Format: 1.8
Date: Fri, 10 Apr 2026 20:03:53 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: ppc64el
Version: 1.16.6-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: ppc64el Build Daemon (ppc64el-osuosl-01)
Changed-By: Simon McVittie
Description:
 flatpak - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1) trixie-security; urgency=high
 .
   * Backport new upstream stable release for Debian 13
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to
       achieve arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a malicious
       or compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as
       well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to
       cancel an ongoing download of apps or runtimes installed
       system-wide via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Revert changes that are not appropriate for a stable update:
     - Revert "d/watch: Convert to v5 format, only watch stable
       (even-numbered) releases"
     - Revert "Standards-Version: 4.7.3"