Package: xdg-desktop-portal
Version: 1.20.3+ds-3
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <[email protected]>
Forwarded: https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj

xdg-desktop-portal's Trash portal allows sandboxed apps to ask for a
file or directory to be moved to the trash. Similar to CVE-2026-34078 in
Flatpak, a malicious or compromised Flatpak app could ask the portal to
trash a file that it owns, then replace that file with a symlink in an
attempt to cause the portal to trash the target of the symlink on the
host system. I'm not sure what the severity of this would be considered
to be, so I've reported it as RC for now, but please downgrade if RC is
considered excessive.

Currently no CVE ID has been allocated for this. I don't know whether
upstream plans to request one.

For testing/unstable, I'm preparing an upload of 1.20.4 now.

For trixie, I think the easiest way to fix the vulnerability will be to
backport 1.20.4 from testing/unstable, reverting any of the packaging
changes in 1.20.3+ds-2 and 1.20.3+ds-3 that are felt to be inappropriate
for a stable update. There are no changes between 1.20.3 and 1.20.4
other than those required to fix the vulnerability, but it adds a
"copylib" subproject (libglnx, the same one used in Flatpak) to
implement safe symlink traversal, so the diff is large.

For bookworm, it'll have to be a backport of individual changes. I
suggest prioritizing trixie > bookworm and flatpak > xdg-desktop-portal.

experimental will remain vulnerable until 1.21.1 is released, or until I
get a chance to convert the changes into patches, whichever is first.
I'm hoping that 1.21.1 will be released today.

smcv
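The symlink swap described in the report, as an added illustration that is not part of the bug report and not xdg-desktop-portal's, Flatpak's or libglnx's own code. It assumes, purely for demonstration, that the portal holds a file descriptor opened on the requested file at request time and later operates on a path: the app's file is replaced with a symlink between those two moments, a stat() based lookup then names the symlink's target, and a guard that compares the fd's inode with an lstat() of the path (hypothetical helper `path_still_matches_fd`) rejects the swapped request. `run_scenario`, `resolve_following_symlinks`, `write_file` and the scratch-directory fixtures are all constructed for this example; the actual upstream fix uses libglnx's safe traversal helpers, which this does not reproduce.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical guard, not the portal's own code: returns 1 if PATH, looked
 * at with lstat() so a final symlink is not followed, is still the inode FD
 * was opened on; 0 if it is now a symlink or a different inode; -1 on error. */
int path_still_matches_fd(int fd, const char *path)
{
    struct stat fd_st, path_st;

    if (fstat(fd, &fd_st) < 0 || lstat(path, &path_st) < 0)
        return -1;
    if (S_ISLNK(path_st.st_mode))
        return 0;
    return fd_st.st_dev == path_st.st_dev && fd_st.st_ino == path_st.st_ino;
}

/* The lookup pattern the report warns about: stat() follows symlinks, so it
 * answers with whatever inode PATH points at right now. Returns 0 on error. */
static ino_t resolve_following_symlinks(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_ino : 0;
}

static int write_file(const char *path, const char *contents)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs(contents, f);
    return fclose(f);
}

/* Runs the race end to end in a scratch directory under /tmp. Returns 1 when
 * both halves of the demonstration hold: after the swap the symlink-following
 * lookup lands on the victim's inode, while the fd/path comparison rejects the
 * request. Returns 0 if either half fails, -1 on a setup error. */
int run_scenario(void)
{
    char dir[] = "/tmp/trash-race-XXXXXX";
    char app_owned[64], victim[64];
    struct stat victim_st;
    int fd = -1, result = -1;
    int before_ok = 0, naive_hits_victim = 0, guard_rejects = 0;

    if (!mkdtemp(dir))
        return -1;
    snprintf(app_owned, sizeof app_owned, "%s/app-owned.txt", dir);
    snprintf(victim, sizeof victim, "%s/host-victim.txt", dir);

    /* Constructed fixtures: one file the "app" owns, one standing in for a
     * host file the app must not be able to reach. */
    if (write_file(app_owned, "mine\n") < 0 || write_file(victim, "precious\n") < 0)
        goto out;
    if (stat(victim, &victim_st) < 0)
        goto out;

    /* Step 1: the request arrives; an fd is opened on the app's own file. */
    fd = open(app_owned, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
    if (fd < 0)
        goto out;
    before_ok = path_still_matches_fd(fd, app_owned) == 1;

    /* Step 2: before the trash operation runs, the app replaces its file
     * with a symlink pointing at the victim. */
    if (unlink(app_owned) < 0 || symlink(victim, app_owned) < 0)
        goto out;

    /* Step 3: a symlink-following lookup now names the victim ... */
    naive_hits_victim = resolve_following_symlinks(app_owned) == victim_st.st_ino;
    /* ... whereas comparing against the fd from step 1 notices the swap. */
    guard_rejects = path_still_matches_fd(fd, app_owned) == 0;

    result = (before_ok && naive_hits_victim && guard_rejects) ? 1 : 0;

out:
    if (fd >= 0)
        close(fd);
    unlink(app_owned);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_scenario();
    printf("naive lookup misdirected and swap detected: %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The point of the guard is that the fd pins the inode the app actually presented, so any later path-based step can be re-checked against it; a check that only looks at the path (with or without following the link) cannot tell the original file from a replacement. Note that lstat() alone still leaves a window between the check and the operation, which is why a real fix works on open directory fds and O_NOFOLLOW opens rather than on paths, as the libglnx helpers mentioned in the report do.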