Format: 1.8
Date: Wed, 15 Apr 2026 20:27:40 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: armel
Version: 1.14.10-1~deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: arm Build Daemon (arm-ubc-06)
Changed-By: Simon McVittie
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946 1132960 1132968
Changes:
 flatpak (1.14.10-1~deb12u2) bookworm-security; urgency=high
 .
   * Security update
   * d/p/CVE-2026-34078-prep/*.patch:
     Backport libglnx changes required to address CVE-2026-34078
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious or
     compromised Flatpak app
     (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide via the
     system helper.
     (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
   * d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
     d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
     Add patches from upstream flatpak-1.14.x branch (which never got into
     a release before the branch was discontinued), originally from 1.16.1,
     fixing a thread-safety issue in flatpak-portal
   * d/p/1.16.5/*.patch:
     Add regression fixes taken from the upstream 1.16.5 release, fixing
     various regressions introduced by fixing CVE-2026-34078 and improving
     test coverage (Closes: #1132960)
   * d/p/1.16.6/*.patch:
     Add regression fixes taken from the upstream 1.16.6 release, fixing
     additional regressions introduced by fixing CVE-2026-34078 and
     improving test coverage (Closes: #1132968)
     - d/control: Add curl(1) to Build-Depends and flatpak-tests Depends
   * d/p/1.16.7/bwrap-Clarify-a-comment.patch,
     d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
     Silence a spurious warning seen while testing 1.16.6
Checksums-Sha1:
 af8743186d449953fd3ce8975812c805aff01f11 6261040 flatpak-dbgsym_1.14.10-1~deb12u2_armel.deb
 c529a2d63373b5b9db4735f8dff956141aa81305 9736636 flatpak-tests-dbgsym_1.14.10-1~deb12u2_armel.deb
 ab267fe54f04f720c7b723541d7f91a59403991c 988028 flatpak-tests_1.14.10-1~deb12u2_armel.deb
 ab23a2c7877c0dfbb217be388fa475bd4b47d9be 14832 flatpak_1.14.10-1~deb12u2_armel-buildd.buildinfo
 147ff45963e9f68a9a4a454551d96d4ffaef5ce2 1245520 flatpak_1.14.10-1~deb12u2_armel.deb
 c68ebd26e37f84451f79327373cc8cdb5b7a5c92 25900 gir1.2-flatpak-1.0_1.14.10-1~deb12u2_armel.deb
 0fd368b145628b1394bfadd741b01f1cf658aa72 69332 libflatpak-dev_1.14.10-1~deb12u2_armel.deb
 ec201b93e50b0ed1f7faff45216720d51ee24a05 1524120 libflatpak0-dbgsym_1.14.10-1~deb12u2_armel.deb
 2f56d99c3f93123991a60dac4d70a99156c541cc 314008 libflatpak0_1.14.10-1~deb12u2_armel.deb
Checksums-Sha256:
 592019819eaf266f2dbb9211a9346b83fc43db3c9127fed33ee38e652369318e 6261040 flatpak-dbgsym_1.14.10-1~deb12u2_armel.deb
 15217a33fccc39104cea9d5dddb8283a7e32f07a8432b2ccae2e4d348b92a25b 9736636 flatpak-tests-dbgsym_1.14.10-1~deb12u2_armel.deb
 2797d7ccbb500ad0f41d2bb3392dc572c5df4b4479daa3d8363ef6cdf95e7145 988028 flatpak-tests_1.14.10-1~deb12u2_armel.deb
 7c923cb5a4ad392c0d76c709029934d549ee39ee81f1c8092b6bfcdbec39a886 14832 flatpak_1.14.10-1~deb12u2_armel-buildd.buildinfo
 f984f059ac11bded09cd9ccf30ead7c891756cde014331c19a76fda1f8684e6b 1245520 flatpak_1.14.10-1~deb12u2_armel.deb
 6cf0ca9c8ec1d23fc68cb962dc81ca8702e0a7c629aae094e72a921ae1131332 25900 gir1.2-flatpak-1.0_1.14.10-1~deb12u2_armel.deb
 0eb9691cce9a1c89161d3d8e79e17a6bb5c5a391b3043b39d2b84a53217eb219 69332 libflatpak-dev_1.14.10-1~deb12u2_armel.deb
 cbdd4ee7260723663adaaae43a7f97a273bbc71c1a2945ce10d4b2f851119a20 1524120 libflatpak0-dbgsym_1.14.10-1~deb12u2_armel.deb
 5c6f883593236ac7b345f7af5d45e04e5e3dcf8252e52e2d1cfd642099a77815 314008 libflatpak0_1.14.10-1~deb12u2_armel.deb
Files:
 fc4ba1ad3c2e3233aa88bd508e3f0771 6261040 debug optional flatpak-dbgsym_1.14.10-1~deb12u2_armel.deb
 87fd787bf46fa2d3086e31f469147de9 9736636 debug optional flatpak-tests-dbgsym_1.14.10-1~deb12u2_armel.deb
 bff5771a38000eadb4fa356ecabd822f 988028 misc optional flatpak-tests_1.14.10-1~deb12u2_armel.deb
 b3beb05287f8b01f16fef6410d1cf780 14832 admin optional flatpak_1.14.10-1~deb12u2_armel-buildd.buildinfo
 dfdf8ece9616ea03b2d66642250b15c4 1245520 admin optional flatpak_1.14.10-1~deb12u2_armel.deb
 e80048099b71403bf9db2a62508aa185 25900 introspection optional gir1.2-flatpak-1.0_1.14.10-1~deb12u2_armel.deb
 8cca0375ee25a3dd397ae1095109d2ed 69332 libdevel optional libflatpak-dev_1.14.10-1~deb12u2_armel.deb
 d342447e4e320e86c75254798262d984 1524120 debug optional libflatpak0-dbgsym_1.14.10-1~deb12u2_armel.deb
 06094fa39302e2965677deabc5b44f6e 314008 libs optional libflatpak0_1.14.10-1~deb12u2_armel.deb