Your message dated Sat, 25 Apr 2026 10:49:08 +0000
with message-id <[email protected]>
and subject line Bug#1132945: fixed in flatpak 1.14.10-1~deb12u2
has caused the Debian Bug report #1132945,
regarding flatpak: GHSA-89xm-3m96-w3jg: cross-user CancelPull orphans another user's ongoing pull
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132945: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132945
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: flatpak
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Flatpak older than 1.16.4 has an issue in which one local user can
use the CancelPull method to cancel an ongoing download by a second
local user, preventing the second user from subsequently cancelling that
download. This is (at least arguably) a denial of service. No CVE ID has
been assigned: it was not clear whether this is really a security
vulnerability, or just a bug.
I think we should fix this in the same batch as the much more serious
CVE-2026-34078.
Thanks,
smcv
--- End Message ---
--- Begin Message ---
Source: flatpak
Source-Version: 1.14.10-1~deb12u2
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated flatpak package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 15 Apr 2026 20:27:40 +0100
Source: flatpak
Architecture: source
Version: 1.14.10-1~deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1132943 1132944 1132945 1132946 1132960 1132968
Changes:
flatpak (1.14.10-1~deb12u2) bookworm-security; urgency=high
.
* Security update
* d/p/CVE-2026-34078-prep/*.patch:
Backport libglnx changes required to address CVE-2026-34078
* d/p/CVE-2026-34078/*.patch:
Fix a sandbox escape involving symlinks passed to flatpak-portal.
A malicious or compromised Flatpak app could exploit this to achieve
arbitrary code execution on the host.
(CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
* d/p/CVE-2026-34079/*.patch:
Prevent arbitrary file deletion outside the sandbox by a malicious or
compromised Flatpak app
(CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
* d/p/GHSA-2fxp-43j9-pwvc/*.patch:
Prevent a local user from reading any file that is readable by the
_flatpak system user. A mitigation is that it would be very unusual
for these files not to be readable by the original local user as well.
(No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
* d/p/GHSA-89xm-3m96-w3jg/*.patch:
Prevent a local user from making another local user unable to cancel
an ongoing download of apps or runtimes installed system-wide
via the system helper.
(No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
* d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
Add patches from upstream flatpak-1.14.x branch (which never got into a
release before the branch was discontinued), originally from 1.16.1,
fixing a thread-safety issue in flatpak-portal
* d/p/1.16.5/*.patch:
Add regression fixes taken from the upstream 1.16.5 release,
fixing various regressions introduced by fixing CVE-2026-34078
and improving test coverage
(Closes: #1132960)
* d/p/1.16.6/*.patch:
Add regression fixes taken from the upstream 1.16.6 release,
fixing additional regressions introduced by fixing CVE-2026-34078
and improving test coverage
(Closes: #1132968)
- d/control: Add curl(1) to Build-Depends and flatpak-tests Depends
* d/p/1.16.7/bwrap-Clarify-a-comment.patch,
d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
Silence a spurious warning seen while testing 1.16.6
Checksums-Sha1:
58c0151d0a1373e9f77b3c1cf1236944e01cebad 3901 flatpak_1.14.10-1~deb12u2.dsc
29eda29e492f82aeeb3b670a89d7636267e35cf0 1647100 flatpak_1.14.10.orig.tar.xz
52fcc6407ed227ae632db6625398800d175de844 833 flatpak_1.14.10.orig.tar.xz.asc
5c9d2be5bf7d48a9405611e58d8e14a2dfb4f5ee 78968 flatpak_1.14.10-1~deb12u2.debian.tar.xz
ec4cdb9294c567afa60183906e0ad2015896ce33 12821 flatpak_1.14.10-1~deb12u2_source.buildinfo
Checksums-Sha256:
b38fafad8940c8222a5e7c23e6ccb32b4a67f0ced9ea77667edfa9b96a1d6b92 3901 flatpak_1.14.10-1~deb12u2.dsc
6bbdc7908127350ad85a4a47d70292ca2f4c46e977b32b1fd231c2a719d821cd 1647100 flatpak_1.14.10.orig.tar.xz
86f596ae816c77b6ee2789df177cc194d0a86d5ebd127d2a5c5cf99a627641ca 833 flatpak_1.14.10.orig.tar.xz.asc
ed0c2bed6fcec0642f3824cc14ccc5c22d30d58e029f6c570e2a7ad82c3b4b9c 78968 flatpak_1.14.10-1~deb12u2.debian.tar.xz
9aa808ec6a39e1ed091c7b92fc16c87a7b6417451b62ef8f11ab4d2aab7d4d32 12821 flatpak_1.14.10-1~deb12u2_source.buildinfo
Files:
8541708b99e58ec680c88f60c83fbe1e 3901 admin optional flatpak_1.14.10-1~deb12u2.dsc
4eb3f96ab7a73b01b408e5bb15630106 1647100 admin optional flatpak_1.14.10.orig.tar.xz
067ee69526edc3294dcfb3d43fd99de6 833 admin optional flatpak_1.14.10.orig.tar.xz.asc
58a6c35f6b83bc98fa6be23be65414d3 78968 admin optional flatpak_1.14.10-1~deb12u2.debian.tar.xz
4518dd7874c84bf826767003fcb7edf3 12821 admin optional flatpak_1.14.10-1~deb12u2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=jyUk
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers