[Pkg-utopia-maintainers] Bug#1132943: flatpak CVE-2026-34078: Sandbox escape involving symlinks passed to flatpak-portal

Simon McVittie smcv at debian.org
Fri May 8 12:47:46 BST 2026


On Tue, 07 Apr 2026 at 22:27:52 +0100, Simon McVittie wrote:
> Flatpak older than 1.16.4 has a complete sandbox escape which leads to
> host file access and code execution in the host context
> (CVE-2026-34078). I believe all versions since 0.11.4, which added
> flatpak-portal, are vulnerable.

I don't plan to work on this in Debian LTS myself, but in case someone 
in the LTS team might find it useful, upstream maintainer Sebastian Wick 
has backported the fixes for this and related CVEs and regressions to 
1.12.x for RHEL: 
https://github.com/swick/flatpak/tree/backport/1.12/security-issues

That might be a good basis for a backport to 1.10.x in Debian 11 LTS if 
someone wants to do that. I haven't reviewed or tested it.

As a summary of the history: the original fixes in 1.16.4 had regressions, 
which we fixed in 1.16.5 and .6. Later, I backported those to 1.14.x for 
bookworm, and now Sebastian has backported my backports to 1.12.x.

Alternatively, the bookworm security update would probably rebuild 
cleanly in bullseye (1.10.x -> 1.14.x), although that version is known 
to need either an updated version of src:appstream (0.14.x -> 0.15.3 or 
newer) or a backported bug fix.

     smcv
