Format: 1.8
Date: Tue, 07 Apr 2026 23:55:57 +0100
Source: flatpak
Architecture: source
Version: 1.17.3-2
Distribution: experimental
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.17.3-2) experimental; urgency=high
 .
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg)
     (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious or
     compromised Flatpak app
     (CVE-2026-34079, GHSA-p29x-r292-46pp)
     (Closes: #1132944)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide via the
     system helper.
     (No CVE ID, GHSA-89xm-3m96-w3jg)
     (Closes: #1132945)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc)
     (Closes: #1132946)
   * Merge packaging changes from unstable
   * Standards-Version: 4.7.4 (no changes required)
 .
 flatpak (1.16.4-1) unstable; urgency=high
 .
   * New upstream security release
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to achieve
       arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg)
     - Prevent arbitrary file deletion outside the sandbox by a malicious or
       compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide via the
       system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg)
 .
 flatpak (1.16.3-1) unstable; urgency=medium
 .
   * New upstream stable release
     - In flatpak-build(1), only provide /run/host/font-dirs.xml if the
       calling process has not already added it, fixing a regression for
       users of GNOME Builder and Foundry (flatpak#6450 upstream)
   * Standards-Version: 4.7.3
     - Remove Priority: optional, unnecessary since Debian 13
   * d/watch: Convert to v5 format
   * d/watch: Only watch stable (even-numbered) releases
     - d/watch.devel: Add a second watch file for development (odd-numbered)
       releases
Git-Tag-Info: tag=46c1c72dff67c46125282c6b2a8a135d2802a537 fp=7a073ad1ae694fa25bff62e5235c099d3eb33076
Git-Tag-Tagger: Simon McVittie <smcv@debian.org>