-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 20:27:40 +0100
Source: flatpak
Binary: libflatpak-doc
Architecture: all
Version: 1.14.10-1~deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Simon McVittie
Description:
 libflatpak-doc - Application deployment framework for desktop apps (documentation)
Closes: 1132943 1132944 1132945 1132946 1132960 1132968
Changes:
 flatpak (1.14.10-1~deb12u2) bookworm-security; urgency=high
 .
   * Security update
   * d/p/CVE-2026-34078-prep/*.patch:
     Backport libglnx changes required to address CVE-2026-34078
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious
     or compromised Flatpak app
     (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide via the
     system helper.
     (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
   * d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
     d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
     Add patches from upstream flatpak-1.14.x branch (which never got into
     a release before the branch was discontinued), originally from 1.16.1,
     fixing a thread-safety issue in flatpak-portal
   * d/p/1.16.5/*.patch:
     Add regression fixes taken from the upstream 1.16.5 release, fixing
     various regressions introduced by fixing CVE-2026-34078 and improving
     test coverage (Closes: #1132960)
   * d/p/1.16.6/*.patch:
     Add regression fixes taken from the upstream 1.16.6 release, fixing
     additional regressions introduced by fixing CVE-2026-34078 and
     improving test coverage (Closes: #1132968)
     - d/control: Add curl(1) to Build-Depends and flatpak-tests Depends
   * d/p/1.16.7/bwrap-Clarify-a-comment.patch,
     d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
     Silence a spurious warning seen while testing 1.16.6
Checksums-Sha1:
 90c359168af56ee9e78f40e7d7dbf7688bbb3103 12891 flatpak_1.14.10-1~deb12u2_all-buildd.buildinfo
 f534d76b307682f702507d7f18724f9c7fb609ed 130920 libflatpak-doc_1.14.10-1~deb12u2_all.deb
Checksums-Sha256:
 48d080ce5138e5b293cc37891dad114254017f56c27dc7c7fd4f146e3a5a7375 12891 flatpak_1.14.10-1~deb12u2_all-buildd.buildinfo
 141e2c20c0a053f129b71437d322ed869ea5757cf7028fea3181c7b6c996eb2c 130920 libflatpak-doc_1.14.10-1~deb12u2_all.deb
Files:
 331e354b359b35340ebc0d5318e6279e 12891 admin optional flatpak_1.14.10-1~deb12u2_all-buildd.buildinfo
 792cf5f28e51b048884e9cbd6c0a5c5e 130920 doc optional libflatpak-doc_1.14.10-1~deb12u2_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXLxUpUHQBQBTDtd4aBVi67oXtfkFAmnnOeUACgkQaBVi67oX
tfnt9BAAvssvU3Yl55421mIcY4JGtKK9OV6RfiZQNQ/RA8M2QAvUhSdxufadGtjY
rx0KjRe1EqjSwOeGpHXAj8mGiNrbUjCrDzjxhGgww9OyXIxRn7FNQsWkiF6XfzrN
m7otftmIcsU0V3eYBbnmewYmIRGWeXU5XmpK+2ln732KFT+oqdUo2/IHAPUE8xA8
XV4CROHFvYdiUVomrXWY+O/3pbsI0ISpYOKQ3XqBsbYL5t1bmLLGcbnQJKO+cC5W
gOAJ7jgYAWANqHf4UHeQEAULzXY0pyvgK2uMZwkyZm1DtieVlovm7zQFDC6gCi5D
mhWdm3/HyDmI1jiLFpFl1AnILyXcbXJFtWIFkzc73C+8gl9BzGAsMy2C2ZROEqbU
xiiI0lvLfshr5FD/oln2YKmtENA9s79hmlR8PHPVYKfT/3AQuckUduDCvp7ozA7p
T73QfXgH70FrcVMoMRGDwawbwHN9oTNhCVmUvhEnvYh5cLk3uL606KPpnLTUnM1W
8bz0K7CDSSWCmQULL6fTW9FNiSxTus5/A+KuDsrKxWaAikwXvgphSsuSY5dwf52V
iDnduzfWIudFyITIoS/i9aZc7K8joZlr5YQT4rXHyTtLBx8Ce3VkCvKIFBFISzEL
qbzAmPflF8asWuHuUVpCDd3caN6fGb6G7gWTHNV6iy9RHVuCd5s=
=I4v9
-----END PGP SIGNATURE-----