diff mbox series

[meta-oe,4/6] flatpak: upgrade 1.17.3 -> 1.17.6

Message ID 20260413180227.755337-4-skandigraun@gmail.com
State New
Series [meta-networking,1/6] corosync: patch CVE-2026-35091

Commit Message

Gyorgy Sarvari April 13, 2026, 6:02 p.m. UTC
Contains fixes for CVE-2026-34078 and CVE-2026-34079

Add explicit CVE_STATUS tags for these CVEs, because they are tracked
without version info by NVD at this time.

Changelog:
17.6:
Bug fixes:
- Fix the remaining regression for Chromium based browsers by not leaking file
  descriptors down to wrapped command
- Fix a regression when installing extra-data without a runtime, which is the
  case for openh264
- Fix the remaining regression for Epiphany by ignoring unusable sandbox-expose
  paths for sub-sandboxes in the portal
- Fix the installed tests by allowing to add a new ref to an existing temporary
  ostree repo
- Avoid closing fds 0/1/2 when they are used as a bad argument to flatpak-run,
  and reduce duplication in handling file descriptor arguments

Enhancements:
- Disable auto-pin in flatpak-repair to preserve the pin state across
  re-installs
- Small improvements for the tests

17.5:
Bug fixes:
- Fix regressions caused by the sandbox escape security fix, which impact some
  browsers, browser-based apps and Steam (#6577, #6569, #6576, #6574)

Enhancements:
- Expand test coverage of flatpak-run features used by flatpak-portal (#6573)

17.4:
Security fixes:
- Fix a complete sandbox escape which leads to host file access and code
  execution in the host context (CVE-2026-34078)
- Prevent arbitrary file deletion on the host filesystem (CVE-2026-34079)
- Prevent arbitrary read-access to files in the system-helper context
  (GHSA-2fxp-43j9-pwvc)
- Prevent orphaning cross-user pull operations (GHSA-89xm-3m96-w3jg)

Enhancements:
- Enable ntsync unconditionally
- Automatic branch following for extensions to ensure that "no-autodownload"
  extensions stay functional after an update that requires a new branch
- Translation updates: eo, kk, sr, zh_CN

Bug fixes:
- Prevent CPR sequence from showing up in the terminal
- Fix a crash for apps/runtimes with multiarch permission
- Fixes for Coverity warnings
- Add test-preinstall.sh to the test matrix source
- Fix a test message to refer to "systemd-localed" instead of "located"

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../flatpak/{flatpak_1.17.3.bb => flatpak_1.17.6.bb}         | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 rename meta-oe/recipes-extended/flatpak/{flatpak_1.17.3.bb => flatpak_1.17.6.bb} (93%)

Patch

diff --git a/meta-oe/recipes-extended/flatpak/flatpak_1.17.3.bb b/meta-oe/recipes-extended/flatpak/flatpak_1.17.6.bb
similarity index 93%
rename from meta-oe/recipes-extended/flatpak/flatpak_1.17.3.bb
rename to meta-oe/recipes-extended/flatpak/flatpak_1.17.6.bb
index cd461e2632..1512b7239f 100644
--- a/meta-oe/recipes-extended/flatpak/flatpak_1.17.3.bb
+++ b/meta-oe/recipes-extended/flatpak/flatpak_1.17.6.bb
@@ -8,7 +8,7 @@  SRC_URI = " \
     file://0001-flatpak-pc-add-pc_sysrootdir.patch \
 "
 
-SRCREV = "13b26a94a3bd6fec309a16982a3a80d83776d7ac"
+SRCREV = "9b21874f1a175a9b7c79175a221fa043e202ca73"
 
 
 inherit meson pkgconfig gettext systemd gtk-doc gobject-introspection python3native mime features_check useradd
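Review bot: The new SRCREV on the + line is a bare hash, and nothing in this hunk or in the commit message ties it to the 1.17.6 release. Please confirm that 9b21874f1a175a9b7c79175a221fa043e202ca73 is the commit the upstream 1.17.6 tag points to, and say so in the commit message, so a later reader can check that the recipe builds the release that carries the CVE-2026-34078 and CVE-2026-34079 fixes rather than a nearby commit.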
@@ -76,3 +76,6 @@  USERADD_PACKAGES = "${PN}"
 USERADD_PARAM:${PN} = "--system --no-create-home --user-group --shell /sbin/nologin flatpak"
 
 FILES:${PN} += "${libdir} ${datadir}"
+
+CVE_STATUS[CVE-2026-34078] = "fixed-version: fixed in v1.17.4"
+CVE_STATUS[CVE-2026-34079] = "fixed-version: fixed in v1.17.4"
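Review bot: The two CVE_STATUS lines at the end of the recipe have no comment saying why they are needed. The commit message gives the reason (NVD tracks these CVEs without version info at this time); a one-line comment above them stating that would let a later maintainer drop the entries once NVD carries version data. The "fixed in v1.17.4" detail matches the changelog in the commit message, which lists both CVEs under the 17.4 security fixes. The two GHSA-only items in that list have no CVE ID in the visible text, so there is nothing to tag for them here.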