Format: 1.8
Date: Fri, 10 Apr 2026 20:03:53 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: i386
Version: 1.16.6-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02)
Changed-By: Simon McVittie
Description:
 flatpak - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1) trixie-security; urgency=high
 .
   * Backport new upstream stable release for Debian 13
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to
       achieve arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a
       malicious or compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by
       the _flatpak system user. A mitigation is that it would be very
       unusual for these files not to be readable by the original local
       user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to
       cancel an ongoing download of apps or runtimes installed
       system-wide via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Revert changes that are not appropriate for a stable update:
     - Revert "d/watch: Convert to v5 format, only watch stable
       (even-numbered) releases"
     - Revert "Standards-Version: 4.7.3"