Untriaged
Flatpak affected by arbitrary file deletion on the host filesystem
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app-controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
References
- https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp x_refsource_CONFIRM
Affected products
flatpak
- ==< 1.16.4
Matching in nixpkgs
pkgs.mpc-qt
Media Player Classic Qute Theater
- nixos-25.11 24.12.1-flatpak
- nixos-25.11-small 24.12.1-flatpak
- nixpkgs-25.11-darwin 24.12.1-flatpak
pkgs.flatpak
Linux application sandboxing and distribution framework
pkgs.flatpak-builder
Tool to build flatpaks from source
pkgs.flatpak-xdg-utils
Commandline utilities for use inside Flatpak sandboxes
pkgs.libsForQt5.flatpak-kcm
None
pkgs.kdePackages.flatpak-kcm
Flatpak Permissions Management KCM
pkgs.plasma5Packages.flatpak-kcm
None
Package maintainers
- @getchoo Seth Flynn <getchoo@tuta.io>
- @arthsmn Arthur Cerqueira
- @michaelgrahamevans Michael Evans <michaelgrahamevans@gmail.com>
- @thielema Henning Thielemann <nix@henning-thielemann.de>
- @NickCao Nick Cao <nickcao@nichi.co>
- @K900 Ilya K. <me@0upti.me>
- @ttuegel Thomas Tuegel <ttuegel@mailbox.org>
- @SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
- @ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru>
- @mjm Matt Moriarity <matt@mattmoriarity.com>
- @LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev>
- @nyanloutre Paul Trehiou <paul@nyanlout.re>
- @romildo José Romildo Malaquias <malaquias@gmail.com>