On Tue, 07 Apr 2026 at 22:27:52 +0100, Simon McVittie wrote:
Flatpak older than 1.16.4 has a complete sandbox escape which leads to
host file access and code execution in the host context
(CVE-2026-34078). I believe all versions since 0.11.4, which added
flatpak-portal, are vulnerable.

I don't plan to work on this in Debian LTS myself, but in case someone in the LTS team might find it useful, upstream maintainer Sebastian Wick has backported the fixes for this and related CVEs and regressions to 1.12.x for RHEL: https://github.com/swick/flatpak/tree/backport/1.12/security-issues

That might be a good basis for a backport to 1.10.x in Debian 11 LTS if someone wants to do that. I haven't reviewed or tested it.

As a summary of the history: the original fixes in 1.16.4 had regressions, which we fixed in 1.16.5 and 1.16.6. Later, I backported those to 1.14.x for bookworm, and now Sebastian has backported my backports to 1.12.x.

Alternatively, the bookworm security update would probably rebuild cleanly in bullseye (1.10.x -> 1.14.x), although that version is known to need either an updated version of src:appstream (0.14.x -> 0.15.3 or newer) or a backported bug fix.

    smcv

_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers
