Your message dated Tue, 07 Apr 2026 23:19:23 +0000
with message-id <[email protected]>
and subject line Bug#1132944: fixed in flatpak 1.17.3-2
has caused the Debian Bug report #1132944,
regarding flatpak: CVE-2026-34079: Arbitrary file deletion on the host
filesystem
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132944: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132944
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: flatpak
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Flatpak older than 1.16.4 has an issue in which the caching for
ld.so removes outdated cache files without properly checking that the
app-controlled path to the outdated cache is in the cache directory. A
malicious or compromised Flatpak app could use this to delete arbitrary
files on the host system, a denial of service vulnerability (denying
availability).
I think we should fix this in the same batch as the much more serious
CVE-2026-34078.
Thanks,
smcv
--- End Message ---
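The defect described in the report above is a deletion routine that trusts an app-controlled path to an "outdated" cache file without first confirming the path lies inside the cache directory. The following is an added example, not flatpak's own code, of the containment check a reviewer would expect before such an unlink: canonicalize both paths with realpath(3), then require the file to sit inside the directory at a path-separator boundary. All function names and paths here are hypothetical.

```c
/* Added example (not flatpak's code): refuse to delete a cache file whose
 * untrusted, app-supplied path does not resolve to a file inside the cache
 * directory. Names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if `path` (already canonical) lies strictly inside `dir` (also
 * canonical). The match must end at a '/' so that "/var/cache/ld-evil/x"
 * is not treated as inside "/var/cache/ld". */
int path_within_dir(const char *dir, const char *path)
{
    size_t n = strlen(dir);
    while (n > 1 && dir[n - 1] == '/')      /* tolerate a trailing slash on dir */
        n--;
    if (n == 1 && dir[0] == '/')            /* everything except "/" is inside "/" */
        return path[0] == '/' && path[1] != '\0';
    if (strncmp(dir, path, n) != 0)
        return 0;
    return path[n] == '/' && path[n + 1] != '\0';
}

/* Unlink `candidate` only if it resolves, symlinks and ".." included, to a
 * file inside `cache_dir`. Returns 0 on success, -1 otherwise with errno set.
 * realpath() collapses ".." and follows symlinks, so a lexical prefix check
 * on its output is meaningful; an unresolvable path is simply refused.
 * A small race remains between realpath() and unlink(); a fully robust
 * design opens the cache directory once and uses unlinkat() on a single
 * path component relative to that descriptor. */
int remove_stale_cache_file(const char *cache_dir, const char *candidate)
{
    char real_dir[PATH_MAX], real_file[PATH_MAX];

    if (!realpath(cache_dir, real_dir) || !realpath(candidate, real_file))
        return -1;
    if (!path_within_dir(real_dir, real_file)) {
        errno = EPERM;                      /* escape attempt: log, do not delete */
        return -1;
    }
    return unlink(real_file);
}
```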
--- Begin Message ---
Source: flatpak
Source-Version: 1.17.3-2
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated flatpak package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 07 Apr 2026 23:55:57 +0100
Source: flatpak
Architecture: source
Version: 1.17.3-2
Distribution: experimental
Urgency: high
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1132943 1132944 1132945 1132946
Changes:
flatpak (1.17.3-2) experimental; urgency=high
.
* d/p/CVE-2026-34078/*.patch:
Fix a sandbox escape involving symlinks passed to flatpak-portal.
A malicious or compromised Flatpak app could exploit this to achieve
arbitrary code execution on the host.
(CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
* d/p/CVE-2026-34079/*.patch:
Prevent arbitrary file deletion outside the sandbox by a malicious or
compromised Flatpak app
(CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
* d/p/GHSA-89xm-3m96-w3jg/*.patch:
Prevent a local user from making another local user unable to cancel
an ongoing download of apps or runtimes installed system-wide
via the system helper.
(No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
* d/p/GHSA-2fxp-43j9-pwvc/*.patch:
Prevent a local user from reading any file that is readable by the
_flatpak system user. A mitigation is that it would be very unusual
for these files not to be readable by the original local user as well.
(No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
* Merge packaging changes from unstable
* Standards-Version: 4.7.4 (no changes required)
.
flatpak (1.16.4-1) unstable; urgency=high
.
* New upstream security release
- Fix a sandbox escape involving symlinks passed to flatpak-portal.
A malicious or compromised Flatpak app could exploit this to achieve
arbitrary code execution on the host.
(CVE-2026-34078, GHSA-cc2q-qc34-jprg)
- Prevent arbitrary file deletion outside the sandbox by a malicious or
compromised Flatpak app
(CVE-2026-34079, GHSA-p29x-r292-46pp)
- Prevent a local user from reading any file that is readable by the
_flatpak system user. A mitigation is that it would be very unusual
for these files not to be readable by the original local user as well.
(No CVE ID, GHSA-2fxp-43j9-pwvc)
- Prevent a local user from making another local user unable to cancel
an ongoing download of apps or runtimes installed system-wide
via the system helper.
(No CVE ID, GHSA-89xm-3m96-w3jg)
.
flatpak (1.16.3-1) unstable; urgency=medium
.
* New upstream stable release
- In flatpak-build(1), only provide /run/host/font-dirs.xml if the
calling process has not already added it, fixing a regression for
users of GNOME Builder and Foundry (flatpak#6450 upstream)
* Standards-Version: 4.7.3
- Remove Priority: optional, unnecessary since Debian 13
* d/watch: Convert to v5 format
* d/watch: Only watch stable (even-numbered) releases
- d/watch.devel: Add a second watch file for development
(odd-numbered) releases
Git-Tag-Info: tag=46c1c72dff67c46125282c6b2a8a135d2802a537 fp=7a073ad1ae694fa25bff62e5235c099d3eb33076
Git-Tag-Tagger: Simon McVittie <[email protected]>
--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers