Suggestions search

All statuses

Filter by:

With package: flatpak

Found 2 matching suggestions

View:

Compact

Detailed

Published

Permalink CVE-2026-34079

updated 3 weeks, 5 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 5 days ago
@LeSuisse ignored
7 packages
- mpc-qt
- flatpak-builder
- flatpak-xdg-utils
- libsForQt5.flatpak-kcm
- kdePackages.flatpak-kcm
- plasma5Packages.flatpak-kcm
- haskellPackages.cabal-flatpak
3 weeks, 5 days ago
@LeSuisse deleted maintainer @getchoo 3 weeks, 5 days ago maintainer.delete
@LeSuisse accepted 3 weeks, 5 days ago
@LeSuisse published on GitHub 3 weeks, 5 days ago

Flatpak affected by arbitrary file deletion on the host filesystem

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.

References

https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp x_refsource_CONFIRM

Affected products

flatpak

==< 1.16.4

Matching in nixpkgs

pkgs.flatpak

Linux application sandboxing and distribution framework

nixos-unstable 1.16.3
- nixpkgs-unstable 1.16.3
- nixos-unstable-small 1.16.3
nixos-25.11 1.16.2
- nixos-25.11-small 1.16.2
- nixpkgs-25.11-darwin 1.16.2

Ignored packages (7)

pkgs.mpc-qt

Media Player Classic Qute Theater

nixos-25.11 24.12.1-flatpak
- nixos-25.11-small 24.12.1-flatpak
- nixpkgs-25.11-darwin 24.12.1-flatpak

pkgs.flatpak-builder

Tool to build flatpaks from source

nixos-unstable 1.4.4
- nixpkgs-unstable 1.4.4
- nixos-unstable-small 1.4.4
nixos-25.11 1.4.4
- nixos-25.11-small 1.4.4
- nixpkgs-25.11-darwin 1.4.4

pkgs.flatpak-xdg-utils

Commandline utilities for use inside Flatpak sandboxes

nixos-unstable 1.0.6
- nixpkgs-unstable 1.0.6
- nixos-unstable-small 1.0.6
nixos-25.11 1.0.6
- nixos-25.11-small 1.0.6
- nixpkgs-25.11-darwin 1.0.6

pkgs.libsForQt5.flatpak-kcm

None

pkgs.kdePackages.flatpak-kcm

Flatpak Permissions Management KCM

nixos-unstable 6.6.3
- nixpkgs-unstable 6.6.3
- nixos-unstable-small 6.6.3
nixos-25.11 6.5.6
- nixos-25.11-small 6.5.6
- nixpkgs-25.11-darwin 6.5.6

pkgs.plasma5Packages.flatpak-kcm

None

pkgs.haskellPackages.cabal-flatpak

Generate a FlatPak manifest from a Cabal package description

nixos-unstable 0.1.2
- nixpkgs-unstable 0.1.2
- nixos-unstable-small 0.1.2
nixos-25.11 0.1.2
- nixos-25.11-small 0.1.2
- nixpkgs-25.11-darwin 0.1.2

Package maintainers

Ignored maintainers (1)

@getchoo Seth Flynn <getchoo@tuta.io>

Published

Permalink CVE-2026-34078

updated 3 weeks, 5 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 5 days ago
@LeSuisse ignored
7 packages
- mpc-qt
- flatpak-builder
- flatpak-xdg-utils
- libsForQt5.flatpak-kcm
- kdePackages.flatpak-kcm
- plasma5Packages.flatpak-kcm
- haskellPackages.cabal-flatpak
3 weeks, 5 days ago
@LeSuisse deleted maintainer @getchoo 3 weeks, 5 days ago maintainer.delete
@LeSuisse accepted 3 weeks, 5 days ago
@LeSuisse published on GitHub 3 weeks, 5 days ago

Flatpak has a complete sandbox escape leading to host file access and code execution in the host context

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.