[Pkg-utopia-maintainers] Bug#1132939: CVE-2026-34080: Eavesdrop filter bypass allows message interception
Simon McVittie
smcv at debian.org
Tue Apr 7 21:09:26 BST 2026
Package: xdg-dbus-proxy
Version: 0.1.0-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Control: fixed -1 0.1.7-1
Forwarded: https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677
xdg-dbus-proxy older than 0.1.7 does not detect all legacy eavesdropping
match rules. A malicious or compromised Flatpak app could use this to
spy on D-Bus message bus traffic that the app was not meant to be able
to see.
For testing/unstable, this is fixed in xdg-dbus-proxy 0.1.7.
For trixie or older, we'll need a backport of upstream commit
<https://github.com/flatpak/xdg-dbus-proxy/commit/4d0d1d74d4f40260a79161163b4b2f7276bce0b0>,
or a backport of the full 0.1.7 upstream release (which seems to be
bugfix-only).
smcv
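The report concerns match rules that request legacy eavesdropping. The following is an added example, not xdg-dbus-proxy's own code or the upstream fix: a tokenizer for the D-Bus match-rule grammar (comma-separated key=value pairs, single-quoted values, a backslash escaping a following quote outside quotes) that a filtering proxy could use to reject, fail-closed, any rule it cannot parse or that sets eavesdrop to anything other than the literal false. It does not reproduce the specific bypass, which the report does not describe.

```python
"""Flag D-Bus match rules that request legacy eavesdropping.

Added example, not xdg-dbus-proxy's own code: a tokenizer for the D-Bus
match-rule grammar used to decide, fail-closed, whether a rule may be
passed through a filtering proxy to the bus.
"""


def tokenize_match_rule(rule: str) -> dict[str, str]:
    """Split a match rule into its key/value pairs.

    Grammar as in the D-Bus specification: pairs are comma separated,
    whitespace around a key is ignored, a value may be wrapped in single
    quotes (inside which every character is literal), and outside quotes
    a backslash escapes only a following quote.
    """
    pairs: dict[str, str] = {}
    key, value, in_key, in_quote = [], [], True, False
    i, n = 0, len(rule)
    while i <= n:
        ch = rule[i] if i < n else None  # None marks end of input
        if ch is None or (ch == "," and not in_quote):
            if key or value:
                pairs["".join(key).strip()] = "".join(value)
            key, value, in_key = [], [], True
        elif in_key:
            if ch == "=":
                in_key = False
            else:
                key.append(ch)
        elif ch == "'":
            in_quote = not in_quote
        elif ch == "\\" and not in_quote and i + 1 < n and rule[i + 1] == "'":
            value.append("'")  # escaped quote outside quoted text
            i += 1
        else:
            value.append(ch)  # a stray backslash is kept literally
        i += 1
    if in_quote:
        raise ValueError("unbalanced quotation marks in match rule")
    return pairs


def rule_is_safe(rule: str) -> bool:
    """Allow a rule only if it parses and does not enable eavesdropping.

    A rule that fails to parse, or whose eavesdrop key has any value other
    than the literal 'false', is rejected rather than forwarded.
    """
    try:
        pairs = tokenize_match_rule(rule)
    except ValueError:
        return False
    return pairs.get("eavesdrop", "false") == "false"
```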