-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 20:27:40 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: mipsel
Version: 1.14.10-1~deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: mipsel Build Daemon (mipsel-osuosl-04) <buildd_mips64el-mipsel-osuosl-04@buildd.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946 1132960 1132968
Changes:
 flatpak (1.14.10-1~deb12u2) bookworm-security; urgency=high
 .
   * Security update
   * d/p/CVE-2026-34078-prep/*.patch:
     Backport libglnx changes required to address CVE-2026-34078
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious or
     compromised Flatpak app
     (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide
     via the system helper.
     (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
   * d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
     d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
     Add patches from upstream flatpak-1.14.x branch (which never got into a
     release before the branch was discontinued), originally from 1.16.1,
     fixing a thread-safety issue in flatpak-portal
   * d/p/1.16.5/*.patch:
     Add regression fixes taken from the upstream 1.16.5 release,
     fixing various regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132960)
   * d/p/1.16.6/*.patch:
     Add regression fixes taken from the upstream 1.16.6 release,
     fixing additional regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132968)
     - d/control: Add curl(1) to Build-Depends and flatpak-tests Depends
   * d/p/1.16.7/bwrap-Clarify-a-comment.patch,
     d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
     Silence a spurious warning seen while testing 1.16.6

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
