Format: 1.8
Date: Fri, 10 Apr 2026 20:03:53 +0100
Source: flatpak
Binary: libflatpak-doc
Architecture: all
Version: 1.16.6-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-01)
Changed-By: Simon McVittie
Description:
 libflatpak-doc - Application deployment framework for desktop apps (documentation)
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1) trixie-security; urgency=high
 .
   * Backport new upstream stable release for Debian 13
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to achieve
       arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a malicious
       or compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide via
       the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Revert changes that are not appropriate for a stable update:
     - Revert "d/watch: Convert to v5 format, only watch stable
       (even-numbered) releases"
     - Revert "Standards-Version: 4.7.3"
Checksums-Sha1:
 9713633f5e6f658325a8d7a84b4079d992a2006f 15115 flatpak_1.16.6-1~deb13u1_all-buildd.buildinfo
 8888768053cb4f570c41f7a9cdbbfca16862f648 164828 libflatpak-doc_1.16.6-1~deb13u1_all.deb
Checksums-Sha256:
 0e0aca6cac7006ec61a4d1637246472e3a9a183bce7e0509b45a3ee65a5ef385 15115 flatpak_1.16.6-1~deb13u1_all-buildd.buildinfo
 b28ab037dece8e787436769ed325192ecce37f68b8ed900b4b93e18b2ac5b603 164828 libflatpak-doc_1.16.6-1~deb13u1_all.deb
Files:
 b22444d71bf45f0aac65a61eb7299647 15115 admin optional flatpak_1.16.6-1~deb13u1_all-buildd.buildinfo
 2b8a831c93742f322c8638554175d679 164828 doc optional libflatpak-doc_1.16.6-1~deb13u1_all.deb