Package: release.debian.org
Severity: normal
Tags: trixie
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: flatpak@packages.debian.org
Control: affects -1 + src:flatpak
[ Reason ]
Fix CVE-2024-32462, a sandbox escape vulnerability, without having to
wait for the whole 64-bit time_t transition.
[ Impact ]
If not fixed, malicious or compromised Flatpak apps can execute arbitrary
code on the host system. (Severity: grave)
The new upstream release also fixes one high-visibility non-security bug:
after some infrastructure changes on Flathub, the flatpak(1) CLI currently
mis-displays apps' developer names as though they were the name of the app,
for example showing org.chromium.Chromium as "The Chromium Authors" instead
of the correct "Chromium Web Browser". The proposed version corrects this.
(Severity: important)
[ Tests ]
Flatpak has a rather large test suite, which still passes. Unfortunately,
most tests have to be skipped when running under schroot or lxc because
those frameworks don't allow creating a nested user namespace, but I do
run the autopkgtest suite under autopkgtest-virt-qemu before uploading.
There is new automated test coverage for CVE-2024-32462 and for the
mis-display of app names.
I'll do a smoke-test on a trixie GNOME VM (install an app, run an app,
and verify that CVE-2024-32462 is fixed) before uploading.