Sandbox escape hardening was done in yelp's recent 49.1 release that was discussed more today at
https://blogs.gnome.org/mcatanzaro/2026/05/11/flatpak-sandbox-escape-via-yelp/

A CVE has been requested, but we don't need to wait for it to be assigned to fix this issue.

The issue is fixed with these 2 upstream commits:
https://gitlab.gnome.org/GNOME/yelp/-/commit/d220aa2f754eed4e6a006a4acaa68b31892dea2b
https://gitlab.gnome.org/GNOME/yelp/-/commit/c8c8244c8a812860782d635890c9b6c43ecc2639

This issue has already been fixed in unstable.

Thank you,
Jeremy Bícha

> This issue has already been fixed in unstable.

is there any plan to have a fix for stable-security? We're releasing Tails 7.8, and we'll freeze on Wednesday morning, so ideally we'd like to have a fix for that by that date.

boyska:
> is there any plan to have a fix for stable-security?

I manually tested that, by cherry-picking commits c8c8244c8a812860782d635890c9b6c43ecc2639 d220aa2f754eed4e6a006a4acaa68b31892dea2b, I can get a package which prevents the PoC[1] from working.

I haven't tested 3c1ad5579b7fdcf0ed0a40fe21ecbdc69a9249e8 or a2f3caf8500287981331c4ff54369e9c5747cd9d, which also seem very relevant (and are included in 42.3).

Hope this helps,

[1] https://gist.github.com/parrot409/e970b155358d45b298d7024edd9b17f2

> I manually tested that, by cherry-picking commits c8c8244c8a812860782d635890c9b6c43ecc2639
> d220aa2f754eed4e6a006a4acaa68b31892dea2b, I can get a package which prevents the PoC[1] from working.
> [1] https://gist.github.com/parrot409/e970b155358d45b298d7024edd9b17f2

ooops, that wasn't the right PoC to test. We couldn't reproduce the PoC on Trixie, see
https://gitlab.tails.boum.org/tails/tails/-/work_items/21584#note_284203

Sorry, I don't have the spare capacity to land a stable security fix in the next few days.

Thank you,
Jeremy Bícha