[From nobody Sat Apr 18 16:23:05 2026
Date: Tue, 7 Apr 2026 21:09:26 +0100
From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2026-34080: Eavesdrop filter bypass allows message interception
Message-ID: <adVkdirtmKuoaGQK@definition.pseudorandom.co.uk>

Package: xdg-dbus-proxy
Version: 0.1.0-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Control: fixed -1 0.1.7-1
Forwarded: https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677

xdg-dbus-proxy older than 0.1.7 does not detect all legacy eavesdropping 
match rules. A malicious or compromised Flatpak app could use this to 
spy on D-Bus message bus traffic that the app was not meant to be able 
to see.

For testing/unstable, this is fixed in xdg-dbus-proxy 0.1.7.

For trixie or older, we'll need a backport of upstream commit 
<https://github.com/flatpak/xdg-dbus-proxy/commit/4d0d1d74d4f40260a79161163b4b2f7276bce0b0>, 
or a backport of the full 0.1.7 upstream release (which seems to be 
bugfix-only).

    smcv
]