[Pkg-utopia-maintainers] Bug#1132943: CVE-2026-34078: Sandbox escape involving symlinks passed to flatpak-portal
Moritz Mühlenhoff
jmm at inutil.org
Mon Apr 20 22:38:49 BST 2026
On Wed, Apr 15, 2026 at 11:52:34PM +0100, Simon McVittie wrote:
> On Fri, 10 Apr 2026 at 21:43:05 +0100, Simon McVittie wrote:
> > I haven't updated the bookworm backport yet (the patch series is going
> > to be rather long).
>
> OK, here it is:
> https://salsa.debian.org/debian/flatpak/-/merge_requests/7
> https://people.debian.org/~smcv/temp/2026/CVE-2026-34078/bookworm/
> (includes filtered debdiff)
Thanks, this looks good to me based on the filtered diff.
> But of course if the security team would rather not, then we can drop those,
> at the cost of re-introducing the relevant bugs.
No, these are all fine to include.
> I tested this together with the xdg-dbus-proxy from #1132939, installing and
> briefly using some of the apps that had regressed on a bookworm GNOME VM: a
> selection of Chromium-based browsers (com.brave.Browser,
> org.chromium.Chromium, com.google.Chrome); org.gnome.Epiphany;
> com.valvesoftware.Steam; and installing the openh264 extension (I didn't
> test this beyond installing it, but it was installing it that had the bug).
Please upload to security-master. I'll also test various applications
in combination with xdg-dbus-proxy in the next days.
Cheers,
Moritz