-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 20:27:40 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: arm64
Version: 1.14.10-1~deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: arm Build Daemon (arm-ubc-05) <buildd_arm64-arm-ubc-05@buildd.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946 1132960 1132968
Changes:
 flatpak (1.14.10-1~deb12u2) bookworm-security; urgency=high
 .
   * Security update
   * d/p/CVE-2026-34078-prep/*.patch:
     Backport libglnx changes required to address CVE-2026-34078
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious or
     compromised Flatpak app
     (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide
     via the system helper.
     (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
   * d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
     d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
     Add patches from upstream flatpak-1.14.x branch (which never got into a
     release before the branch was discontinued), originally from 1.16.1,
     fixing a thread-safety issue in flatpak-portal
   * d/p/1.16.5/*.patch:
     Add regression fixes taken from the upstream 1.16.5 release,
     fixing various regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132960)
   * d/p/1.16.6/*.patch:
     Add regression fixes taken from the upstream 1.16.6 release,
     fixing additional regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132968)
     - d/control: Add curl(1) to Build-Depends and flatpak-tests Depends
   * d/p/1.16.7/bwrap-Clarify-a-comment.patch,
     d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
     Silence a spurious warning seen while testing 1.16.6
Files:
 52b67fd60e9f73b76ba3dd5e3cf6040c 6665384 debug optional flatpak-dbgsym_1.14.10-1~deb12u2_arm64.deb
 78e9f4f7498cb04afeaa0fbd31812fc5 10437032 debug optional flatpak-tests-dbgsym_1.14.10-1~deb12u2_arm64.deb
 f7a4fb9c9ce57785c1392df0b2ca8bc4 1113012 misc optional flatpak-tests_1.14.10-1~deb12u2_arm64.deb
 fc72e0f68c6936d2b195d93d8bdadd2c 14996 admin optional flatpak_1.14.10-1~deb12u2_arm64-buildd.buildinfo
 98283bdf45d84c7e86a3f79338f7cc47 1328864 admin optional flatpak_1.14.10-1~deb12u2_arm64.deb
 b519b98037cef6db143e6e2ca337697a 25912 introspection optional gir1.2-flatpak-1.0_1.14.10-1~deb12u2_arm64.deb
 767f86ba1409135063ebb2f9fe0a0bb3 69332 libdevel optional libflatpak-dev_1.14.10-1~deb12u2_arm64.deb
 8144f990b00727a797b326e72c6295f9 1554672 debug optional libflatpak0-dbgsym_1.14.10-1~deb12u2_arm64.deb
 16271f2eef1f606ea4e70f3b8ea72f4d 327808 libs optional libflatpak0_1.14.10-1~deb12u2_arm64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
