-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 20:27:40 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: amd64
Version: 1.14.10-1~deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: amd64 / i386 Build Daemon (x86-ubc-01) <buildd_amd64-x86-ubc-01@buildd.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946 1132960 1132968
Changes:
 flatpak (1.14.10-1~deb12u2) bookworm-security; urgency=high
 .
   * Security update
   * d/p/CVE-2026-34078-prep/*.patch:
     Backport libglnx changes required to address CVE-2026-34078
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious or
     compromised Flatpak app
     (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide
     via the system helper.
     (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
   * d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
     d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
     Add patches from upstream flatpak-1.14.x branch (which never got into a
     release before the branch was discontinued), originally from 1.16.1,
     fixing a thread-safety issue in flatpak-portal
   * d/p/1.16.5/*.patch:
     Add regression fixes taken from the upstream 1.16.5 release,
     fixing various regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132960)
   * d/p/1.16.6/*.patch:
     Add regression fixes taken from the upstream 1.16.6 release,
     fixing additional regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132968)
     - d/control: Add curl(1) to Build-Depends and flatpak-tests Depends
   * d/p/1.16.7/bwrap-Clarify-a-comment.patch,
     d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
     Silence a spurious warning seen while testing 1.16.6
Checksums-Sha1:
 0ff19d797ea9f8b62cdb7bb4fe1705cc165bdbe5 6733012 flatpak-dbgsym_1.14.10-1~deb12u2_amd64.deb
 0e26405120c494bd5ea2e2027258dc2e10560702 10554456 flatpak-tests-dbgsym_1.14.10-1~deb12u2_amd64.deb
 c4c5080c4248b7033c8a082dc5a6de3c6b9e6436 1198080 flatpak-tests_1.14.10-1~deb12u2_amd64.deb
 5221143bb5d88f85f42e354ef1598026255885f5 14997 flatpak_1.14.10-1~deb12u2_amd64-buildd.buildinfo
 db8977937022c238d90fe44453b57c19f6ac201c 1405448 flatpak_1.14.10-1~deb12u2_amd64.deb
 eed9d1485a2d85899d132235cb9bcb2d71b4ce60 25912 gir1.2-flatpak-1.0_1.14.10-1~deb12u2_amd64.deb
 344d44add5b0d68a818b8ecb3f606d0f11c07c2b 69328 libflatpak-dev_1.14.10-1~deb12u2_amd64.deb
 3d1e59fac9b1d0f9b2e9dc9997c52fb6df4cd3ff 1566096 libflatpak0-dbgsym_1.14.10-1~deb12u2_amd64.deb
 1917a869fc8bd33204450251f1522dc0b0ff3797 369492 libflatpak0_1.14.10-1~deb12u2_amd64.deb
Checksums-Sha256:
 0baa8b166d478f682d71eb0cd4d6d79b4ff7afadb46acea4ddad901f2aa7c847 6733012 flatpak-dbgsym_1.14.10-1~deb12u2_amd64.deb
 373b2d7a79f954abf2b06133fd84d75d785a88480f5c9226df822f15c8d3ef15 10554456 flatpak-tests-dbgsym_1.14.10-1~deb12u2_amd64.deb
 f474326afcccdd9df867439da11b11d3c9f985eff5898ede250f3cca24e20b17 1198080 flatpak-tests_1.14.10-1~deb12u2_amd64.deb
 b0e4e38edef13923d45946e99b44598221aa4afb59eac47c573c3625d93caeb2 14997 flatpak_1.14.10-1~deb12u2_amd64-buildd.buildinfo
 8addbc287f77fb90d55896e758a567cda20150b5937a8579373b25750fedbf57 1405448 flatpak_1.14.10-1~deb12u2_amd64.deb
 0297baca5269fc8c431ea170efc3c778dc0b800aada6990151f589c5c4da3919 25912 gir1.2-flatpak-1.0_1.14.10-1~deb12u2_amd64.deb
 367473883afeaa7f374867e1d36d1328741967cc862f41c63cff880a8cc39d81 69328 libflatpak-dev_1.14.10-1~deb12u2_amd64.deb
 1eb8a6391b91678375bb5e34adde02df1d121820c4d0e3894796c44057af3cd1 1566096 libflatpak0-dbgsym_1.14.10-1~deb12u2_amd64.deb
 9717960c34a6b359b6dc0890346523b14ff6bc77b0e808f9a67dd32031afe854 369492 libflatpak0_1.14.10-1~deb12u2_amd64.deb
Files:
 a4a32f649289d0cb0d05003e06d6db79 6733012 debug optional flatpak-dbgsym_1.14.10-1~deb12u2_amd64.deb
 bf06cf50dd436c3c362970118ccd2921 10554456 debug optional flatpak-tests-dbgsym_1.14.10-1~deb12u2_amd64.deb
 e8d6b814f7c382d85bb3ba5643a84718 1198080 misc optional flatpak-tests_1.14.10-1~deb12u2_amd64.deb
 94b2c46cbcb69d37a85dbcb5808211da 14997 admin optional flatpak_1.14.10-1~deb12u2_amd64-buildd.buildinfo
 56599b9dc2414b1767b413d7f497fde9 1405448 admin optional flatpak_1.14.10-1~deb12u2_amd64.deb
 50b582268c21910cc24d0f9d5c76229d 25912 introspection optional gir1.2-flatpak-1.0_1.14.10-1~deb12u2_amd64.deb
 fe31d9002d0321685827fc01307587e5 69328 libdevel optional libflatpak-dev_1.14.10-1~deb12u2_amd64.deb
 9d507ba0646dbfc78b3d72bcaf6c257c 1566096 debug optional libflatpak0-dbgsym_1.14.10-1~deb12u2_amd64.deb
 34ee4f733085ce3b06c3a75aae8a9d6d 369492 libs optional libflatpak0_1.14.10-1~deb12u2_amd64.deb

-----BEGIN PGP SIGNATURE-----
=eM5D
-----END PGP SIGNATURE-----
