On Tue, 07 Apr 2026 at 23:31:37 +0100, Simon McVittie wrote:
> On Tue, 07 Apr 2026 at 22:27:52 +0100, Simon McVittie wrote:
> For testing/unstable, I am about to upload the new upstream release
> 1.16.4. This fixes CVE-2026-34078 and some other, less serious security
> issues for which I will report separate bugs.

Unfortunately this had regressions for several popular apps, including Steam and Chromium-based web browsers. I've now uploaded 1.16.6, which we believe fixes all the regressions.

> For trixie, I would like to address this by uploading the new upstream
> release to trixie-security.

I'd still prefer to do this, rather than applying 99% of it as patches and having a subtly different version that hasn't been tested upstream.

Updated merge request:
https://salsa.debian.org/debian/flatpak/-/merge_requests/6

Updated source package (updated debdiff is in the same directory):
https://people.debian.org/~smcv/temp/2026/CVE-2026-34078/

Binary test-build (identical except for the changelog):
https://people.debian.org/~smcv/temp/2026/CVE-2026-34078/testbuild/

I tried this successfully with some of the apps that regressed:

* org.chromium.Chromium, com.brave.Browser
* org.gnome.Epiphany
* com.valvesoftware.Steam
* installing org.freedesktop.Platform.openh264//2.5.1

and there is targeted automatic test coverage for the root causes of the regressions with Chromium, Steam and openh264 (currently no specific test coverage for the Epiphany regression though).

The same upstream source has also been tested briefly with io.github.ungoogled_software.ungoogled_chromium and com.vivaldi.Vivaldi, but I didn't re-test those on trixie since they had the same failure mode as Chromium.

It would be great if someone not me could confirm these test results on trixie before issuing a security update.

I haven't updated the bookworm backport yet (the patch series is going to be rather long). I'll try to get to that tomorrow, unless someone else gets there first (any help gratefully received). The changes to backport would be what's already in https://salsa.debian.org/debian/flatpak/-/merge_requests/7, plus more or less everything from 1.16.4..1.16.6 upstream except the version number bump.

Thanks,
    smcv
