Releases: flatpak/flatpak

1.10.7

18 Jan 18:49

This is an "old-stable" update for users of the Flatpak 1.10.x branch, such as Debian 11. In environments that do not need to stay on a specific branch, updating to the newest stable version instead of using this version is recommended. At the time of writing, the newest stable version is 1.12.4.

Released: 2021-01-18

This is a regression fix update, reverting non-backwards-compatible
behaviour changes in the solution previously chosen for CVE-2022-21682.

Flatpak 1.12.3 and 1.10.6 changed the behaviour of --nofilesystem=host
and --nofilesystem=home in a way that was not backwards-compatible in
all cases. For example, some Flatpak users previously used a global
flatpak override --nofilesystem=home or
flatpak override --nofilesystem=host, but expected that individual apps
would still be able to have finer-grained filesystem access granted by the
app manifest, such as Zoom's --filesystem=~/Documents/Zoom:create. With
the changes in 1.12.3, this no longer had the intended result, because
--nofilesystem=home was special-cased to disallow inheriting the
finer-grained --filesystem.

Flatpak 1.12.4 and 1.10.7 return to the previous behaviour of
--nofilesystem=host and --nofilesystem=home. Instead, CVE-2022-21682
will be resolved by a new 1.2.2 release of flatpak-builder, which will
use a new option --nofilesystem=host:reset introduced in Flatpak 1.12.4
and 1.10.7. In addition to behaving like --nofilesystem=host, the new
option prevents filesystem permissions from being inherited from the
app manifest.
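As an added illustration (not Flatpak's own code), the following audit parses a global override and an app's metadata in the `[Context] filesystems=...;` keyfile form and reports which finer-grained manifest grants survive a broad `--nofilesystem=home` or `--nofilesystem=host` override under the 1.12.4 semantics described above. The sample files are constructed, and the `!host:reset` spelling for `--nofilesystem=host:reset` in an override file is an assumption.

```python
import configparser

# Added illustration, not Flatpak's own code. Constructed samples in the
# "[Context] filesystems=...;" keyfile form Flatpak uses for overrides and
# app metadata: a global `flatpak override --nofilesystem=home`, the same
# with host:reset (the "!host:reset" spelling is an assumption), and a
# manifest modelled on the Zoom example in the notes above.
NOHOME_OVERRIDE = "[Context]\nfilesystems=!home;\n"
RESET_OVERRIDE = "[Context]\nfilesystems=!host:reset;\n"
APP_METADATA = "[Context]\nfilesystems=home;~/Documents/Zoom:create;\n"
BROAD = ("host", "home")

def parse_filesystems(keyfile_text):
    """Return the filesystems= entries of the [Context] group as a list."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(keyfile_text)
    raw = cp.get("Context", "filesystems", fallback="")
    return [entry for entry in raw.split(";") if entry]

def name_of(entry):
    """Bare location without the '!' prefix or a :ro/:create/:reset suffix."""
    return entry.lstrip("!").split(":", 1)[0]

def effective_filesystems(manifest_text, override_text):
    """Apply override entries to manifest grants per the 1.12.4 notes:
    !host / !home negate only the entry of that name, so finer-grained
    paths inherited from the manifest survive; !host:reset drops every
    inherited entry.  Positive override entries are added as granted."""
    granted = parse_filesystems(manifest_text)
    for entry in parse_filesystems(override_text):
        if not entry.startswith("!"):
            granted.append(entry)
        elif entry == "!host:reset":
            granted = []  # nothing from the manifest survives a reset
        else:
            granted = [g for g in granted if name_of(g) != name_of(entry)]
    return granted

def leaked_fine_grained(manifest_text, override_text):
    """Finer-grained manifest grants that outlive a broad !host/!home
    override; an empty list means the override is as strict as intended."""
    negated = {name_of(e) for e in parse_filesystems(override_text)
               if e.startswith("!")}
    if not negated & set(BROAD):
        return []  # no broad negation present: nothing to audit
    return [g for g in effective_filesystems(manifest_text, override_text)
            if name_of(g) not in BROAD]
```

Running `leaked_fine_grained(APP_METADATA, NOHOME_OVERRIDE)` reports the Zoom path as still granted, while the `host:reset` override leaves nothing inherited.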

Other changes:

  • Clarify documentation of --nofilesystem
  • Improve unit test coverage around --filesystem and --nofilesystem
  • Restore compatibility with older appstream-glib versions, fixing a
    regression in 1.12.3
  • Update variant-schema-compiler subproject to fix builds with newer
    versions of pyparsing (the content of the generated code is not affected)
  • Make the unit test for CVE-2021-43860 robust against versions of Python's
    http.server module that only read timestamps with a 1 second granularity

sha256:

6d10b13d435ca4d1c2bddb8338a85a19c8efd5df84ed97ef7d3c385bb56adb8d *flatpak-1.10.7.tar.xz

Release 1.12.3

12 Jan 18:54

This is a security update that fixes two issues that were found in flatpak:

GHSA-qpjc-vq3c-572j
(also known as CVE-2021-43860)

This issue is about the possibility for a malicious repository to send
invalid application metadata in a way that hides some of the app
permissions displayed during installation.

GHSA-8ch7-5j3h-g4fx

This issue is a problem with how flatpak-builder uses flatpak, that
can cause flatpak-builder --mirror-screenshots-url commands to be
allowed to create directories outside of the build directory.

The fix for this is done in flatpak by making the --nofilesystem=host
and --nofilesystem=home more powerful. They previously only removed
access to the particular location, i.e. --nofilesystem=host negated
--filesystem=host, but not --filesystem=/some/dir. This is a minor
change in behavior, as it may change the behavior of an override
with these specific options; however, it is likely that the new
behavior was the expected one.

Other changes:

  • Extra-data downloading now properly handles compressed content-encodings
    which fixes checksum verification (see #4415)
    Note: In some corner case server setups this may require the extra-data
    checksum to be changed
  • Avoid unnecessary policy-kit dialog due to auto-pinning when installing runtimes
  • Better handling of updates of extensions that exist in multiple repositories
  • Fixed (initial) installation apps with renamed ids
  • Support more pulseaudio configuration, including the one used in WSL2
  • Fixed regression in updates from no-enumerate remotes
  • We now verify checksums of summary caches, to better handle local file
    corruption
  • Improved cli output for non-terminal targets
  • flatpak run --session-bus now works
  • Fix build with PyParsing >= 3.0.4
  • Fixed "Since" annotations on FlatpakTransaction signals
  • bash auto completion now doesn't complete on command name aliases
  • Minor improvements to the search command
  • Minor improvements to the list command
  • Minor improvements to the repair command
  • Add more tests
  • Updated translations and docs

$ sha256sum flatpak-1.12.3.tar.xz
d715f23347d7eb859301c8f0c778a899bb7c9e26dac6ae2a2a4b9fc21cf77b69  flatpak-1.12.3.tar.xz

Release 1.10.6

12 Jan 18:55

This is a security update that fixes two issues that were found in flatpak:

GHSA-qpjc-vq3c-572j
(also known as CVE-2021-43860)

This issue is about the possibility for a malicious repository to send
invalid application metadata in a way that hides some of the app
permissions displayed during installation.

GHSA-8ch7-5j3h-g4fx

This issue is a problem with how flatpak-builder uses flatpak, that
can cause flatpak-builder --mirror-screenshots-url commands to be
allowed to create directories outside of the build directory.

The fix for this is done in flatpak by making the --nofilesystem=host
and --nofilesystem=home more powerful. They previously only removed
access to the particular location, i.e. --nofilesystem=host negated
--filesystem=host, but not --filesystem=/some/dir. This is a minor
change in behavior, as it may change the behavior of an override
with these specific options; however, it is likely that the new
behavior was the expected one.

Other changes:

  • Fix error handling for the syscalls that are blocked when not using --devel
  • Improve diagnostic messages when seccomp rules cannot be applied
  • Update Polish translation

$ sha256sum flatpak-1.10.6.tar.xz
01d7edb111531ab581d3b434c0ec533ab429b3c2eefa9dc5c1f33f1994ad183a  flatpak-1.10.6.tar.xz

1.12.2

12 Oct 16:38

This stable release fixes some minor issues found in 1.12.0 and 1.12.1.

  • Install translations referenced by LANG, LANGUAGE or LC_ALL
  • Fix error handling for the syscalls that are blocked when not using --devel
  • Improve diagnostic messages when seccomp rules cannot be applied
  • Update Polish translation

$ sha256sum flatpak-1.12.2.tar.xz
df1eb464f9142c11627f99f04f6a5c02c868bbb145489b8902cb6c105e774b75  flatpak-1.12.2.tar.xz

Release 1.12.1

08 Oct 17:14

The security fix in the 1.12.0 release failed when used with some
older versions of libseccomp (that don't know about the new syscalls).

More specifically, installing modules that use extra-data would fail, and so
would running applications with the --allow=multiarch feature, such as Steam.
This release fixes those regressions.

$ sha256sum flatpak-1.12.1.tar.xz
23893bca7fee82692c43cb692dbec36ea9d5339508c19d3925eac6f06414c857 flatpak-1.12.1.tar.xz

Release 1.12.0

08 Oct 11:27

This is the first stable release in the 1.12.x series. The major change
in this series is the support for better control of sub-sandboxes, as
used by the Steam Flatpak app to run Windows games under Proton.

In addition, this release fixes a security vulnerability in the portal
support. Some recently added syscalls were not blocked by the seccomp rules,
which allowed the application to create sub-sandboxes that can confuse
the sandboxing verification mechanisms of the portal. This has been
fixed by extending the seccomp rules. (CVE-2021-41133)
For details, see:
GHSA-67h7-w3jq-vh4q

Other changes in this version:

  • Some test fixes
  • Update translations
  • Support for specifying the flatpak binary to use during exports
  • Install translations for all languages in the locale, not just the ones in
    LC_MESSAGES.
  • Fix progress reporting in flatpak fsck
  • Handle cases where /var/tmp is a symlink
  • Expose /etc/gai.conf to the sandbox
  • Fix the parental control checks for root
  • Handle missing /etc/ld.so.cache (musl)

$ sha256sum flatpak-1.12.0.tar.xz
d8a9a1f4cd1790711e836964eab6fb69de83b86c902249fff0c73706c73dd586  flatpak-1.12.0.tar.xz

Release 1.10.5

08 Oct 17:28

The security fix in the 1.10.4 release failed when used with some
older versions of libseccomp (that don't know about the new syscalls).

$ sha256sum flatpak-1.10.5.tar.xz
3ac884b99063cc78e65de94fe015b4146624f3ab8b9f2f84e4017d508af4223b  flatpak-1.10.5.tar.xz

Release 1.10.4

08 Oct 11:07

This release fixes a security vulnerability in the portal
support. Some recently added syscalls were not blocked by the seccomp rules,
which allowed the application to create sub-sandboxes that can confuse
the sandboxing verification mechanisms of the portal. This has been
fixed by extending the seccomp rules.
For details, see:
GHSA-67h7-w3jq-vh4q

Other changes in this version:

  • OCI now uses the pax tar format, which handles large files better than gnutar
  • Fix the parental control checks for root

$ sha256sum flatpak-1.10.4.tar.xz
641f1a62b1b875cc0561ab9bdfd3030071286d6021ae4bac6f80094408f00d1c  flatpak-1.10.4.tar.xz

1.10.3

31 Aug 19:07

This is a maintenance update with various bug fixes backported from 1.11.x.

  • Don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox, fixing a regression introduced when CVE-2021-21261 was fixed in 1.8.5 and 1.10.0
  • Fix various memory and file descriptor leaks, in particular with flatpak-spawn --env=...
  • Fix fd confusion in flatpak-spawn --env=... --forward-fd=..., resolving a regression introduced in 1.8.5 and 1.10.0
  • Fix deploys of local remotes in system-helper, possibly involving newer GLib versions
  • Fix test failures on non-x86_64 systems
  • create-usb: Skip copying extra-data flatpaks
  • Improve test coverage on Debian derivatives by ensuring /sbin is in tests' PATH

$ sha256sum -b flatpak-1.10.3.tar.xz
12723ad250997b5a28bef92ae632b097f50b0819feeb25ef8887fe8ec9b63b46 *flatpak-1.10.3.tar.xz

1.11.3

25 Aug 14:45
Pre-release

This is a release-candidate for Flatpak 1.12.0.

Dependencies:

  • For Linux distributions that compile Flatpak to use a separate bubblewrap (bwrap) executable, updating to version 0.5.0 is recommended, but not required. The minimal version is still 0.4.0.

Bug fixes:

  • Don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox, fixing a regression introduced when CVE-2021-21261 was fixed in 1.8.5 and 1.10.0
  • Update the included copy of bubblewrap (flatpak-bwrap) to 0.5.0
    • Better diagnostics when a --bind or other bind-mount fails
    • Create non-directories with safer permissions
    • Allow mounting a non-directory over an existing non-directory
    • Silence kernel messages for our bind-mounts
    • Improve ability to bind-mount directories on case-insensitive filesystems
  • Don't ask user which remote to download from if there is only one option
  • Improve robustness of autogen.sh

Internal changes:

  • Improve test coverage
  • Spelling fixes

Translation updates: Brazilian Portuguese, Russian, Spanish, Ukrainian

$ sha256sum -b flatpak-1.11.3.tar.xz
1284ead93b42acaec511a1649cd64d0df3da851bab2e65cf004bc90828d16b6c *flatpak-1.11.3.tar.xz