-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 20:27:40 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: ppc64el
Version: 1.14.10-1~deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: ppc64el Build Daemon (ppc64el-osuosl-02) <buildd_ppc64el-ppc64el-osuosl-02@buildd.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946 1132960 1132968
Changes:
 flatpak (1.14.10-1~deb12u2) bookworm-security; urgency=high
 .
   * Security update
   * d/p/CVE-2026-34078-prep/*.patch:
     Backport libglnx changes required to address CVE-2026-34078
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious or
     compromised Flatpak app
     (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide
     via the system helper.
     (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
   * d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
     d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
     Add patches from upstream flatpak-1.14.x branch (which never got into a
     release before the branch was discontinued), originally from 1.16.1,
     fixing a thread-safety issue in flatpak-portal
   * d/p/1.16.5/*.patch:
     Add regression fixes taken from the upstream 1.16.5 release,
     fixing various regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132960)
   * d/p/1.16.6/*.patch:
     Add regression fixes taken from the upstream 1.16.6 release,
     fixing additional regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132968)
     - d/control: Add curl(1) to Build-Depends and flatpak-tests Depends
   * d/p/1.16.7/bwrap-Clarify-a-comment.patch,
     d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
     Silence a spurious warning seen while testing 1.16.6
Checksums-Sha1:
Checksums-Sha256:
Files:
 af728ed822e8c1f926708af47263eaea 6577920 debug optional flatpak-dbgsym_1.14.10-1~deb12u2_ppc64el.deb
 fc1886ac2a4529a55acee1946cb0d094 10314948 debug optional flatpak-tests-dbgsym_1.14.10-1~deb12u2_ppc64el.deb
 1817dfd0d0ac1db8585f8994565abec4 1197388 misc optional flatpak-tests_1.14.10-1~deb12u2_ppc64el.deb
 c38c2641f40b41e0f1cd5079a18cdf6d 15045 admin optional flatpak_1.14.10-1~deb12u2_ppc64el-buildd.buildinfo
 78ea01eedfa03c58a9737db27da8a595 1428332 admin optional flatpak_1.14.10-1~deb12u2_ppc64el.deb
 195b0027f0a494225f6dbca17ab654aa 25920 introspection optional gir1.2-flatpak-1.0_1.14.10-1~deb12u2_ppc64el.deb
 e98b84a5bee5b8517346040f29ade1d9 69336 libdevel optional libflatpak-dev_1.14.10-1~deb12u2_ppc64el.deb
 e3ea5e154af63abf76cd1db2944a0ef1 1597632 debug optional libflatpak0-dbgsym_1.14.10-1~deb12u2_ppc64el.deb
 af0c051de4dd90b1d92988ddaf50b233 387372 libs optional libflatpak0_1.14.10-1~deb12u2_ppc64el.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
