Format: 1.8
Date: Wed, 15 Apr 2026 20:27:40 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: i386
Version: 1.14.10-1~deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: amd64 / i386 Build Daemon (x86-ubc-01) <buildd_amd64-x86-ubc-01@buildd.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946 1132960 1132968
Changes:
 flatpak (1.14.10-1~deb12u2) bookworm-security; urgency=high
 .
   * Security update
   * d/p/CVE-2026-34078-prep/*.patch:
     Backport libglnx changes required to address CVE-2026-34078
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious or
     compromised Flatpak app
     (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide
     via the system helper.
     (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
   * d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
     d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
     Add patches from upstream flatpak-1.14.x branch (which never got into a
     release before the branch was discontinued), originally from 1.16.1,
     fixing a thread-safety issue in flatpak-portal
   * d/p/1.16.5/*.patch:
     Add regression fixes taken from the upstream 1.16.5 release,
     fixing various regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132960)
   * d/p/1.16.6/*.patch:
     Add regression fixes taken from the upstream 1.16.6 release,
     fixing additional regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132968)
     - d/control: Add curl(1) to Build-Depends and flatpak-tests Depends
   * d/p/1.16.7/bwrap-Clarify-a-comment.patch,
     d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
     Silence a spurious warning seen while testing 1.16.6
Checksums-Sha1:
Checksums-Sha256:
Files:
