Format: 1.8
Date: Wed, 15 Apr 2026 20:27:40 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: armhf
Version: 1.14.10-1~deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: arm Build Daemon (arm-ubc-05)
Changed-By: Simon McVittie
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946 1132960 1132968
Changes:
 flatpak (1.14.10-1~deb12u2) bookworm-security; urgency=high
 .
   * Security update
   * d/p/CVE-2026-34078-prep/*.patch:
     Backport libglnx changes required to address CVE-2026-34078
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious or
     compromised Flatpak app (CVE-2026-34079, GHSA-p29x-r292-46pp)
     (Closes: #1132944)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide via the
     system helper. (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
   * d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
     d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
     Add patches from upstream flatpak-1.14.x branch (which never got into
     a release before the branch was discontinued), originally from 1.16.1,
     fixing a thread-safety issue in flatpak-portal
   * d/p/1.16.5/*.patch:
     Add regression fixes taken from the upstream 1.16.5 release, fixing
     various regressions introduced by fixing CVE-2026-34078 and improving
     test coverage (Closes: #1132960)
   * d/p/1.16.6/*.patch:
     Add regression fixes taken from the upstream 1.16.6 release, fixing
     additional regressions introduced by fixing CVE-2026-34078 and
     improving test coverage (Closes: #1132968)
     - d/control: Add curl(1) to Build-Depends and flatpak-tests Depends
   * d/p/1.16.7/bwrap-Clarify-a-comment.patch,
     d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
     Silence a spurious warning seen while testing 1.16.6