Format: 1.8
Date: Wed, 15 Apr 2026 20:27:40 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: s390x
Version: 1.14.10-1~deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: s390x Build Daemon (ziehrer)
Changed-By: Simon McVittie
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946 1132960 1132968
Changes:
 flatpak (1.14.10-1~deb12u2) bookworm-security; urgency=high
 .
   * Security update
   * d/p/CVE-2026-34078-prep/*.patch:
     Backport libglnx changes required to address CVE-2026-34078
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious
     or compromised Flatpak app
     (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide via the
     system helper.
     (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
   * d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
     d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
     Add patches from upstream flatpak-1.14.x branch (which never got into
     a release before the branch was discontinued), originally from 1.16.1,
     fixing a thread-safety issue in flatpak-portal
   * d/p/1.16.5/*.patch:
     Add regression fixes taken from the upstream 1.16.5 release, fixing
     various regressions introduced by fixing CVE-2026-34078 and improving
     test coverage (Closes: #1132960)
   * d/p/1.16.6/*.patch:
     Add regression fixes taken from the upstream 1.16.6 release, fixing
     additional regressions introduced by fixing CVE-2026-34078 and
     improving test coverage (Closes: #1132968)
     - d/control: Add curl(1) to Build-Depends and flatpak-tests Depends
   * d/p/1.16.7/bwrap-Clarify-a-comment.patch,
     d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
     Silence a spurious warning seen while testing 1.16.6