but I didn't go to heroic efforts to backport automated tests (and 
in particular I didn't backport the new tests in libglnx, which would 
have required connecting them up to its old Autotools build system).

     smcv
