flatpak-1.12.9-4.el8_10
Errata ID: AXSA:2026-753:02
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.
Security Fix(es):
* flatpak: Flatpak: Arbitrary code execution via crafted symlinks in sandbox-expose options (CVE-2026-34078)
* flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation (CVE-2026-34079)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-34078
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.
CVE-2026-34079
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
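The containment check that the CVE-2026-34079 description says was missing can be sketched as follows. This is an added example of the bug class, not Flatpak's code or its patch; `remove_stale_cache`, `demo` and the temporary directory layout are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: delete one stale cache entry whose name comes from an
 * untrusted caller. Returns 0 on success, -1 (errno set) on reject/failure. */
int remove_stale_cache(int cache_dirfd, const char *name)
{
    /* Accept a single path component only: no '/', no "." and no "..". */
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Resolve relative to the already-open cache directory. unlinkat() does
     * not follow a symlink in the final component, so a planted link is
     * removed itself and its target is left alone. */
    return unlinkat(cache_dirfd, name, 0);
}

/* Constructed scenario in a temporary directory; returns 0 if all checks hold. */
int demo(void)
{
    char root[] = "/tmp/cache-demo-XXXXXX";
    if (mkdtemp(root) == NULL) return -1;
    int rootfd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (rootfd < 0 || mkdirat(rootfd, "cache", 0700) != 0) return -1;
    int cfd = openat(rootfd, "cache", O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (cfd < 0) return -1;
    /* "host-file" sits outside the cache; "old" and "link" sit inside it. */
    close(openat(rootfd, "host-file", O_CREAT | O_WRONLY, 0600));
    close(openat(cfd, "old", O_CREAT | O_WRONLY, 0600));
    if (symlinkat("../host-file", cfd, "link") != 0) return -1;
    int ok = remove_stale_cache(cfd, "old") == 0            /* normal entry */
          && remove_stale_cache(cfd, "../host-file") == -1  /* escapes cache dir */
          && remove_stale_cache(cfd, "/abs/path") == -1     /* absolute path */
          && remove_stale_cache(cfd, "link") == 0           /* link itself removed */
          && faccessat(rootfd, "host-file", F_OK, 0) == 0;  /* target untouched */
    unlinkat(rootfd, "host-file", 0);
    unlinkat(rootfd, "cache", AT_REMOVEDIR);
    close(cfd); close(rootfd); rmdir(root);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```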
Update packages.
N/A
SRPMS
- flatpak-1.12.9-4.el8_10.src.rpm
MD5: 1448d1f891fd94cf7b17a12a756ee51a
SHA-256: e52766b9c8d52d26b02b0ef904b6565bfa21aa704a609cb368079138474fa386
Size: 1.61 MB
Asianux Server 8 for x86_64
- flatpak-1.12.9-4.el8_10.i686.rpm
MD5: 305918d819e6f9b4d32a2e3b2d8b5eaf
SHA-256: 270e017c97502813d1134cdc60294fdb37de8c6adb95938324e06fda41e06b45
Size: 1.84 MB
- flatpak-1.12.9-4.el8_10.x86_64.rpm
MD5: 243143b657f2c900d5e03ee67dd5ec5a
SHA-256: f75ae1301863300bed330eb13b6efee70fb7c9afcf34c5d0c316a6ea5abfdc40
Size: 1.79 MB
- flatpak-devel-1.12.9-4.el8_10.i686.rpm
MD5: 3c73323626e69937aa1b0c2a915838fb
SHA-256: f5f83aaea535d8f6a909fb7a448fc5795185f27611bf236a7ee4f607e341f364
Size: 117.72 kB
- flatpak-devel-1.12.9-4.el8_10.x86_64.rpm
MD5: 9c7f0ebc70ff278af598e1072c7afdce
SHA-256: 992aa0cc6b2369bca6a8187aa53ff22c9fa48a657dad8248716c0a0d1a0c3ad1
Size: 117.70 kB
- flatpak-libs-1.12.9-4.el8_10.i686.rpm
MD5: e377a1a462941ace3669a68b657b3138
SHA-256: e53d357151f989ac3921f9a7826db05f40b26deb327528c970bd5081bf470d77
Size: 544.94 kB
- flatpak-libs-1.12.9-4.el8_10.x86_64.rpm
MD5: a1b1c9049e1d9c63b25a56114fa91def
SHA-256: ecae4de48f3881feabfc0265d9f722606f0fcebdc9bc14b04b767e0d74ef2f64
Size: 523.46 kB
- flatpak-selinux-1.12.9-4.el8_10.noarch.rpm
MD5: fa423573b0b8ed51b75412fcde4edd06
SHA-256: 97933684a41dac24f37bd60056cf4bf823d7898a377ae0264a31270462123ec1
Size: 27.50 kB
- flatpak-session-helper-1.12.9-4.el8_10.i686.rpm
MD5: 031d2f2763a5f713643fa3f231155869
SHA-256: 3afb2d21660b1afb20c65ee5bbefbb1da665b6c66a330c9413cd15b7bd5c6df2
Size: 79.97 kB
- flatpak-session-helper-1.12.9-4.el8_10.x86_64.rpm
MD5: decfaa531ff8b9d1976fac8878081beb
SHA-256: f71dd5ef061cb5811f8a42ee64211fc5f13a0b41b9ec92cac9a624a431b4727f
Size: 78.27 kB