Your message dated Wed, 08 Apr 2026 10:49:51 +0000
with message-id <[email protected]>
and subject line Bug#1132958: fixed in xdg-desktop-portal 1.20.4+ds-1
has caused the Debian Bug report #1132958,
regarding xdg-desktop-portal: GHSA-rqr9-jwwf-wxgj: Race condition in trash portal vs. symlinks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132958: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132958
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xdg-desktop-portal
Version: 1.20.3+ds-3
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <[email protected]>
Forwarded: https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj

xdg-desktop-portal's Trash portal allows sandboxed apps to ask for a 
file or directory to be moved to the trash. Similar to CVE-2026-34078 in 
Flatpak, a malicious or compromised Flatpak app could ask the portal to 
trash a file that it owns, then replace that file with a symlink in an 
attempt to cause the portal to trash the target of the symlink on the 
host system. I'm not sure what the severity of this would be considered 
to be, so I've reported it as RC for now, but please downgrade if RC is 
considered excessive.

Currently no CVE ID has been allocated for this. I don't know whether 
upstream plans to request one.

For testing/unstable, I'm preparing an upload of 1.20.4 now.

For trixie, I think the easiest way to fix the vulnerability will be to 
backport 1.20.4 from testing/unstable, reverting any of the packaging 
changes in 1.20.3+ds-2 and 1.20.3+ds-3 that are felt to be inappropriate 
for a stable update. There are no changes between 1.20.3 and 1.20.4 
other than those required to fix the vulnerability, but it adds a 
"copylib" subproject (libglnx, the same one used in Flatpak) to 
implement safe symlink traversal, so the diff is large.

For bookworm, it'll have to be a backport of individual changes. I 
suggest prioritizing trixie > bookworm and flatpak > xdg-desktop-portal.

experimental will remain vulnerable until 1.21.1 is released, or until I 
get a chance to convert the changes into patches, whichever is first. 
I'm hoping that 1.21.1 will be released today.

    smcv

--- End Message ---
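The report above describes a time-of-check/time-of-use race: a path that was a regular file when the request was validated is swapped for a symlink before the portal acts on it, and the fix it mentions is safe symlink traversal. As an added illustration of that approach (this is not xdg-desktop-portal's or libglnx's code), the following assumes Linux and a model in which the portal holds a trusted directory fd and receives a relative path; it opens every component with O_NOFOLLOW and hands back an fd so that later operations use the fd rather than re-resolving the name:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `relpath` relative to the trusted directory fd `rootfd` one component at
 * a time, never following a symlink. Returns an O_PATH fd for the final
 * component, or -1 with errno ELOOP (a component is a symlink) or EINVAL
 * (absolute path, "" or ".."). Act on the fd, not on the path by name. */
int open_nofollow_at(int rootfd, const char *relpath)
{
    if (relpath[0] == '/' || relpath[0] == '\0') { errno = EINVAL; return -1; }
    char *copy = strdup(relpath);
    if (copy == NULL) return -1;
    int cur = dup(rootfd), next;              /* our own handle on the root */
    char *save = NULL;
    for (char *c = strtok_r(copy, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        if (strcmp(c, ".") == 0) continue;
        if (strcmp(c, "..") == 0) { errno = EINVAL; goto fail; }
        if ((next = openat(cur, c, O_PATH | O_NOFOLLOW | O_CLOEXEC)) < 0) goto fail;
        close(cur);
        cur = next;
        struct stat st;  /* with O_PATH|O_NOFOLLOW a symlink opens as itself */
        if (fstat(cur, &st) < 0) goto fail;
        if (S_ISLNK(st.st_mode)) { errno = ELOOP; goto fail; }
    }
    free(copy);
    return cur;
fail:;
    int saved = errno; close(cur); free(copy);
    errno = saved; return -1;
}

/* Constructed fixture (not real data): a file, a subdir, and symlinks standing in for swapped paths. */
int make_fixture(void)
{
    char tmpl[] = "/tmp/trashdemoXXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    int root = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int fd = openat(root, "victim.txt", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) close(fd);
    mkdirat(root, "sub", 0700);
    symlinkat("victim.txt", root, "swapped.txt");  /* file swapped for a link */
    symlinkat("sub", root, "sublink");             /* dir component that is a link */
    return root;
}
```

The returned fd can then be passed to fstat, renameat or a /proc/self/fd-based move without a second lookup by name, so a concurrent swap of the path by the requesting app no longer changes what gets trashed.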
--- Begin Message ---
Source: xdg-desktop-portal
Source-Version: 1.20.4+ds-1
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of
xdg-desktop-portal, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated xdg-desktop-portal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Wed, 08 Apr 2026 11:30:32 +0100
Source: xdg-desktop-portal
Architecture: source
Version: 1.20.4+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1132958
Changes:
 xdg-desktop-portal (1.20.4+ds-1) unstable; urgency=medium
 .
   * New upstream release
     - This version fixes a vulnerability in which a malicious or compromised
       Flatpak app could send any file or directory to the trash, including
       those outside its sandbox.
       (GHSA-rqr9-jwwf-wxgj) (Closes: #1132958)



--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers