Accepted flatpak 1.14.10-1~deb12u2 (source) into oldstable-security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 20:27:40 +0100
Source: flatpak
Architecture: source
Version: 1.14.10-1~deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 1132943 1132944 1132945 1132946 1132960 1132968
Changes:
 flatpak (1.14.10-1~deb12u2) bookworm-security; urgency=high
 .
   * Security update
   * d/p/CVE-2026-34078-prep/*.patch:
     Backport libglnx changes required to address CVE-2026-34078
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious or
     compromised Flatpak app
     (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide
     via the system helper.
     (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
   * d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
     d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
     Add patches from upstream flatpak-1.14.x branch (which never got into a
     release before the branch was discontinued), originally from 1.16.1,
     fixing a thread-safety issue in flatpak-portal
   * d/p/1.16.5/*.patch:
     Add regression fixes taken from the upstream 1.16.5 release,
     fixing various regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132960)
   * d/p/1.16.6/*.patch:
     Add regression fixes taken from the upstream 1.16.6 release,
     fixing additional regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132968)
     - d/control: Add curl(1) to Build-Depends and flatpak-tests Depends
   * d/p/1.16.7/bwrap-Clarify-a-comment.patch,
     d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
     Silence a spurious warning seen while testing 1.16.6
Checksums-Sha1:
 58c0151d0a1373e9f77b3c1cf1236944e01cebad 3901 flatpak_1.14.10-1~deb12u2.dsc
 29eda29e492f82aeeb3b670a89d7636267e35cf0 1647100 flatpak_1.14.10.orig.tar.xz
 52fcc6407ed227ae632db6625398800d175de844 833 flatpak_1.14.10.orig.tar.xz.asc
 5c9d2be5bf7d48a9405611e58d8e14a2dfb4f5ee 78968 flatpak_1.14.10-1~deb12u2.debian.tar.xz
 ec4cdb9294c567afa60183906e0ad2015896ce33 12821 flatpak_1.14.10-1~deb12u2_source.buildinfo
Checksums-Sha256:
 b38fafad8940c8222a5e7c23e6ccb32b4a67f0ced9ea77667edfa9b96a1d6b92 3901 flatpak_1.14.10-1~deb12u2.dsc
 6bbdc7908127350ad85a4a47d70292ca2f4c46e977b32b1fd231c2a719d821cd 1647100 flatpak_1.14.10.orig.tar.xz
 86f596ae816c77b6ee2789df177cc194d0a86d5ebd127d2a5c5cf99a627641ca 833 flatpak_1.14.10.orig.tar.xz.asc
 ed0c2bed6fcec0642f3824cc14ccc5c22d30d58e029f6c570e2a7ad82c3b4b9c 78968 flatpak_1.14.10-1~deb12u2.debian.tar.xz
 9aa808ec6a39e1ed091c7b92fc16c87a7b6417451b62ef8f11ab4d2aab7d4d32 12821 flatpak_1.14.10-1~deb12u2_source.buildinfo
Files:
 8541708b99e58ec680c88f60c83fbe1e 3901 admin optional flatpak_1.14.10-1~deb12u2.dsc
 4eb3f96ab7a73b01b408e5bb15630106 1647100 admin optional flatpak_1.14.10.orig.tar.xz
 067ee69526edc3294dcfb3d43fd99de6 833 admin optional flatpak_1.14.10.orig.tar.xz.asc
 58a6c35f6b83bc98fa6be23be65414d3 78968 admin optional flatpak_1.14.10-1~deb12u2.debian.tar.xz
 4518dd7874c84bf826767003fcb7edf3 12821 admin optional flatpak_1.14.10-1~deb12u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEegc60a5pT6Jb/2LlI1wJnT6zMHYFAmnnNDcACgkQI1wJnT6z
MHZ3nA//cjST/seoppo0vkZX8WNRXTBwnv/7k7NXEYavnDWI2SClXWnANXCo47Fq
IwOv5EZqnOiYb8Ytv4ouAAxHVk10TKSlC1hyphiEsZP8NqQYXpV6OBteaPQYgZAa
tyiq5ZDo2tIf8B0he4DRMg+0phIMhK6ES2U/xPHfLyqCc3UqZW7povUFR/HE+EPp
RE7UV4Pib4LB1lJ4/c+tMB3U+lbT2/8X22wo8wKQwsB9OOEijpI0VuoXpn6mBV7e
qIaLj/pi191kKm3M0H3oxsjLQTJzoOENF3Wi9KLOGnUPghMmf9ucCyU79sWAD0kA
4idZt94UwUHWp+zsLrP66PHwliEzhQzWZ0YOXu3QkQEApfF0fNprio9k/w12yQb8
kKgJbSgynycnwSgQ/dROLFTbXr3+c/JeuoLzHE3eq6S+2b/q8BTPDmWuvpY/a8qW
B6IPIeGjETj9BCLlvv/8kK/rt7OuxT2n+feXj/i3tC5RHUXyQFhfD10PzSWfl6oE
PA7qPVnWpi6wESEbuKMJovDNyPsKExTIy6/fZN7QCaDEoPi1+Anb17beNdhZALlI
4R3FvjwTO5hp2ACLdhYx872jMXh2iVAVSsHDi9/6Jeq0AZYo2zH9+DghSLbQdAd8
MNF/fJQokdAB+kU4VtaOcnjbgLsMOUfo1mBZTcs6qDIMPc3wVP4=
=jyUk
-----END PGP SIGNATURE-----