Nixpkgs security tracker
NIXPKGS-2026-0955
GitHub issue
published on
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
7 packages
- mpc-qt
- flatpak-builder
- flatpak-xdg-utils
- libsForQt5.flatpak-kcm
- kdePackages.flatpak-kcm
- plasma5Packages.flatpak-kcm
- haskellPackages.cabal-flatpak
- @LeSuisse deleted maintainer @getchoo maintainer.delete
- @LeSuisse accepted
- @LeSuisse published on GitHub
Flatpak affected by arbitrary file deletion on the host filesystem
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
References
-
https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp x_refsource_CONFIRM
Affected products
flatpak
- ==< 1.16.4
Matching in nixpkgs
Ignored packages (7)
pkgs.mpc-qt
Media Player Classic Qute Theater
-
nixos-25.11 24.12.1-flatpak
- nixos-25.11-small 24.12.1-flatpak
- nixpkgs-25.11-darwin 24.12.1-flatpak
pkgs.flatpak-builder
Tool to build flatpaks from source
pkgs.flatpak-xdg-utils
Commandline utilities for use inside Flatpak sandboxes
pkgs.libsForQt5.flatpak-kcm
None
pkgs.kdePackages.flatpak-kcm
Flatpak Permissions Management KCM
pkgs.plasma5Packages.flatpak-kcm
None
Package maintainers
Ignored maintainers (1)
-
@getchoo Seth Flynn <getchoo@tuta.io>