
Bug#1033160: bullseye-pu: package flatpak/1.10.8-0+deb11u1



Control: tags -1 + confirmed

On Sat, 2023-03-18 at 16:20 +0000, Simon McVittie wrote:
> CVE-2023-28101: A malicious Flatpak app could prevent the flatpak(1) CLI
> from displaying its permissions as intended, by having crafted permissions
> or other metadata containing terminal escape sequences or other special
> characters. (#1033098)
> 
> CVE-2023-28100: A malicious Flatpak app could execute code outside the
> sandbox if run from a Linux virtual console. (#1033099)
> 
> Additionally, the new upstream stable release has some other bug fixes
> backported from 1.12.x and 1.14.x for:
> - temporary directories not being cleaned up if an upgrade is cancelled,
>   in particular if it's blocked by parental controls (libmalcontent);
> - the `flatpak history` command, which didn't previously work in bullseye;
> 

Please go ahead.

Regards,

Adam

