Debian Patches
Status for flatpak/1.17.3-2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| debian/system-helper-Set-Debian-s-canonical-home-directory-for-s.patch | system-helper: Set Debian's canonical home directory for system users | Simon McVittie <smcv@debian.org> | not-needed | | | 2025-03-10 |
| CVE-2026-34078/Update-subtree-libglnx-2026-04-07.patch | Update subtree: libglnx 2026-04-07 * fdio: Avoid relying on VLAs or gcc-specific constant-folding * errors: Fix URL to an old libgsystem commit * lockfile: Assert non-null path in make_lock_file for analyzers * backports: Add g_clear_fd * glnx-errors.h: add glnx_fd_throw[_*] variants * fdio: Add glnx_fd_reopen * local-alloc: Remove duplicate definition of glnx_unref_object * fdio: Add glnx_statx * chase: Add glnx_chaseat which functions similar to openat2 * chase: Add glnx_chase_and_statxat | Simon McVittie <smcv@collabora.com> | yes | upstream | upstream, 1.17.4, commit:1293a6441bf0f8522f73727ff9e9872be6b43f03 | 2026-04-07 |
| CVE-2026-34078/flatpak-bwrap-Add-dup-ing-variant-flatpak_bwrap_add_args_.patch | flatpak-bwrap: Add dup-ing variant flatpak_bwrap_add_args_data_fd_dup | Sebastian Wick <sebastian.wick@redhat.com> | yes | upstream | upstream, 1.17.4, commit:2acdd330d8aa11c6f2fab5467e038bec29c2474e | 2026-02-06 |
| CVE-2026-34078/utils-Add-flatpak_parse_fd.patch | utils: Add flatpak_parse_fd This is meant to parse file descriptor strings passed via the command line. It is not a security mechanism and will happily accept fds 0-3 as well. | Sebastian Wick <sebastian.wick@redhat.com> | yes | upstream | upstream, 1.17.4, commit:50af610ff417dfd66b9c8d7b7846698808a3abd8 | 2026-02-06 |
| CVE-2026-34078/flatpak-bwrap-Use-glnx_close_fd-as-clear-func.patch | flatpak-bwrap: Use glnx_close_fd as clear func We already have a function which clears a fd that a pointer points to, so let's use it instead of duplicating the code. Will become useful in a later commit as well. | Sebastian Wick <sebastian.wick@redhat.com> | yes | upstream | upstream, 1.17.4, commit:aab3f42374634518fdd0d71ab2369bb7557f34d1 | 2026-02-06 |
| CVE-2026-34078/run-Use-O_PATH-fds-for-the-runtime-and-app-deploy-directo.patch | run: Use O_PATH fds for the runtime and app deploy directories This also allows us to use glnx_chaseat, and other at-functions to traverse the filesystem tree in a safe way. This is important because the app and runtime deploy directories can be under an attacker's control. The flatpak portal for example allows sandboxed apps to provide them. In particular, attacks where the deploy dirs get replaced by a symlink pointing into the host system will be stopped by this. Note that this change alone is not enough to avoid the attack, and the portal has to be changed as well. | Sebastian Wick <sebastian.wick@redhat.com> | yes | upstream | upstream, 1.17.4, commit:ac62ebe3080401501efb47044981d2b519629186 | 2026-02-06 |
| CVE-2026-34078/run-Add-usr-fd-and-app-fd-options.patch | run: Add --usr-fd and --app-fd options Exposes options to pass in a fd for the runtime and app deploy. The flatpak portal will make use of this in a following commit. | Sebastian Wick <sebastian.wick@redhat.com> | yes | upstream | upstream, 1.17.4, commit:1b5e886d7f22f2ee81c2149c04e915bf4cabe518 | 2026-02-06 |
| CVE-2026-34078/run-Add-ro-bind-fds-to-flatpak_run_app.patch | run: Add (ro-)bind fds to flatpak_run_app The flatpak portal allows apps to expose files and folders from within the sandbox to a side-sandbox using flatpak-spawn. So far it has used the --filesystem option to mount those files and folders, but it takes a path. Paths are inherently racy and they allow the app to swap out any component of the path with a symlink after handing it off. If they win the race, flatpak will mount a completely different directory. This adds a new way to mount files and directories based on an O_PATH file descriptor that needs to be provided when execing the flatpak binary. | Sebastian Wick <sebastian.wick@redhat.com> | yes | upstream | upstream, 1.17.4, commit:2ed87aff36bb162434a5c8e926396b5121b5e183 | 2026-02-06 |
| CVE-2026-34078/run-Add-ro-bind-fd-options.patch | run: Add --(ro-)bind-fd options Exposes the functionality added to flatpak_run_app in the previous commit with two new options. | Sebastian Wick <sebastian.wick@redhat.com> | yes | upstream | upstream, 1.17.4, commit:b5ae89ed332e0f0c9f642bbdddb7c3cbd2f6fae6 | 2026-02-06 |
| CVE-2026-34078/portal-Use-bind-fd-app-fd-and-usr-fd-options-to-avoid-rac.patch | portal: Use --bind-fd, --app-fd and --usr-fd options to avoid races Now that flatpak_run_app accepts fds for app and runtime deploy, as well as bind and ro-bind fds, and flatpak-run exposes the functionality, we can finally hook this all up to the flatpak portal! | Sebastian Wick <sebastian.wick@redhat.com> | yes | upstream | upstream, 1.17.4, commit:3c500145fd4c056a41d36f32138ae61735898087 | 2026-02-06 |
| CVE-2026-34079/utils-Only-remove-cached-files-in-the-cache-directory.patch | utils: Only remove cached files in the cache directory The function flatpak_switch_symlink_and_remove is used to implement a cache for ld.so (regenerate_ld_cache). If the active symlink changes to a new cache file, the old cache file is supposed to get removed. The symlink still points to the old cache file, so we would remove the file that it points to and then point at the new file. Because the symlink is under the app's control, the symlink can point anywhere, and the removal happens in the host context, which allows an app to remove arbitrary files on the host. The filenames of the cache files are checksums, which means that we can ensure that the link is a file in the same directory as the link by checking that it only contains the chars a-zA-Z0-9. | Sebastian Wick <sebastian.wick@redhat.com> | yes | upstream | upstream, 1.17.4, commit:c94b780e58fd3a6d92a9e7e145dac7a1f5e40d92 | 2026-01-09 |
| GHSA-2fxp-43j9-pwvc/utils-Do-not-follow-symlinks-in-flatpak_open_file_at.patch | utils: Do not follow symlinks in flatpak_open_file_at We use flatpak_open_file_at in the context of the system helper to open files written by a user. This means that we want to prevent DoS and exposing files which only the system helper has access to. To prevent DoS and avoid side effects, the file is opened with O_NONBLOCK and O_NOCTTY. To prevent leaking files, the file is supposed to not open symlinks. This part, we failed at. We check if the opened file is a regular file, but what we actually checked is whether the file a symlink might point at is a regular file. Fix this by also specifying O_NOFOLLOW in openat. | Sebastian Wick <sebastian.wick@redhat.com> | yes | upstream | upstream, 1.17.4, commit:3c111d9e19267dad63bf006647c1d44861a7fec5 | 2026-01-12 |
| GHSA-89xm-3m96-w3jg/system-helper-Only-remove-an-ongoing-pull-if-users-match.patch | system-helper: Only remove an ongoing pull if users match The code would always remove a pull from the hashtable, and then check if the users match and abort if they don't. Either way, the pull gets dropped. Fix this by only removing the pull if the dir and the user match. | Sebastian Wick <sebastian.wick@redhat.com> | yes | upstream | upstream, 1.17.4, commit:f1bdc6aeae91f7171d1529f40267acc78825231d | 2026-02-07 |
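The two symlink checks described in the CVE-2026-34079 and GHSA-2fxp-43j9-pwvc commit messages above, as an added example in plain POSIX C. This is not flatpak's own code: open_regular_file_at, is_checksum_name, switch_symlink_and_remove and run_symlink_checks_demo are this example's names, not flatpak_open_file_at or flatpak_switch_symlink_and_remove, and refusing (rather than, say, just skipping the removal) when the old link target is not a checksum-shaped name is an assumption of this example. The scratch directory, file names and "../victim" link are constructed test data.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` under `dirfd` for reading. O_NONBLOCK/O_NOCTTY stop a FIFO or tty
 * from blocking the caller or becoming its controlling terminal; O_NOFOLLOW is
 * what the GHSA-2fxp-43j9-pwvc fix adds. With `follow` set (pre-fix behaviour,
 * kept only for comparison) a symlink to a regular file passes the S_ISREG
 * check, because fstat() reports on the target, not on the link. */
static int open_regular_file_at(int dirfd, const char *name, int follow)
{
    int flags = O_RDONLY | O_NONBLOCK | O_NOCTTY | O_CLOEXEC | (follow ? 0 : O_NOFOLLOW);
    int fd = openat(dirfd, name, flags);
    if (fd < 0)
        return -1;                   /* errno == ELOOP when a symlink is refused */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;              /* this example's policy: regular files only */
        return -1;
    }
    return fd;
}

/* ld.so cache files are named by checksum: non-empty, only [a-zA-Z0-9]. Such a
 * name cannot contain '/' or be "." or "..", so a symlink target that passes
 * can only be an entry in the symlink's own directory. */
static int is_checksum_name(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++)
        if (!((*s >= 'a' && *s <= 'z') || (*s >= 'A' && *s <= 'Z') || (*s >= '0' && *s <= '9')))
            return 0;
    return 1;
}

/* Repoint `linkname` (under dirfd) at `new_target`, then delete the previous
 * target, but only when that target passes is_checksum_name(). Without the
 * check, an app-controlled link such as "../../etc/passwd" would be unlinked
 * with the host helper's privileges (CVE-2026-34079). Returns 0 on success,
 * -1 on error or refusal (refusing is this example's policy, not flatpak's). */
static int switch_symlink_and_remove(int dirfd, const char *linkname, const char *new_target)
{
    char old[256];
    ssize_t n = readlinkat(dirfd, linkname, old, sizeof old - 1);
    if (n < 0 && errno != ENOENT)
        return -1;
    if (n >= 0) {
        old[n] = '\0';
        if (!is_checksum_name(old))
            return -1;               /* target is not a sibling cache file */
    }
    if (!is_checksum_name(new_target))
        return -1;
    /* Atomic switch: create the new link under a temporary name, rename it over. */
    unlinkat(dirfd, "tmp-link", 0);
    if (symlinkat(new_target, dirfd, "tmp-link") < 0 || renameat(dirfd, "tmp-link", dirfd, linkname) < 0)
        return -1;
    if (n >= 0 && strcmp(old, new_target) != 0 && unlinkat(dirfd, old, 0) < 0 && errno != ENOENT)
        return -1;
    return 0;
}

static int touch_at(int dirfd, const char *name)
{
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0)
        close(fd);
    return fd < 0 ? -1 : 0;
}

/* Exercises both checks in a scratch directory built here (constructed test
 * data, not real flatpak state). Returns a bitmask: 0xF means every check
 * behaved as the commit messages describe. */
int run_symlink_checks_demo(void)
{
    char tmpl[] = "/tmp/flatpak-symlink-demo-XXXXXX";
    struct stat st;
    int result = 0, fd;
    if (!mkdtemp(tmpl))
        return -1;
    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;
    /* 1. A "user-written" name that is really a symlink to a private file. */
    touch_at(dirfd, "secret");
    symlinkat("secret", dirfd, "link");
    if ((fd = open_regular_file_at(dirfd, "link", 1)) >= 0) {
        result |= 1;                 /* pre-fix: the link is followed */
        close(fd);
    }
    if (open_regular_file_at(dirfd, "link", 0) < 0 && errno == ELOOP)
        result |= 2;                 /* fixed: refused */
    /* 2. Benign cache rotation: active -> abc123, switched to def456. */
    touch_at(dirfd, "abc123");
    touch_at(dirfd, "def456");
    symlinkat("abc123", dirfd, "active");
    if (switch_symlink_and_remove(dirfd, "active", "def456") == 0 &&
        fstatat(dirfd, "abc123", &st, 0) < 0 && errno == ENOENT)
        result |= 4;                 /* old cache file removed, nothing else */
    /* 3. Hostile link pointing outside the cache directory. */
    mkdirat(dirfd, "cache", 0700);
    int cachefd = openat(dirfd, "cache", O_RDONLY | O_DIRECTORY);
    touch_at(dirfd, "victim");
    touch_at(cachefd, "0123abcd");
    symlinkat("../victim", cachefd, "active");
    if (switch_symlink_and_remove(cachefd, "active", "0123abcd") < 0 &&
        fstatat(dirfd, "victim", &st, 0) == 0)
        result |= 8;                 /* refused, victim survived */
    /* Clean up the scratch directory. */
    const char *files[] = { "secret", "link", "def456", "active", "victim", "cache/active", "cache/0123abcd" };
    for (size_t i = 0; i < sizeof files / sizeof *files; i++)
        unlinkat(dirfd, files[i], 0);
    unlinkat(dirfd, "cache", AT_REMOVEDIR);
    close(cachefd);
    close(dirfd);
    rmdir(tmpl);
    return result;
}
```

The demo's first case is the whole GHSA bug in two calls: the same fstat/S_ISREG check passes when the symlink is followed and never runs when O_NOFOLLOW makes openat fail with ELOOP. The third case is the CVE-2026-34079 shape: because "../victim" cannot be a checksum name, the helper never issues an unlink for it, no matter what the link under the app's control points at.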
All known versions for source package 'flatpak'
- 1.17.3-2 (experimental)
- 1.16.6-1 (sid)
- 1.16.3-1 (forky)
- 1.16.3-1~deb13u1 (trixie)
- 1.16.1-1~bpo12+1 (bookworm-backports)
- 1.14.10-1~deb12u1 (bookworm, bookworm-security)
