Suggestions search

All statuses

Filter by:

With package: plasma5Packages.flatpak-kcm

Found 2 matching suggestions

View:

Compact

Detailed

Untriaged

Permalink CVE-2026-34079

created 1 week ago

Flatpak affected by arbitrary file deletion on the host filesystem

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.

References

https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp x_refsource_CONFIRM

Affected products

flatpak

==< 1.16.4

Matching in nixpkgs

pkgs.mpc-qt

Media Player Classic Qute Theater

nixos-25.11 24.12.1-flatpak
- nixos-25.11-small 24.12.1-flatpak
- nixpkgs-25.11-darwin 24.12.1-flatpak

pkgs.flatpak

Linux application sandboxing and distribution framework

nixos-unstable 1.16.3
- nixpkgs-unstable 1.16.3
- nixos-unstable-small 1.16.3
nixos-25.11 1.16.2
- nixos-25.11-small 1.16.2
- nixpkgs-25.11-darwin 1.16.2

pkgs.flatpak-builder

Tool to build flatpaks from source

nixos-unstable 1.4.4
- nixpkgs-unstable 1.4.4
- nixos-unstable-small 1.4.4
nixos-25.11 1.4.4
- nixos-25.11-small 1.4.4
- nixpkgs-25.11-darwin 1.4.4

pkgs.flatpak-xdg-utils

Commandline utilities for use inside Flatpak sandboxes

nixos-unstable 1.0.6
- nixpkgs-unstable 1.0.6
- nixos-unstable-small 1.0.6
nixos-25.11 1.0.6
- nixos-25.11-small 1.0.6
- nixpkgs-25.11-darwin 1.0.6

pkgs.libsForQt5.flatpak-kcm

None

pkgs.kdePackages.flatpak-kcm

Flatpak Permissions Management KCM

nixos-unstable 6.6.3
- nixpkgs-unstable 6.6.3
- nixos-unstable-small 6.6.3
nixos-25.11 6.5.6
- nixos-25.11-small 6.5.6
- nixpkgs-25.11-darwin 6.5.6

pkgs.plasma5Packages.flatpak-kcm

None

pkgs.haskellPackages.cabal-flatpak

Generate a FlatPak manifest from a Cabal package description

nixos-unstable 0.1.2
- nixpkgs-unstable 0.1.2
- nixos-unstable-small 0.1.2
nixos-25.11 0.1.2
- nixos-25.11-small 0.1.2
- nixpkgs-25.11-darwin 0.1.2

Package maintainers

@getchoo Seth Flynn <getchoo@tuta.io>
@arthsmn Arthur Cerqueira
@michaelgrahamevans Michael Evans <michaelgrahamevans@gmail.com>
@thielema Henning Thielemann <nix@henning-thielemann.de>
@NickCao Nick Cao <nickcao@nichi.co>
@K900 Ilya K. <me@0upti.me>
@ttuegel Thomas Tuegel <ttuegel@mailbox.org>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru>
@mjm Matt Moriarity <matt@mattmoriarity.com>
@LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev>
@nyanloutre Paul Trehiou <paul@nyanlout.re>
@romildo José Romildo Malaquias <malaquias@gmail.com>

Untriaged

Permalink CVE-2026-34078

created 1 week ago

Flatpak has a complete sandbox escape leading to host file access and code execution in the host context

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.