CVE-2026-39977

Name: CVE-2026-39977
Description: flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user-defined license files relative to the source directory of the module. The paths from that array are resolved using g_file_resolve_relative_path() and validated to stay inside the source directory using two checks: g_file_get_relative_path(), which does not resolve symlinks, and g_file_query_file_type() with G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, which only applies to the final path component. The copy operation runs on the host. This can be exploited by using a crafted manifest and/or source to read arbitrary files from the host and capture them into the build output. This vulnerability is fixed in 1.4.8.
Source: CVE (cross-references: NVD, CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
Debian Bugs: 1133099
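The two checks named in the description fail for a symlinked directory component: a lexical containment test never sees the symlink, and a no-follow type query only protects the last component. The following Python model is an added illustration, not flatpak-builder's own code (which is C using GLib); weak_is_inside() approximates the pre-1.4.8 logic as the advisory describes it, strict_is_inside() is one possible hardened check (resolve every component, then test containment), and the temporary directory layout it builds is constructed for the demo.

```python
"""Model of the pre-1.4.8 license-files path check and a hardened variant.

Added illustration in Python, not flatpak-builder's own (C/GLib) code.
weak_is_inside() approximates the two checks the advisory names:
a lexical containment test (g_file_get_relative_path() does not resolve
symlinks) and a no-follow type query that only covers the final component.
"""
import os
import shutil
import tempfile


def weak_is_inside(source_dir, rel_path):
    """Symlink-blind check modeled on the vulnerable logic (assumption).

    source_dir must be an absolute, normalized path.
    """
    candidate = os.path.normpath(os.path.join(source_dir, rel_path))
    # Check 1: lexical containment, like g_file_get_relative_path(): no symlink
    # resolution, so a symlinked *directory* component is invisible here.
    if os.path.commonpath([source_dir, candidate]) != source_dir:
        return False
    # Check 2: NOFOLLOW type query; lstat() only refuses to follow the *last*
    # component, intermediate symlinks are still traversed.
    if os.path.islink(candidate):
        return False
    return os.path.isfile(candidate)


def strict_is_inside(source_dir, rel_path):
    """Hardened check: resolve every component, then test containment."""
    root = os.path.realpath(source_dir)
    candidate = os.path.realpath(os.path.join(root, rel_path))
    if os.path.commonpath([root, candidate]) != root:
        return False
    return os.path.isfile(candidate)


def build_demo_tree():
    """Constructed layout: a host file outside the module source directory,
    plus a crafted source tree that reaches it through a symlinked directory."""
    host = tempfile.mkdtemp(prefix="cve-2026-39977-demo-")
    secret = os.path.join(host, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("host-only data\n")
    source = os.path.join(host, "source")
    os.mkdir(source)
    with open(os.path.join(source, "COPYING"), "w") as fh:
        fh.write("MIT\n")
    # Attacker-controlled source: a directory symlink pointing outside the module.
    os.symlink(host, os.path.join(source, "licenses"))
    # A symlink as the final component (the case the NOFOLLOW query does catch).
    os.symlink(secret, os.path.join(source, "direct-link"))
    return host, source


def run_demo():
    """Return {license-files entry: (weak verdict, strict verdict)}."""
    host, source = build_demo_tree()
    try:
        entries = ["COPYING", "licenses/secret.txt", "direct-link", "../secret.txt"]
        return {e: (weak_is_inside(source, e), strict_is_inside(source, e))
                for e in entries}
    finally:
        shutil.rmtree(host)


if __name__ == "__main__":
    for entry, (weak, strict) in run_demo().items():
        print(f"{entry:22} weak={weak!s:5} strict={strict}")
```

Only "licenses/secret.txt" separates the two: the weak check accepts it because the symlink sits in an intermediate component, while "direct-link" (symlink as the last component) and "../secret.txt" (lexical escape) are rejected by both. The strict variant is an illustration of the principle, not the actual 1.4.8 fix (see the linked advisory), and it still leaves a check-then-copy window if the source tree can change underneath it; closing that requires opening each directory component with O_NOFOLLOW relative to the previous descriptor and copying through the descriptor.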

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release                          Version            Status
flatpak-builder (PTS)   bullseye (security), bullseye    1.0.12-1+deb11u1   fixed
                        bookworm                         1.2.3-1            fixed
                        trixie                           1.4.4-2            fixed
                        forky                            1.4.7-1            vulnerable
                        sid                              1.4.8-1            fixed

The information below is based on the following data on fixed versions.

Package           Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
flatpak-builder   source   bullseye     (not affected)
flatpak-builder   source   bookworm     (not affected)
flatpak-builder   source   trixie       (not affected)
flatpak-builder   source   (unstable)   1.4.8-1                             1133099

Notes

[trixie] - flatpak-builder <not-affected> (Vulnerable code not present)
[bookworm] - flatpak-builder <not-affected> (Vulnerable code not present)
[bullseye] - flatpak-builder <not-affected> (Vulnerable code not present)
https://github.com/flatpak/flatpak-builder/security/advisories/GHSA-6gm9-3g7m-3965
