Debian Package Tracker

flatpak

Application deployment framework for desktop apps


general
  • source: flatpak (main)
  • version: 1.12.7-1
  • maintainer: Utopia Maintenance Team (archive) (DMD)
  • uploaders: Simon McVittie [DMD] – Matthias Klumpp [DMD]
  • arch: all
  • std-ver: 4.6.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.8.9-0+deb9u3
  • o-o-sec: 0.8.9-0+deb9u2
  • o-o-bpo: 1.2.5-0+deb10u1~bpo9+1
  • oldstable: 1.2.5-0+deb10u4
  • old-sec: 1.2.5-0+deb10u4
  • old-bpo: 1.10.7-0+deb11u1~bpo10+1
  • stable: 1.10.5-0+deb11u1
  • stable-sec: 1.10.7-0+deb11u1
  • stable-bpo: 1.12.7-1~bpo11+1
  • testing: 1.12.7-1
  • unstable: 1.12.7-1
  • exp: 1.13.2-1
versioned links
  • 0.8.9-0+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.8.9-0+deb9u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.2.5-0+deb10u1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.2.5-0+deb10u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.10.3-0+deb11u1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.10.5-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.10.7-0+deb11u1~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.10.7-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.12.7-1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.12.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.13.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • flatpak (14 bugs: 0, 13, 1, 0)
  • flatpak-tests
  • gir1.2-flatpak-1.0
  • libflatpak-dev
  • libflatpak-doc
  • libflatpak0
action needed
Marked for autoremoval on 30 June due to nvidia-graphics-drivers-tesla-470: #1011146 high
Version 1.12.7-1 of flatpak is marked for autoremoval from testing on Thu 30 Jun 2022. It depends (transitively) on nvidia-graphics-drivers-tesla-470, affected by #1011146. You should try to prevent the removal by fixing these RC bugs.
Created: 2022-05-24 Last update: 2022-05-25 19:13
The VCS repository is not up to date, push the missing commits. high
vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS is out of date. A common cause of the latter when using Git is not specifying the correct branch when the packaging is not in the default one (the remote HEAD branch, usually "master", which can be changed on salsa.debian.org in the project's general settings via the "Default Branch" field). Alternatively, the Vcs-Git field in debian/control can carry a "-b <branch-name>" suffix to indicate which branch holds the Debian packaging.
Created: 2022-03-03 Last update: 2022-05-19 03:11
Depends on packages which need a new maintainer normal
The packages that flatpak depends on which need a new maintainer are:
  • dh-exec (#851746)
    • Build-Depends: dh-exec
Created: 2019-11-22 Last update: 2022-05-25 18:33
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.6.0).
Created: 2022-05-11 Last update: 2022-05-11 23:24
No known security issue in buster wishlist

There are 3 open security issues in buster.

3 ignored issues:
  • CVE-2021-41133: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.
  • CVE-2021-43860: Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "xa.metadata" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the *actual* metadata, from the "metadata" file to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from *before* the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata.
  • CVE-2022-21682: Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not a problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.
Created: 2021-10-08 Last update: 2022-03-26 17:38
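The CVE-2021-43860 workaround above says to check the metadata file by hand; the following added example (not Flatpak's or Debian's own code) models the bug's root cause so the check can be automated: it parses a constructed `metadata` keyfile once as a C string (truncated at the first NUL, which is what the install-time permission summary effectively saw) and once in full, and reports any [Context] permission that only the full parse contains. The keyfile parser is a simplified model of the format, not GLib's GKeyFile.

```python
"""Flag Flatpak [Context] permissions hidden behind an embedded NUL byte."""
from typing import Dict, Set

# Constructed sample: a benign-looking app whose metadata smuggles extra
# permissions after a NUL byte, so a C-string read stops at 'shared=network;'.
SAMPLE_METADATA = (
    b"[Application]\n"
    b"name=org.example.Sample\n"
    b"runtime=org.freedesktop.Platform/x86_64/21.08\n"
    b"\n"
    b"[Context]\n"
    b"shared=network;\n"
    b"\x00\n"
    b"filesystems=host;\n"
    b"devices=all;\n"
)


def as_c_string(data: bytes) -> bytes:
    """What a C-style string read of the file yields: bytes before the first NUL."""
    nul = data.find(b"\x00")
    return data if nul < 0 else data[:nul]


def parse_context(data: bytes) -> Dict[str, Set[str]]:
    """Simplified keyfile parser: collect 'key=a;b;' lists from the [Context] group."""
    perms: Dict[str, Set[str]] = {}
    in_context = False
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_context = line == "[Context]"
            continue
        if in_context and "=" in line:
            key, _, value = line.partition("=")
            perms.setdefault(key.strip(), set()).update(v for v in value.split(";") if v)
    return perms


def hidden_permissions(data: bytes) -> Dict[str, Set[str]]:
    """Permissions present in the full parse but absent from the C-string view."""
    shown = parse_context(as_c_string(data))
    actual = parse_context(data)
    return {k: v - shown.get(k, set()) for k, v in actual.items() if v - shown.get(k, set())}


def check_metadata(data: bytes) -> list:
    """Human-readable findings; an empty list means nothing suspicious."""
    findings = ["metadata contains an embedded NUL byte"] if b"\x00" in data else []
    for key, values in sorted(hidden_permissions(data).items()):
        findings.append(f"hidden {key}: {';'.join(sorted(values))}")
    return findings
```

On a real system the input would be the `metadata` file of an installed app (path under the Flatpak installation directory); a clean file yields no findings.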
news
[rss feed]
  • [2022-03-20] Accepted flatpak 1.12.7-1~bpo11+1 (source) into bullseye-backports (Simon McVittie)
  • [2022-03-20] flatpak 1.12.7-1 MIGRATED to testing (Debian testing watch)
  • [2022-03-14] Accepted flatpak 1.12.7-1 (source) into unstable (Simon McVittie)
  • [2022-03-14] Accepted flatpak 1.13.2-1 (source) into experimental (Simon McVittie)
  • [2022-03-02] Accepted flatpak 1.13.1-1 (source) into experimental (Simon McVittie)
  • [2022-02-28] Accepted flatpak 1.12.6-1~bpo11+1 (source) into bullseye-backports (Simon McVittie)
  • [2022-02-28] flatpak 1.12.6-1 MIGRATED to testing (Debian testing watch)
  • [2022-02-22] Accepted flatpak 1.12.5-1~bpo11+1 (source) into bullseye-backports (Simon McVittie)
  • [2022-02-22] Accepted flatpak 1.12.6-1 (source) into unstable (Simon McVittie)
  • [2022-02-17] flatpak 1.12.5-1 MIGRATED to testing (Debian testing watch)
  • [2022-02-11] Accepted flatpak 1.12.5-1 (source) into unstable (Simon McVittie)
  • [2022-01-24] Accepted flatpak 1.12.4-1~bpo11+1 (source) into bullseye-backports (Simon McVittie)
  • [2022-01-24] flatpak 1.12.4-1 MIGRATED to testing (Debian testing watch)
  • [2022-01-22] Accepted flatpak 1.10.7-0+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Simon McVittie)
  • [2022-01-21] Accepted flatpak 1.10.7-0+deb11u1~bpo10+1 (source) into buster-backports->backports-policy, buster-backports (Debian FTP Masters) (signed by: Simon McVittie)
  • [2022-01-20] Accepted flatpak 1.10.7-0+deb11u1 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Simon McVittie)
  • [2022-01-18] Accepted flatpak 1.12.4-1 (source) into unstable (Simon McVittie)
  • [2022-01-15] flatpak 1.12.3-1 MIGRATED to testing (Debian testing watch)
  • [2022-01-12] Accepted flatpak 1.12.3-1 (source) into unstable (Simon McVittie)
  • [2022-01-12] Accepted flatpak 1.12.3-1~bpo11+1 (source) into bullseye-backports (Simon McVittie)
  • [2021-12-19] flatpak 1.12.2-2 MIGRATED to testing (Debian testing watch)
  • [2021-12-13] Accepted flatpak 1.12.2-2 (source) into unstable (Simon McVittie)
  • [2021-10-20] Accepted flatpak 1.10.5-0+deb11u1~bpo10+1 (source) into buster-backports->backports-policy, buster-backports (Debian FTP Masters) (signed by: Simon McVittie)
  • [2021-10-18] Accepted flatpak 1.12.2-1~bpo11+1 (source) into bullseye-backports (Simon McVittie)
  • [2021-10-18] flatpak 1.12.2-1 MIGRATED to testing (Debian testing watch)
  • [2021-10-16] Accepted flatpak 1.10.5-0+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Simon McVittie)
  • [2021-10-15] Accepted flatpak 1.12.1-1~bpo11+1 (all amd64 source) into bullseye-backports, bullseye-backports (Debian FTP Masters) (signed by: Simon McVittie)
  • [2021-10-15] Accepted flatpak 1.10.3-0+deb11u1~bpo11+1 (source) into buster-backports->backports-policy, buster-backports (Debian FTP Masters) (signed by: Simon McVittie)
  • [2021-10-12] Accepted flatpak 1.10.5-0+deb11u1 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Simon McVittie)
bugs [bug history graph]
  • all: 17
  • RC: 0
  • I&N: 16
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • buildd: logs, exp, clang, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • l10n (-, 72)
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 1.12.7-1
  • 8 bugs

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers