Your message dated Sat, 18 Apr 2026 15:18:22 +0000
with message-id <[email protected]>
and subject line Bug#1132945: fixed in flatpak 1.16.6-1~deb13u1
has caused the Debian Bug report #1132945,
regarding flatpak: GHSA-89xm-3m96-w3jg: cross-user CancelPull orphans another user's ongoing pull
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132945: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132945
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: flatpak
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>

Flatpak older than 1.16.4 has an issue in which one local user can 
use the CancelPull method to cancel an ongoing download by a second 
local user, preventing the second user from subsequently cancelling that 
download. This is (at least arguably) a denial of service. No CVE ID has 
been assigned: it was not clear whether this is really a security 
vulnerability, or just a bug.

I think we should fix this in the same batch as the much more serious 
CVE-2026-34078.

Thanks,
    smcv

--- End Message ---
--- Begin Message ---
Source: flatpak
Source-Version: 1.16.6-1~deb13u1
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 10 Apr 2026 23:58:31 BST
Source: flatpak
Architecture: source
Version: 1.16.6-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1) trixie-security; urgency=high
 .
   * Backport new upstream stable release for Debian 13
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to achieve
       arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a malicious or
       compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide
       via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Revert changes that are not appropriate for a stable update:
     - Revert "d/watch: Convert to v5 format, only watch stable
       (even-numbered) releases"
     - Revert "Standards-Version: 4.7.3"
Checksums-Sha256: 
 f8693a4ea38466ac3e1dddbe357c9e1e72db88ec650176c5ec0ecc23a692b1b2 3741 flatpak_1.16.6-1~deb13u1.dsc
 9cc40d786426b525aaac0a5791bd7e53907e6f4412b885d0d05f3c25fb65bb8d 42712 flatpak_1.16.6-1~deb13u1.debian.tar.xz
 d4d40d758e5869bb745f90472995eae5589b2fb681d024bea0c87e53c18136ab 14950 flatpak_1.16.6-1~deb13u1_source.buildinfo
 1e63e7f3fe44b602f34d92a6fe46fd8a3bc6be9460c03c2681e57976c658eec3 1242088 flatpak_1.16.6.orig.tar.xz
Checksums-Sha1: 
 dca489c4f782b537d5886f021b54fb71be2fb403 3741 flatpak_1.16.6-1~deb13u1.dsc
 1154e7c0756c558c929e7cdb680ffff37036507c 42712 flatpak_1.16.6-1~deb13u1.debian.tar.xz
 450b6aa94af815a4ba6f99700a7a654fcda0b3d8 14950 flatpak_1.16.6-1~deb13u1_source.buildinfo
 735ac6e954b284d9eeaadcd260b4a20483534323 1242088 flatpak_1.16.6.orig.tar.xz
Files: 
 92f5b3bd1f01c69c8bc10f591c8ff4e3 3741 admin optional flatpak_1.16.6-1~deb13u1.dsc
 bfb96ae3f07c04f0671d28bf981eb3a2 42712 admin optional flatpak_1.16.6-1~deb13u1.debian.tar.xz
 fba41629a1efb25e8c08b854742e89b6 14950 admin optional flatpak_1.16.6-1~deb13u1_source.buildinfo
 4c18bbd3a7eb15232030605165b263e3 1242088 admin optional flatpak_1.16.6.orig.tar.xz


Attachment: pgpORNEKq03xl.pgp
Description: PGP signature


--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers
