Your message dated Mon, 13 Apr 2026 18:50:31 +0000
with message-id <[email protected]>
and subject line Bug#1132958: fixed in xdg-desktop-portal 1.21.1+ds-1
has caused the Debian Bug report #1132958,
regarding xdg-desktop-portal: GHSA-rqr9-jwwf-wxgj: Race condition in trash portal vs. symlinks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132958: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132958
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xdg-desktop-portal
Version: 1.20.3+ds-3
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <[email protected]>
Forwarded: https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj
xdg-desktop-portal's Trash portal allows sandboxed apps to ask for a
file or directory to be moved to the trash. Similar to CVE-2026-34078 in
Flatpak, a malicious or compromised Flatpak app could ask the portal to
trash a file that it owns, then replace that file with a symlink in an
attempt to cause the portal to trash the target of the symlink on the
host system. I'm not sure what the severity of this would be considered
to be, so I've reported it as RC for now, but please downgrade if RC is
considered excessive.
Currently no CVE ID has been allocated for this. I don't know whether
upstream plans to request one.
For testing/unstable, I'm preparing an upload of 1.20.4 now.
For trixie, I think the easiest way to fix the vulnerability will be to
backport 1.20.4 from testing/unstable, reverting any of the packaging
changes in 1.20.3+ds-2 and 1.20.3+ds-3 that are felt to be inappropriate
for a stable update. There are no changes between 1.20.3 and 1.20.4
other than those required to fix the vulnerability, but it adds a
"copylib" subproject (libglnx, the same one used in Flatpak) to
implement safe symlink traversal, so the diff is large.
For bookworm, it'll have to be a backport of individual changes. I
suggest prioritizing trixie > bookworm and flatpak > xdg-desktop-portal.
experimental will remain vulnerable until 1.21.1 is released, or until I
get a chance to convert the changes into patches, whichever is first.
I'm hoping that 1.21.1 will be released today.
smcv
--- End Message ---
--- Begin Message ---
Source: xdg-desktop-portal
Source-Version: 1.21.1+ds-1
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
xdg-desktop-portal, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated xdg-desktop-portal
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 13 Apr 2026 19:08:31 +0100
Source: xdg-desktop-portal
Architecture: source
Version: 1.21.1+ds-1
Distribution: experimental
Urgency: medium
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1132958
Changes:
xdg-desktop-portal (1.21.1+ds-1) experimental; urgency=medium
.
* New upstream development prerelease
- This version fixes a vulnerability in which a malicious or compromised
Flatpak app could send any file or directory to the trash, including
those outside its sandbox.
(GHSA-rqr9-jwwf-wxgj) (Closes: #1132958)
* Merge packaging from unstable
* Drop patches that were applied upstream
* Standards-Version: 4.7.4 (no changes required)
* Normalize formatting of packaging (debputy reformat)
Checksums-Sha1:
7870408a854e1909b62705fbb4507e169f89700c 3339 xdg-desktop-portal_1.21.1+ds-1.dsc
72b7add6d0794ac9d6a566dab8eea98ff99ba300 906776 xdg-desktop-portal_1.21.1+ds.orig.tar.xz
94c8b442de89b14ac356b8d471f2b45227257610 15768 xdg-desktop-portal_1.21.1+ds-1.debian.tar.xz
706b2830f2eafa123ed56b7505c07a39ab647c36 18415 xdg-desktop-portal_1.21.1+ds-1_source.buildinfo
Checksums-Sha256:
b768d47a4ffcd78eac7e8cf71e683bcdbcea5288e664f9a78fe6ed5362f5d8d5 3339 xdg-desktop-portal_1.21.1+ds-1.dsc
21586f1612520a707b3675c50a34350a44566c67b9faeddf7ac15743ff23a457 906776 xdg-desktop-portal_1.21.1+ds.orig.tar.xz
28ceb62b41e45a422d5ce059c929026a2eae9ef6c2c559ddcebd197023e1f3ea 15768 xdg-desktop-portal_1.21.1+ds-1.debian.tar.xz
1137de6027e3bcccf953c4dd81db596348e7da9d8383210bbedeb9d0e072cfd3 18415 xdg-desktop-portal_1.21.1+ds-1_source.buildinfo
Files:
4aae23f093420cdd558e56f83505d7d2 3339 admin optional xdg-desktop-portal_1.21.1+ds-1.dsc
3fcdccf33d532d39bfa91ad0bd5dc3bc 906776 admin optional xdg-desktop-portal_1.21.1+ds.orig.tar.xz
83801a49960d4298886e324a7fa47ea3 15768 admin optional xdg-desktop-portal_1.21.1+ds-1.debian.tar.xz
707cebd21349f4c970bf4aa0f14e4c65 18415 admin optional xdg-desktop-portal_1.21.1+ds-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers