On Fri, 10 Apr 2026 at 21:43:05 +0100, Simon McVittie wrote:
> I haven't updated the bookworm backport yet (the patch series is going to be rather long).

OK, here it is:
https://salsa.debian.org/debian/flatpak/-/merge_requests/7
https://people.debian.org/~smcv/temp/2026/CVE-2026-34078/bookworm/
(includes filtered debdiff)

Please review/test carefully, I think this is correct but the diffstat is quite significant. (I do wonder whether bookworm would get a lower regression risk by taking flatpak 1.16.x from trixie, but perhaps not, since there were some behaviour changes between bookworm's 1.14.x and trixie's 1.16.x - but I did update the bookworm-backports version of flatpak, and if I still had any desktop systems stuck on bookworm I'd probably be using that one on them.)

In the debdiff I filtered out the actual patches, leaving only the diff that results from applying them, in an attempt to reduce the noise.

In addition to the security and regression fixes backported from 1.16.6, I'm suggesting that we include:

- d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
  d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
Fix a thread-safety issue in flatpak-portal. This was applied to the flatpak-1.14.x branch by upstream before end-of-life for the 1.14.x series, but never made it into a release. It's a backport from 1.16.1. It seems like good hardening to try to avoid thread issues in the portal, since the portal is security-sensitive.

- d/p/1.16.7/bwrap-Clarify-a-comment.patch,
  d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
Fix the warnings that Alberto saw while testing the trixie version. I fixed this upstream (slightly differently) after 1.16.6, but that change hasn't reached trixie or unstable. I'll aim to include it in a trixie stable update after the next upstream bugfix release.

But of course if the security team would rather not, then we can drop those, at the cost of re-introducing the relevant bugs.

I tested this together with the xdg-dbus-proxy from #1132939, installing and briefly using some of the apps that had regressed on a bookworm GNOME VM: a selection of Chromium-based browsers (com.brave.Browser, org.chromium.Chromium, com.google.Chrome); org.gnome.Epiphany; com.valvesoftware.Steam; and installing the openh264 extension (I didn't test this beyond installing it, but it was installing it that had the bug).

I backported the new test coverage where it was straightforward to do so, but I didn't go to heroic efforts to backport automated tests (and in particular I didn't backport the new tests in libglnx, which would have required connecting them up to its old Autotools build system).

    smcv

_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers