News / App

Flatpak 1.12.3 Released with Important Security Fixes, Support for More PulseAudio Configs

Flatpak 1.12.3

Alexander Larsson released today Flatpak 1.12.3 as the third maintenance update to the latest Flatpak 1.12 stable series of this open-source and popular Linux app sandboxing and distribution framework.

Flatpak 1.12.3 is an important update as it fixes two critical security issues found in Flatpak, such as CVE-2021-4386, a vulnerability that could allow a malicious repository to send invalid application metadata in a way that the app’s permissions are hidden during the installation.

Also fixed is an issue affecting the flatpak-builder component of Flatpak, which can cause the flatpak-builder --mirror-screenshots-url commands to access files outside the build directory.

“The fix for this is done in flatpak by making the --nofilesystem=host and --nofilesystem=home more powerful. They previously only removed access to the particular location, i.e. --nofilesystem=host negated —filesystem=host, but not --filesytem=/some/dir,” reads the release notes. This is a minor change in behavior, as it may change the behavior of an override with these specific options, however it is likely that the new behavior was the expected one.

In addition to these security fixes, the Flatpak 1.12.3 release adds support for more PulseAudio configurations, such as those used in WSL2, improves the handling of extension updates from multiple repos, improves command-line output for non-terminal targets, and fixes the flatpak run --session-bus command.

Furthermore, it updates bash auto completion so it no longer work on command name aliases, fixes “Since” annotations on FlatpakTransaction signals, and adds the ability to verify checksums of summary caches to improve handling of local file corruption.

Among other changes, Flatpak 1.12.3 improves downloading of extra data to properly handle compressed content encodings and fix verification of checksums, and adds minor improvements to the list, repair, and search commands.

Last but not least, the new update fixes the initial installation of Flatpak apps with renamed IDs, fixes a regression in updates from no-enumerate remotes, fixes building with PyParsing 3.0.4 or later, adds more tests, and updates the documentation and various translations.

You can download Flatpak 1.12.3 right now from the project’s GitHub page if you fancy compiling it yourself, otherwise you should wait until it lands in the stable software repositories of your GNU/Linux distributions before updating.

Also today, Flatpak 1.10.6 was released for those still using the Flatpak 1.10 series, which includes fixes for the two important security issues mentioned above, as well as improved diagnostic messages when seccomp rules can’t be applied and improved error handling for the syscalls that are blocked when not using the --devel argument.

Last updated 2 weeks ago