Tags: flatpak/flatpak
Tags
flatpak 1.15.8 Security fixes: * Don't allow an executable name to be misinterpreted as a command-line option for bwrap(1). This prevents a sandbox escape where a malicious or compromised app could ask xdg-desktop-portal to generate a .desktop file with access to files outside the sandbox. (CVE-2024-32462) Other bug fixes: * Pass the -export-dynamic linker option as -Wl,-export-dynamic, fixing build failures with clang 18 and lld 18 (#5760) * Fix a double-free when installation is cancelled (#5763) * Fix installed-tests failure with "FUSERMOUNT: unbound variable" (#5751) * Translation updates: pt_BR (#5762), tr (#5761) Git-EVTag-v0-SHA512: 6bb3122c4a22c23543d587bf1373bb73a64533affc5208847026ae28dc81f5fd16587a05e8c5f77ebafb522027e2e08173e4f31921183401b9259011e41384fa
flatpak 1.14.6 Security fixes: * Don't allow an executable name to be misinterpreted as a command-line option for bwrap(1). This prevents a sandbox escape where a malicious or compromised app could ask xdg-desktop-portal to generate a .desktop file with access to files outside the sandbox. (CVE-2024-32462) Other bug fixes: * Don't parse `<developer><name/></developer>` as the application name (#5700) Git-EVTag-v0-SHA512: 1c64befa19c599f921421f6b07cda67c612635ff7213a4ddd9bb3e155abc82f05ce351f56c7ecb895781ce5351e136b3e8e6e7837077d7027f43269fed5e9a38
flatpak 1.12.9 Security fixes: * Don't allow an executable name to be misinterpreted as a command-line option for bwrap(1). This prevents a sandbox escape where a malicious or compromised app could ask xdg-desktop-portal to generate a .desktop file with access to files outside the sandbox. (CVE-2024-32462) Git-EVTag-v0-SHA512: 0b0f2a0e4e95cbc38df39312b5928b4aaf5275111673265a024f742d65583c87fa8cdc5176194c6b17435ec47dfe64bb7a338d774a307eb3a8d620dbd1fffc3a
flatpak 1.10.9 Security fixes: * Don't allow an executable name to be misinterpreted as a command-line option for bwrap(1). This prevents a sandbox escape where a malicious or compromised app could ask xdg-desktop-portal to generate a .desktop file with access to files outside the sandbox. (CVE-2024-32462) Git-EVTag-v0-SHA512: a14f1fc0bbd96b9f8bb7dd4f6c1c7fc33e18db4865d185f9b16a46a76a28830ce54002d67afd95a3ce69e1f35d45a45109b8f58d871b267cf5c4802509b9847f
flatpak 1.15.7 Dependencies: * The Meson build system is now required. Compiling with Autotools is no longer possible. * In distributions that compile Flatpak to use a separate bubblewrap (bwrap) executable, version 0.9.0 is recommended. Several of the bug fixes listed below will not be active if an older version is used. * In distributions that compile Flatpak to use a separate xdg-dbus-proxy executable, version 0.1.5 is recommended. * If libmalcontent (parental controls) is enabled, it must be version 0.5.0 or later. New features: * Automatically remove obsolete driver versions and other autopruned refs (#5632) * `--socket=inherit-wayland-socket` (#5614) * Automatically reload D-Bus session bus configuration after installing or upgrading apps, to pick up any exported D-Bus services (#3342) Bug fixes: * Update included copy of bubblewrap to version 0.9.0: * `--symlink` is now idempotent, meaning it succeeds if the symlink already exists and already has the desired target (#2387, #3477, #5255) * Report a better error message if `mount(2)` fails with `ENOSPC` * Fix a double-close on error reading from `--args`, `--seccomp` or `--add-seccomp-fd` argument * Improve memory allocation behaviour * Silence various compiler warnings * Update included copy of bubblewrap to version 0.1.5: * Fix handling of long object paths * Don't parse `<developer><name/></developer>` as the application name (#5700) * Don't refuse to start apps when there is no D-Bus system bus available (#5076) * Don't try to repeat migration of apps whose data was migrated to a new name and then deleted (#5668) * Improve handling of mixed locales on systems with systemd-localed (#5497) * Improve display of ellipsized columns in wide terminals (#5722) * Make `flatpak info -e` look for extensions in all installations (#5670) * Fix warnings from newer GLib versions (#5660, #5737) * Always set the `container` environment variable (#5610) * Always let the app inherit redirected file descriptors (#5626) * In `flatpak ps`, add xdg-desktop-portal-gnome to the list of backends we'll use to learn which apps are running in the background (#5729) * Don't use `WAYLAND_SOCKET` unless given `--socket=inherit-wayland-socket` (#5614) * Use `fusermount3` if compiled with FUSE 3, overridable with `-Dsystem_fusermount` compile-time option (#5104) * Avoid leaking a temporary variable from /etc/profile.d/flatpak.sh into the shell environment (#5574) * Improve async-signal safety (#5687) * Fix various memory leaks (#5683, #5690, #5691) * Avoid undefined behaviour of signed left-shift when storing object IDs in a hash table (#5738) * Detect the correct gtk-doc when cross-compiling (#5650) * Detect the correct wayland-scanner when cross-compiling (#5596) * Documentation improvements (#5659, #5677, #5682, #5664, #5719) * Skip more tests when FUSE isn't available (#5611) * Translation updates (#5602, #5707) Git-EVTag-v0-SHA512: db8fc26de3ac72e7ec53a0a63401542c268e3d25c6ff2540ef062a073ae8ba3c9e894ae29575e757db5a7253deee36dcb1241776585eb7f3b6c889c308cd8792
flatpak 1.14.5 Features: * Stop http transfers if a download in progress becomes very slow (#5519) * Add anchors to link to sections of flatpak-metadata documentation (#5582) Bug fixes: * Avoid warnings processing symbolic links with GLib >= 2.77.0, and with GLib 2.76.0 (GLib 2.76.1 or later silences these warnings) * Bypass page cache for backend requests in revokefs, fixing installation errors with libostree 2023.4 (#5452) * Show AppStream metadata in `flatpak remote-info` as intended (#5523; regression in 1.9.1) * Don't let Flatpak apps inherit VK_DRIVER_FILES or VK_ICD_FILENAMES from the host system, which would be wrong for the sandbox (#5553) * Fix build failure with prereleases of libappstream 0.17.x (#5472) * Forward-compatibility with libappstream 1.0 (#5563) * Fix a memory leak (#5329) * Fix compiler warnings (#5362, #5366) * Make the tests fail more comprehensibly if a required tool is missing (#5020) * Clean up `/var/tmp/flatpak-cache-*` directories on boot (#1119) * Don't force `GIO_USE_VFS=local` for programs launched via flatpak-spawn (#5567) * Clarify documentation for D-Bus name ownership (#5582) Internal changes: * CI improvements (#5381) Git-EVTag-v0-SHA512: dc5b44cc5b6c1282ca2250d2bfffa39dfc09a82b55ae14185f6256f8cb70a5201e3a41d027292a038d206c91ba52b002022067df69f6500e996db47da31b7b47
flatpak 1.15.6 Dependencies: * In distributions that compile Flatpak to use a separate bubblewrap (bwrap) executable, version 0.8.0 is now required. * Enabling the optional Wayland security context feature requires libwayland-client, wayland-scanner >= 1.15 and wayland-protocols >= 1.32. * Ubuntu 18.04 is no longer routinely tested. Support for dependency versions included in Ubuntu 18.04 should be considered "at risk". Features: * Add --device=input, for access to evdev devices in /dev/input (#5481) * Update bundled copy of bubblewrap to version 0.8.0, and rely on its features: * Improve error message if seccomp is disabled in kernel config * Security hardening: set user namespace limit to 0, to prevent creation of nested user namespaces in a more robust way (#5084) * For subsandboxes started by flatpak-portal, inherit environment variables from the `flatpak run` that started the original instance rather than from flatpak-portal, fixing behaviour of FLATPAK_GL_DRIVERS and similar features (#5278) * Stop http transfers if a download in progress becomes very slow (#5519) * Make it easier to configure extra languages, by picking them up from AccountsService if configured there (#5006) * Add new flatpak_transaction_add_rebase_and_uninstall() API, allowing end-of-life apps to be replaced by their intended replacement more reliably (#3991) * Create a private Wayland socket with the "security context" extension if available, allowing the compositor to identify connections from sandboxed apps as belonging to the sandbox (#4920, #5507, #5558) * Update libglnx to 2023-08-29 * Use features of newer GLib versions if available * Turn off system-level crash reporting infrastructure during some unit tests that involve intentional assertion failures * Add anchors to link to sections of flatpak-metadata documentation (#5582) * New translations: ka, nl. Bug fixes: * Avoid warnings processing symbolic links with GLib >= 2.77.0, and with GLib 2.76.0 (GLib 2.76.1 or later silences these warnings) * Bypass page cache for backend requests in revokefs, fixing installation errors with libostree 2023.4 (#5452) * Show AppStream metadata in `flatpak remote-info` as intended (#5523; regression in 1.9.1) * Don't let Flatpak apps inherit VK_DRIVER_FILES or VK_ICD_FILENAMES from the host system, which would be wrong for the sandbox (#5553) * Fix build failure with prereleases of libappstream 0.17.x (#5472) * Forward-compatibility with libappstream 1.0 (#5563) * Fix installation with Meson if configured with -Dauto_sideloading=true (#5495) * Fix a memory leak (#5329) * Fix compiler warnings (#5362, #5366) * Make the tests fail more comprehensibly if a required tool is missing (#5020) * Clean up `/var/tmp/flatpak-cache-*` directories on boot (#1119) * Don't force `GIO_USE_VFS=local` for programs launched via flatpak-spawn (#5567) * Clarify documentation for D-Bus name ownership (#5582) * Translation updates: id, tr, zh_CN (#5332, #5565) Internal changes: * Split up large source files into smaller modules, reducing internal circular dependencies (#5410, #5411, #5415, #5419, #5416, #5414) * Re-synchronize code backported from GLib with the version in GLib (#5410) * Make the flags used to apply "extra data" clearer (#5466) * Use glnx_opendirat() where possible (#5527) * CI improvements (#5374, #5381) Git-EVTag-v0-SHA512: 89a8b1248147640dc1729a4ee42a2bec5e887d97ece9eb7dcf1a11ae03c40a7eabb3d25eb9a8ab7be4548c68f4b9a5d6a6c3902d3912c8748aea1879de8b80b6
flatpak 1.15.4 Security fixes: * Escape special characters when displaying permissions and metadata, preventing malicious apps from manipulating the appearance of the permissions list using crafted metadata (CVE-2023-28101). * If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.), don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note that this is specific to virtual consoles: Flatpak is not vulnerable to this if run from a graphical terminal emulator such as xterm, gnome-terminal or Konsole. Other bug fixes: * Document the path used for `flatpak override` * Translation updates: oc, pl, ru, sv, tr Git-EVTag-v0-SHA512: da193fee33f3108222ff5e3b48fdd6c41ff5215fd0e556864f597f3a81d521fa794ec1c6918b67c0efe47b9be0a03181d2a1f2ab9910fdb8479d3f5da65372d5
PreviousNext