Control: fixed 1132943 1.16.4-1
Control: fixed 1132944 1.16.4-1
Control: fixed 1132945 1.16.4-1
Control: fixed 1132946 1.16.4-1
On Tue, 07 Apr 2026 at 22:27:52 +0100, Simon McVittie wrote:
> For testing/unstable, I am about to upload the new upstream release
> 1.16.4. This fixes CVE-2026-34078 and some other, less serious security
> issues for which I will report separate bugs.
Uploaded.
> For trixie, I would like to address this by uploading the new upstream
> release to trixie-security. It would be easiest to do this if the
> security team will allow uploading a backport of 1.16.4 from unstable,
> reverting packaging changes that aren't appropriate. I previously did
> non-security uploads of Flatpak 1.16.2 and 1.16.3 to trixie in this way,
> with the release team's approval. I'll prepare a debdiff shortly.
Proposed in: https://salsa.debian.org/debian/flatpak/-/merge_requests/6
The security team is welcome to do this as a sponsored upload if that
would be helpful, or I can prepare and upload a signed .dsc. Unsigned
version at https://people.debian.org/~smcv/temp/2026/CVE-2026-34078/ for
consistency checking (there's also a lightly filtered debdiff there).
All of this new upstream release was to address CVE-2026-34078 and
CVE-2026-34079, together with two maybe-security-maybe-not issues,
GHSA-89xm-3m96-w3jg and GHSA-2fxp-43j9-pwvc.
The vast majority of the diff is necessary to fix CVE-2026-34078
(#1132943), the most serious of the bugs addressed here. Unfortunately
while reviewing an earlier, more minimal attempt at fixing
CVE-2026-34078 I realised that it contained time-of-check/time-of-use
vulnerabilities, and to address those it was necessary to implement some
new helper functions for dealing with O_PATH fds.
Exceptions:
- The part in common/flatpak-context.c is not strictly necessary, but the
  fix for CVE-2026-34078 used a helper function factored out from here.
- The part in common/flatpak-oci-registry.c (one line plus comments)
  is for GHSA-2fxp-43j9-pwvc (#1132946).
- The part in common/flatpak-utils.c is CVE-2026-34079 (#1132944),
  except for flatpak_parse_fd() which is for CVE-2026-34078.
- l10n files (po/*.po) were updated during the upstream release process.
- subprojects/libglnx is a "copylib" containing backports from GLib,
  and Linux-specific utility code.
  + The backport of g_clear_fd() is not needed for trixie, but will be
    needed in bookworm.
  + glnx_chaseat() and glnx_fd_reopen() are needed for CVE-2026-34078.
  + glnx_statx() and glnx_chase_and_statxat() likewise.
  + The changes in subprojects/libglnx/glnx-fdio.c involving
    proc_self_fd_slash are not strictly related to any of this, but
    they fix an undefined-behaviour situation diagnosed by clang, and
    seem harmless.
  + The change in subprojects/libglnx/glnx-local-alloc.h is just
    deleting a duplicate macro definition.
  + The change in subprojects/libglnx/glnx-lockfile.c adds a
    precondition check for valid parameters. I checked that none of the
    calls to this function in Flatpak will trigger this.
  + The syscall glue in subprojects/libglnx/glnx-missing-syscall.h might
    not be needed for trixie, but is probably needed in bookworm, for
    compatibility with older glibc.
- The part in system-helper/flatpak-system-helper.c is for
  GHSA-89xm-3m96-w3jg (#1132945).
I'm also preparing a bookworm update but that's more difficult, so I
haven't got as far as testing it yet.
smcv
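Editor's added example (not part of the message above, and not Flatpak's or libglnx's code): the message says a minimal fix was rejected because it still had time-of-check/time-of-use windows, and that closing them needed helpers for O_PATH fds. The generic pattern behind that is "check the fd you hold, not the name you were given": open the name once with O_PATH, fstat() the resulting fd, then reopen the same inode through the /proc/self/fd/N magic link. The function names below (open_regular_racy, reopen_path_fd, open_regular_safe, run_demo) are illustrative and stand in for, rather than reproduce, the libglnx helpers named in the message; the temp-dir layout is constructed for the demo.

```c
/* Added example: stat()+open() TOCTOU window versus an O_PATH fd that is
 * checked with fstat() and reopened through /proc/self/fd. Linux only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_PATH
#define O_PATH 010000000 /* Linux uapi value, in case the headers hide it */
#endif

/* Racy: the name is resolved twice (stat(), then open()), so the object it
 * refers to can be swapped in between, e.g. by replacing it with a symlink. */
static int open_regular_racy(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    if (!S_ISREG(st.st_mode)) {
        errno = EINVAL;
        return -1;
    }
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Reopen the object behind an O_PATH fd with real access flags. The
 * /proc/self/fd/N link resolves to the open file itself, not to a name. */
static int reopen_path_fd(int path_fd, int flags)
{
    char proc_path[64];
    snprintf(proc_path, sizeof proc_path, "/proc/self/fd/%d", path_fd);
    return open(proc_path, flags | O_CLOEXEC);
}

/* Safe: resolve the name once (O_PATH|O_NOFOLLOW), check the inode actually
 * held, then reopen via the fd. This policy rejects symlinks outright; a
 * caller that wants to follow them would drop O_NOFOLLOW but still check the
 * fd. The final dev/ino comparison is belt-and-braces. */
static int open_regular_safe(const char *path)
{
    struct stat checked, got;
    int fd, saved;
    int path_fd = open(path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (path_fd < 0)
        return -1;
    if (fstat(path_fd, &checked) < 0 || !S_ISREG(checked.st_mode)) {
        close(path_fd);
        errno = EINVAL;
        return -1;
    }
    fd = reopen_path_fd(path_fd, O_RDONLY);
    saved = errno;
    close(path_fd);
    errno = saved;
    if (fd < 0)
        return -1;
    if (fstat(fd, &got) < 0 ||
        got.st_dev != checked.st_dev || got.st_ino != checked.st_ino) {
        close(fd);
        errno = EIO;
        return -1;
    }
    return fd;
}

/* Constructed layout in a fresh temp dir: "data" (regular file, 6 bytes) and
 * "link" -> data. Returns 0 if every expectation holds, else the failed step. */
static int run_demo(void)
{
    char dir[] = "/tmp/opath-demo-XXXXXX";
    char data[300], link[300], buf[16];
    int rc = 0, fd, a, b;

    if (!mkdtemp(dir))
        return 1;
    snprintf(data, sizeof data, "%s/data", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    fd = open(data, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0 || write(fd, "hello\n", 6) != 6 || symlink("data", link) < 0)
        rc = 2;
    if (fd >= 0)
        close(fd);
    /* Step 3: both accept a plain regular file; the safe fd is readable. */
    if (!rc) {
        a = open_regular_racy(data);
        b = open_regular_safe(data);
        if (a < 0 || b < 0 || read(b, buf, sizeof buf) != 6 ||
            memcmp(buf, "hello\n", 6) != 0)
            rc = 3;
        if (a >= 0) close(a);
        if (b >= 0) close(b);
    }
    /* Step 4: stat() follows the symlink so the racy check passes; the safe
     * version holds the link itself, sees S_IFLNK, and refuses with EINVAL. */
    if (!rc) {
        a = open_regular_racy(link);
        b = open_regular_safe(link);
        if (a < 0 || b >= 0 || errno != EINVAL)
            rc = 4;
        if (a >= 0) close(a);
        if (b >= 0) close(b);
    }
    unlink(link);
    unlink(data);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The symlink step stands in for the race: it shows that the decision made by stat() on a name can differ from what open() on the same name later hands back, whereas every decision in open_regular_safe() is made on an fd that cannot change identity underneath it. Reopening through /proc/self/fd is also why glue for older glibc and /proc-related code show up in a fix of this shape.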