[Pkg-utopia-maintainers] Bug#980323: flatpak: LD_LIBRARY_PATH is not set under flatpak-builder

Simon McVittie smcv at debian.org
Thu Jan 21 17:51:30 GMT 2021


Control: tags -1 + pending

On Mon, 18 Jan 2021 at 17:44:49 +0000, Simon McVittie wrote:
> On Sun, 17 Jan 2021 at 21:20:38 +0200, Joonas Sarajärvi wrote:
> > With flatpak 1.2.5-0+deb10u2, LD_LIBRARY_PATH is not set when invoked
> > over flatpak-builder.
> 
> Good catch, this is a regression in the security update.

Please could you try this test version? (Source code and amd64 binaries
included; .dsc and .changes signed by my key in the Debian keyring and
can be checked with dscverify)

https://people.debian.org/~smcv/bug980323/

Security team: this is a regression in DSA 4830-1 (CVE-2021-21261), now
fixed upstream in 1.10.1 and backported to 1.2.x. In addition to the
regression that was reported in #980323, I looked at similar code paths
and fixed an equivalent regression elsewhere. It's a 2-line change
(I'll follow up with the full debdiff, which is rather larger due to
patch headers and changelog). Do you want a DSA 4830-2 to fix this?

    smcv


