feat: update flatpak to 1.14.10-1~deb12u1

debian/changelog

@@ -1,3 +1,19 @@
+flatpak (1.14.10-1~deb12u1) bookworm-security; urgency=high
+
+  * Backport upstream stable release into Debian 12 (CVE-2024-42472)
+  * d/control: Relax required bubblewrap version to 0.8.0-2+deb12u1.
+    This version has a backport of the required --bind-fd option.
+  * Other changes relative to 1.14.10-1 in unstable:
+    - Revert polkitd dependencies to polkitd | policykit-1 as previously
+      used in bookworm
+    - Revert pkgconf dependencies to pkg-config as previously used in
+      bookworm
+    - Revert location of systemd unit to /lib/systemd/system as previously
+      used in bookworm, dropping versioned dependency on debhelper 13.11.6~
+    - Revert changes related to Debian 13 GIR XML packaging policy
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 14 Aug 2024 15:49:20 +0100
+
 flatpak (1.14.10-1) unstable; urgency=high
 
   * New upstream stable release
@@ -12,6 +28,89 @@ flatpak (1.14.10-1) unstable; urgency=high
 
  -- Simon McVittie <smcv@debian.org>  Wed, 14 Aug 2024 15:03:33 +0100
 
+flatpak (1.14.8-1~deb12u1) bookworm; urgency=medium
+
+  * Backport upstream stable release for Debian 12
+  * Changes relative to 1.14.4-1+deb12u1 in bookworm-security:
+    - New upstream stable release 1.14.6
+      + Don't parse `<developer><name/></developer>` as though it was
+        the application name
+      + Install a tmpfiles.d snippet to clean up /var/tmp/flatpak-cache-*
+        during boot
+      + Stop http transfers if a download in progress becomes very slow
+      + Silence warnings when using GLib 2.77.0 or later
+      + Bypass page cache for backend requests in revokefs, fixing
+        installation errors with libostree 2023.4 or later
+      + Show AppStream metadata in `flatpak remote-info` as intended,
+        fixing a regression in 1.9.1
+      + Don't let Flatpak apps inherit $VK_DRIVER_FILES or $VK_ICD_FILENAMES
+        from the host system, which would be wrong in the sandbox
+      + Fix forward-compatibility with libappstream 0.17.x and 1.0
+      + Fix a memory leak
+      + Fix some compiler warnings
+      + Make the test failure produce a clearer message if a required tool
+        is missing
+      + Don't force `GIO_USE_VFS=local` for programs launched via
+        flatpak-spawn
+      + Documentation improvements
+    - New upstream stable release 1.14.7
+      + Automatically reload D-Bus session bus configuration when apps are
+        installed or upgraded, ensuring that any new .service files get
+        picked up
+      + Allow apps to be run if the D-Bus system bus is missing or
+        non-functional
+      + Add several more environment variables to the list not inherited
+        into the sandbox:
+        * $LD_AUDIT, $LD_PRELOAD for ld.so
+        * $__EGL_VENDOR_LIBRARY_DIRS, etc. for EGL
+        * $VK_ADD_DRIVER_FILES, etc. for Vulkan
+        * $container, when running Flatpak inside a container manager
+      + Use xdg-desktop-portal-gnome, if installed, to detect whether apps
+        are running in the background
+      + If an app's data is migrated to a new name and then deleted, don't
+        try to migrate it again, avoiding a recursive symlink loop
+      + Don't leak temporary variable $new_dirs from /etc/profile.d/flatpak.sh
+        into user shell sessions
+      + Avoid an out-of-bounds left-shift (which is technically undefined
+        behaviour) when hashing object names
+      + Fix critical warnings "GFileInfo created without
+        standard::is-symlink" when using /var/lib/flatpak/extension with
+        testing/unstable glib2.0
+      + Fix validation of documentation against Docbook DTD
+      + Fix a misleading comment in the test for CVE-2024-32462
+      + Fix a double-free in the test suite
+      + Skip more tests if bubblewrap works but FUSE doesn't
+    - New upstream stable release 1.14.8
+      + Respin of 1.14.7 reverting unintended submodule changes
+    - d/control: Move dbus-system-bus from Depends to Recommends.
+      `flatpak run` no longer has a working system bus as a hard requirement
+      (verified in `podman run --privileged --rm -it debian:sid-slim`)
+    - Drop CVE-2024-32462 patches, included in the upstream stable release
+    - debian/test.sh: Disable http proxy if used, to ensure we can reach
+      a HTTP server on localhost during automated tests
+  * Changes relative to 1.14.8-1 in unstable:
+    - Revert polkitd dependencies to polkitd | policykit-1 as previously
+      used in bookworm
+    - Revert pkgconf dependencies to pkg-config as previously used in
+      bookworm
+    - Revert location of systemd unit to /lib/systemd/system as previously
+      used in bookworm, dropping versioned dependency on debhelper 13.11.6~
+    - Revert changes related to Debian 13 GIR XML packaging policy
+
+ -- Simon McVittie <smcv@debian.org>  Tue, 30 Apr 2024 16:50:10 +0100
+
+flatpak (1.14.4-1+deb12u1) bookworm-security; urgency=high
+
+  * d/p/When-starting-non-static-command-using-bwrap-use.patch,
+    d/p/test-run-Add-a-reproducer-for-CVE-2024-32462.patch:
+    Don't allow an executable name to be misinterpreted as a command-line
+    option for bwrap(1). This prevents a sandbox escape where a malicious
+    or compromised app could ask xdg-desktop-portal to generate a .desktop
+    file with access to files outside the sandbox. (CVE-2024-32462)
+  * d/gbp.conf: Use debian/bookworm packaging branch
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 17 Apr 2024 19:39:48 +0100
+
 flatpak (1.14.8-1) unstable; urgency=medium
 
   * New upstream stable release 1.14.7

debian/control

@@ -9,18 +9,16 @@ Build-Depends:
  attr <!nocheck>,
  automake (>= 1.14.1),
  bison,
- bubblewrap (>= 0.10.0~),
+ bubblewrap (>= 0.8.0-2+deb12u1~),
+ bubblewrap (<< 0.8.1~) | bubblewrap (>= 0.10.0~),
  ca-certificates <!nocheck>,
  dbus-daemon,
- debhelper (>= 13.11.6~),
  debhelper-compat (= 13),
  desktop-file-utils <!nocheck>,
  dh-exec (>= 0.23~),
  docbook-xml <!nodoc>,
  docbook-xsl <!nodoc>,
  fuse3 <!nocheck>,
- gir1.2-gio-2.0-dev,
- gir1.2-gobject-2.0-dev,
  gnupg <!nocheck>,
  gobject-introspection (>= 1.54.1-2~),
  gtk-doc-tools,
@@ -51,8 +49,7 @@ Build-Depends:
  libxml2-utils,
  libzstd-dev,
  ostree (>= 2020.8) <!nocheck>,
- pkgconf,
- polkitd <!nocheck>,
+ polkitd <!nocheck> | policykit-1 <!nocheck>,
  procps,
  python3:any,
  python3-pyparsing,
@@ -74,7 +71,8 @@ Package: flatpak
 Architecture: linux-any
 Depends:
  adduser,
- bubblewrap (>= 0.10.0~),
+ bubblewrap (>= 0.8.0-2+deb12u1~),
+ bubblewrap (<< 0.8.1~) | bubblewrap (>= 0.10.0~),
  fuse3,
  xdg-dbus-proxy (>= 0.1.0),
  ${misc:Depends},
@@ -87,7 +85,7 @@ Recommends:
  gtk-update-icon-cache,
  libpam-systemd,
  p11-kit,
- polkitd,
+ polkitd | policykit-1,
  shared-mime-info,
  xdg-desktop-portal (>= 1.6),
  xdg-desktop-portal-gtk (>= 1.6) | xdg-desktop-portal-backend,
@@ -130,7 +128,7 @@ Depends:
  gtk-update-icon-cache,
  hicolor-icon-theme,
  ostree (>= 2020.8),
- polkitd,
+ polkitd | policykit-1,
  shared-mime-info,
  socat,
  ${misc:Depends},
@@ -168,9 +166,8 @@ Depends:
  libglib2.0-dev,
  libostree-dev (>= 2020.8),
  libxml2-dev (>= 2.4),
- pkgconf,
+ pkg-config,
  python3:any,
- ${gir:Depends},
  ${misc:Depends},
 Recommends:
  flatpak,
@@ -179,8 +176,6 @@ Suggests:
  ostree,
  python3-gi,
  systemd-coredump,
-Provides:
- ${gir:Provides},
 Description: Application deployment framework for desktop apps (development)
  Flatpak installs, manages and runs sandboxed desktop application bundles.
  See the flatpak package for a more comprehensive description.
@@ -208,7 +203,8 @@ Package: libflatpak0
 Architecture: linux-any
 Section: libs
 Depends:
- bubblewrap (>= 0.10.0~),
+ bubblewrap (>= 0.8.0-2+deb12u1~),
+ bubblewrap (<< 0.8.1~) | bubblewrap (>= 0.10.0~),
  ${misc:Depends},
  ${shlibs:Depends},
 Pre-Depends:

debian/flatpak.install

@@ -1,9 +1,9 @@
 debian/org.freedesktop.Flatpak.pkla     var/lib/polkit-1/localauthority/10-vendor.d/
 etc/X11/Xsession.d
 etc/profile.d/
+lib/systemd/system/flatpak-system-helper.service
 usr/bin/flatpak
 usr/lib/systemd/system-environment-generators
-usr/lib/systemd/system/flatpak-system-helper.service
 usr/lib/systemd/user-environment-generators
 usr/lib/systemd/user/flatpak-oci-authenticator.service
 usr/lib/systemd/user/flatpak-portal.service

debian/gbp.conf

@@ -1,7 +1,7 @@
 [DEFAULT]
 pristine-tar = True
 compression = xz
-debian-branch = debian/unstable
+debian-branch = debian/bookworm
 upstream-branch = upstream/1.14.x
 patch-numbers = False
 upstream-vcs-tag = %(version)s

debian/rules

@@ -47,7 +47,7 @@ override_dh_auto_configure:
 		--with-run-media-dir=/media \
 		--with-system-bubblewrap=bwrap \
 		--with-system-dbus-proxy=xdg-dbus-proxy \
-		--with-systemdsystemunitdir=/usr/lib/systemd/system \
+		--with-systemdsystemunitdir=/lib/systemd/system \
 		--with-system-helper-user=_flatpak \
 		$(configure_options)