Your message dated Sat, 25 Apr 2026 10:50:40 +0000
with message-id <[email protected]>
and subject line Bug#1132939: fixed in xdg-dbus-proxy 0.1.4-3+deb12u1
has caused the Debian Bug report #1132939,
regarding CVE-2026-34080: Eavesdrop filter bypass allows message interception
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132939: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132939
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xdg-dbus-proxy
Version: 0.1.0-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <[email protected]>
Control: fixed -1 0.1.7-1
Forwarded: https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677

xdg-dbus-proxy older than 0.1.7 does not detect all legacy eavesdropping 
match rules. A malicious or compromised Flatpak app could use this to 
spy on D-Bus message bus traffic that the app was not meant to be able 
to see.

For testing/unstable, this is fixed in xdg-dbus-proxy 0.1.7.

For trixie or older, we'll need a backport of upstream commit
<https://github.com/flatpak/xdg-dbus-proxy/commit/4d0d1d74d4f40260a79161163b4b2f7276bce0b0>,
or a backport of the full 0.1.7 upstream release (which seems to be
bugfix-only).

    smcv

--- End Message ---
--- Begin Message ---
Source: xdg-dbus-proxy
Source-Version: 0.1.4-3+deb12u1
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of
xdg-dbus-proxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated xdg-dbus-proxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 15 Apr 2026 20:27:48 +0100
Source: xdg-dbus-proxy
Architecture: source
Version: 0.1.4-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1132939
Changes:
 xdg-dbus-proxy (0.1.4-3+deb12u1) bookworm-security; urgency=high
 .
   * d/gbp.conf: Configure for bookworm
   * d/p/Fix-GVariant-reference-leaks.patch:
     Add patch from upstream 0.1.6 fixing some memory leaks.
     As well as being a desirable bug fix, this is necessary for the fix
     for CVE-2026-34080 to apply cleanly.
   * d/p/flatpak-proxy-Use-g_autoptr-in-validate_arg0_match.patch,
     d/p/Improve-detection-of-eavesdrop-true.patch:
     Fix detection of eavesdrop=true match rules, resolving a vulnerability
     in which a malicious or compromised Flatpak app could monitor D-Bus
     traffic that it was not intended to be able to access.
     (CVE-2026-34080) (Closes: #1132939)


--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers