Your message dated Thu, 23 Apr 2026 14:02:58 +0100
with message-id <[email protected]>
and subject line Re: flatpak: GHSA-2fxp-43j9-pwvc, GHSA-89xm-3m96-w3jg
has caused the Debian Bug report #1132946,
regarding flatpak: GHSA-2fxp-43j9-pwvc: Arbitrary read-access to files readable
by _flatpak user
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132946: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132946
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: flatpak
Severity: minor
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
In Flatpak older than 1.16.4, a local user can obtain read access to any
file that is readable by the user account running flatpak-system-helper
(in Debian, this is the "_flatpak" user). A mitigation is that usually
that user account can only read files that are world-readable anyway,
and a further mitigation is that this is only possible if a system OCI
repository is configured (rarely done on non-Fedora systems).
No CVE ID has been allocated: it wasn't clear whether this is a security
vulnerability at all, or just a bug, but out of an abundance of caution
it went through the process for dealing with embargoed vulnerabilities.
I think we should fix this in the same batch as the much more serious
CVE-2026-34078.
Thanks,
smcv
--- End Message ---
--- Begin Message ---
Version: 1.14.10-1~deb12u2
https://bugs.debian.org/1132946 / TEMP-1132946-5EDD2C / GHSA-2fxp-43j9-pwvc

In Flatpak older than 1.16.4, a local user can obtain read access to any
file that is readable by the user account running flatpak-system-helper

https://bugs.debian.org/1132945 / TEMP-1132945-4CEFB2 / GHSA-89xm-3m96-w3jg

Flatpak older than 1.16.4 has an issue in which one local user can
use the CancelPull method to cancel an ongoing download by a second
local user
These two non-CVE security issues were fixed in bookworm in the same
upload as CVE-2026-34078 and CVE-2026-34079. Please could the security
team update the security tracker accordingly, if closing the bugs
doesn't automatically do that?
Thanks,
smcv
--- End Message ---
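The report above says the file-read issue is only reachable when the installed flatpak predates the fix and a system-wide OCI repository is configured. The following shell script is an added example (not part of the bug report, nor Debian's or Flatpak's own tooling) that checks both conditions on a bookworm host. It assumes `flatpak remotes --system --columns=name,url` lists system remotes with their URLs, that OCI remotes are recognisable by the `oci+` URL prefix (as with Fedora's registry remote), and that Debian version ordering is available through `dpkg --compare-versions`. The fixed version 1.14.10-1~deb12u2 is the bookworm one from the closing message; other suites have different fixed versions not given here.

```sh
#!/bin/sh
# Added example, not part of the Debian bug report: defender-side check for
# GHSA-2fxp-43j9-pwvc on a Debian bookworm host. Per the report the issue
# matters only if (a) the installed flatpak predates the fix and (b) a
# *system* OCI repository is configured, so both conditions are tested.

# Fixed bookworm package version, taken from the closing message.
FIXED_BOOKWORM_VERSION='1.14.10-1~deb12u2'

# has_system_oci_remote: reads `flatpak remotes --system --columns=name,url`
# output on stdin and succeeds if any remote uses the OCI scheme. OCI
# remotes are recognised by the "oci+" URL prefix (assumption, based on
# Fedora's registry remote, e.g. oci+https://registry.fedoraproject.org).
has_system_oci_remote() {
    grep -Eq '(^|[[:space:]])oci[+][a-z]+://'
}

# package_is_fixed INSTALLED: succeeds if INSTALLED sorts at or above the
# fixed version under Debian version ordering (requires dpkg).
package_is_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED_BOOKWORM_VERSION"
}

# check_host: combine both conditions and print a one-line verdict.
# Never calls exit, so it is safe to source this file.
check_host() {
    if ! command -v flatpak >/dev/null 2>&1 || ! command -v dpkg-query >/dev/null 2>&1; then
        echo "flatpak or dpkg not present; nothing to check"
        return 0
    fi
    # dpkg-query's format string is single-quoted on purpose: it expands
    # ${Version} itself, not the shell.
    installed=$(dpkg-query -W -f='${Version}' flatpak 2>/dev/null || echo unknown)
    if [ "$installed" != unknown ] && package_is_fixed "$installed"; then
        echo "flatpak $installed already carries the fix"
        return 0
    fi
    if flatpak remotes --system --columns=name,url 2>/dev/null | has_system_oci_remote; then
        echo "EXPOSED: flatpak $installed predates $FIXED_BOOKWORM_VERSION and a system OCI remote is configured"
    else
        echo "flatpak $installed predates the fix, but no system OCI remote is configured (issue not reachable)"
    fi
    return 0
}

check_host
```

Only system remotes are inspected because the report ties the issue to flatpak-system-helper, which serves system-wide installations; per-user remotes are not run through that helper.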
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers