@alexmurray, hey, I believe that commit was reverted later as it caused a behavioural regression? The Github advisory (https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx) was changed to point to a different commit (https://github.com/flatpak/flatpak/commit/5709f1aaed6579f0136976e14e7f3cae399134ca).
When creating that debdiff, if i recall correctly I went though the commits in this branch https://github.com/flatpak/flatpak/commits/flatpak-1.10.x combined with referring to the github advisories and then skipped the "Make --nofilesystem=host/home remove access to subdirs of those" (307ee18dd62f65c1319594501d01bbdb10f88ab8) as it was reverted later with "Revert "Make --nofilesystem=host/home remove access to subdirs of those"" (ed91bba615d4e50ccd7de53ca9861e367175bbfb). Please correct me if you think i've missed something :-) In the github advisory (https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx) there are two commits for flatpak-builder so this could also be done. Also note I tried looking at focal/bionic but there are a large amount of merge conflicts due to substantial change in the codebase and I'm not familiar enough with GObject/GLib etc to rewrite that code. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1957716 Title: Update for CVE-2021-43860 and CVE-2022-21682 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1957716/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs