Package: xdg-dbus-proxy
Version: 0.1.0-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <[email protected]>
Control: fixed -1 0.1.7-1
Forwarded: https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677
xdg-dbus-proxy older than 0.1.7 does not detect all legacy eavesdropping match rules. A malicious or compromised Flatpak app could use this to spy on D-Bus message bus traffic that the app was not meant to be able to see.

For testing/unstable, this is fixed in xdg-dbus-proxy 0.1.7.

For trixie or older, we'll need a backport of upstream commit <https://github.com/flatpak/xdg-dbus-proxy/commit/4d0d1d74d4f40260a79161163b4b2f7276bce0b0>, or a backport of the full 0.1.7 upstream release (which seems to be bugfix-only).

smcv
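As an added illustration of what "detecting a legacy eavesdropping match rule" involves (this is not xdg-dbus-proxy's code and not a reconstruction of the upstream fix): a small Python parser that follows the D-Bus match-rule grammar (single-quoted literal segments, backslash escaping outside quotes, an unquoted comma separating key=value pairs) and flags any rule whose eavesdrop key is true. A hypothetical substring check is included only for contrast, to show why a proxy has to parse the rule the way the bus does rather than look for one spelling. The sample rules are constructed; they are spellings the grammar accepts, not the specific cases the advisory covers.

```python
from __future__ import annotations

import re

# Match-rule keys per the D-Bus specification: lowercase letters, digits and
# underscores, no whitespace (e.g. type, sender, interface, arg0, arg0path).
_KEY_RE = re.compile(r"[a-z0-9_]+")


class MatchRuleError(ValueError):
    """Raised for a rule the D-Bus match-rule grammar would reject."""


def _read_value(rule: str, i: int) -> tuple[str, int]:
    """Read one value starting at rule[i], shell-style: single quotes delimit
    literal segments, a backslash outside quotes escapes the next character,
    and an unquoted comma ends the value.  Returns (value, index after it)."""
    buf = []
    quoted = False
    while i < len(rule):
        c = rule[i]
        if quoted:
            if c == "'":
                quoted = False
            else:
                buf.append(c)
        elif c == "'":
            quoted = True
        elif c == "\\":
            i += 1
            if i >= len(rule):
                raise MatchRuleError("trailing backslash in value")
            buf.append(rule[i])
        elif c == ",":
            return "".join(buf), i + 1
        else:
            buf.append(c)
        i += 1
    if quoted:
        raise MatchRuleError("unterminated single quote in value")
    return "".join(buf), i


def parse_match_rule(rule: str) -> dict[str, str]:
    """Parse a D-Bus match rule into {key: unescaped value}."""
    pairs: dict[str, str] = {}
    i = 0
    while i < len(rule):
        eq = rule.find("=", i)
        if eq < 0:
            raise MatchRuleError(f"key without '=' at offset {i}")
        key = rule[i:eq]
        if not _KEY_RE.fullmatch(key):
            raise MatchRuleError(f"invalid key {key!r}")
        if key in pairs:
            raise MatchRuleError(f"duplicate key {key!r}")
        pairs[key], i = _read_value(rule, eq + 1)
    return pairs


def rule_requests_eavesdrop(rule: str) -> bool:
    """True if the parsed rule carries eavesdrop=true, the legacy key that asks
    the bus to deliver messages addressed to other connections."""
    value = parse_match_rule(rule).get("eavesdrop")
    if value is None or value == "false":
        return False
    if value == "true":
        return True
    raise MatchRuleError(f"eavesdrop must be true or false, got {value!r}")


def naive_requests_eavesdrop(rule: str) -> bool:
    """Hypothetical substring check, shown only to contrast with parsing."""
    return "eavesdrop='true'" in rule


# Constructed sample AddMatch arguments.  All are valid under the grammar
# above, and all but the first request eavesdropping.
SAMPLE_RULES = [
    "type='signal',interface='org.example.Foo'",
    "eavesdrop='true'",
    "eavesdrop=true",                 # quotes are optional
    "eavesdrop='tr''ue'",             # value built from two quoted segments
    "eavesdrop=tr\\ue",               # backslash escapes the next character
    "arg0='a,b',eavesdrop='true'",    # comma inside quotes does not split
]


def audit_rules(rules: list[str]) -> list[tuple[str, bool, bool]]:
    """Return (rule, parser verdict, substring verdict) for each rule."""
    return [(r, rule_requests_eavesdrop(r), naive_requests_eavesdrop(r)) for r in rules]


if __name__ == "__main__":
    for rule, parsed, naive in audit_rules(SAMPLE_RULES):
        print(f"{rule:40} parser={parsed!s:5} substring={naive}")
```

Run stand-alone it prints one line per sample rule; the parser flags every rule except the first, while the substring check only catches the two that spell the key exactly as it expects. A proxy that mediates AddMatch on behalf of a sandboxed app needs the parser's answer, and should reject rules the grammar itself rejects (unterminated quote, unknown eavesdrop value) rather than pass them through.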

