Your message dated Thu, 23 Apr 2026 14:02:58 +0100
with message-id <[email protected]>
and subject line Re: flatpak: GHSA-2fxp-43j9-pwvc, GHSA-89xm-3m96-w3jg
has caused the Debian Bug report #1132945,
regarding flatpak: GHSA-89xm-3m96-w3jg: cross-user CancelPull orphans another
user's ongoing pull
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132945: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132945
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: flatpak
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Flatpak older than 1.16.4 has an issue in which one local user can
use the CancelPull method to cancel an ongoing download by a second
local user, preventing the second user from subsequently cancelling that
download. This is (at least arguably) a denial of service. No CVE ID has
been assigned: it was not clear whether this is really a security
vulnerability, or just a bug.
I think we should fix this in the same batch as the much more serious
CVE-2026-34078.
Thanks,
smcv
--- End Message ---
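The report above describes a classic ownership bug in a privileged helper: a cancel method reachable by every local user acts on any in-progress operation, so one user can cancel another's pull, after which the legitimate owner's own cancel has nothing left to act on. The toy model below is an added illustration written for this note, not Flatpak's code and not its actual fix; the class and method names are hypothetical. It runs the same two-user scenario against a registry without an owner check and against one that refuses cancellation unless the caller's uid matches the uid that started the pull.

```python
"""Owner check for cancellable operations in a privileged helper (toy model).

Constructed example: a helper tracks in-progress pulls by id and exposes a
cancel method that any local user can reach over IPC. The caller uid is
assumed to come from the IPC layer's peer credentials (e.g. the D-Bus
daemon's view of the connection), never from the request body itself.
"""
from dataclasses import dataclass
import itertools


@dataclass
class Pull:
    owner_uid: int
    cancelled: bool = False


class PullRegistry:
    def __init__(self, check_owner: bool):
        # check_owner=False models the vulnerable behaviour, True the hardened one
        self.check_owner = check_owner
        self._pulls: dict[int, Pull] = {}
        self._ids = itertools.count(1)

    def start_pull(self, caller_uid: int) -> int:
        pull_id = next(self._ids)
        self._pulls[pull_id] = Pull(owner_uid=caller_uid)
        return pull_id

    def cancel_pull(self, caller_uid: int, pull_id: int) -> str:
        pull = self._pulls.get(pull_id)
        if pull is None:
            return "not-found"
        # The fix: only the uid that started the pull may cancel it.
        if self.check_owner and pull.owner_uid != caller_uid:
            return "permission-denied"
        pull.cancelled = True
        del self._pulls[pull_id]
        return "cancelled"


def scenario(check_owner: bool) -> list[str]:
    """Two unprivileged users (constructed uids): one starts a pull, the other
    tries to cancel it, then the owner cancels. Returns both outcomes."""
    reg = PullRegistry(check_owner)
    alice, mallory = 1000, 1001
    pull_id = reg.start_pull(alice)
    return [reg.cancel_pull(mallory, pull_id), reg.cancel_pull(alice, pull_id)]


if __name__ == "__main__":
    print("without owner check:", scenario(False))  # other user wins, owner gets not-found
    print("with owner check:   ", scenario(True))   # other user denied, owner cancels
```

The important design point is where the uid comes from: a helper that trusts a uid field supplied by the client is no better than one with no check at all, so the comparison has to use the credentials the IPC transport attaches to the caller.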
--- Begin Message ---
Version: 1.14.10-1~deb12u2

https://bugs.debian.org/1132946 / TEMP-1132946-5EDD2C / GHSA-2fxp-43j9-pwvc
In Flatpak older than 1.16.4, a local user can obtain read access to any
file that is readable by the user account running flatpak-system-helper.

https://bugs.debian.org/1132945 / TEMP-1132945-4CEFB2 / GHSA-89xm-3m96-w3jg
Flatpak older than 1.16.4 has an issue in which one local user can
use the CancelPull method to cancel an ongoing download by a second
local user.
These two non-CVE security issues were fixed in bookworm in the same
upload as CVE-2026-34078 and CVE-2026-34079. Please could the security
team update the security tracker accordingly, if closing the bugs
doesn't automatically do that?
Thanks,
smcv
--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers