Control: tags -1 + pending

On Mon, 18 Jan 2021 at 17:44:49 +0000, Simon McVittie wrote:
> On Sun, 17 Jan 2021 at 21:20:38 +0200, Joonas Sarajärvi wrote:
> > With flatpak 1.2.5-0+deb10u2, LD_LIBRARY_PATH is not set when invoked
> > over flatpak-builder.
>
> Good catch, this is a regression in the security update.

Please could you try this test version? (Source code and amd64 binaries included; .dsc and .changes signed by my key in the Debian keyring and can be checked with dscverify)

https://people.debian.org/~smcv/bug980323/

Security team: this is a regression in DSA 4830-1 (CVE-2021-21261), now fixed upstream in 1.10.1 and backported to 1.2.x. In addition to the regression that was reported in #980323, I looked at similar code paths and fixed an equivalent regression elsewhere. It's a 2-line change (I'll follow up with the full debdiff, which is rather larger due to patch headers and changelog). Do you want a DSA 4830-2 to fix this?

    smcv