Package: flatpak
Version: 0.11.4-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <[email protected]>

Flatpak older than 1.16.4 has a complete sandbox escape which leads to
host file access and code execution in the host context
(CVE-2026-34078). I believe all versions since 0.11.4, which added
flatpak-portal, are vulnerable.

A malicious or compromised Flatpak app could exploit this to achieve
arbitrary code execution on the host.

For testing/unstable, I am about to upload the new upstream release
1.16.4. This fixes CVE-2026-34078 and some other, less serious security
issues for which I will report separate bugs.

For trixie, I would like to address this by uploading the new upstream
release to trixie-security. It would be easiest to do this if the
security team will allow uploading a backport of 1.16.4 from unstable,
reverting packaging changes that aren't appropriate. I previously did
non-security uploads of Flatpak 1.16.2 and 1.16.3 to trixie in this way,
with the release team's approval. I'll prepare a debdiff shortly.

For bookworm, because upstream no longer supports 1.14.x, it will be
necessary to backport the upstream changes, which is unfortunately
rather involved. I've been preparing this under embargo, but I would
appreciate it if the security team could either review the backport, or
take over responsibility for this release.

Thanks,
smcv