[Pkg-utopia-maintainers] Bug#1132939: xdg-dbus-proxy CVE-2026-34080: Eavesdrop filter bypass allows message interception

Simon McVittie smcv at debian.org
Fri Apr 10 23:50:56 BST 2026


On Tue, 07 Apr 2026 at 21:09:26 +0100, Simon McVittie wrote:
>For trixie or older, we'll need a backport of upstream commit
><https://github.com/flatpak/xdg-dbus-proxy/commit/4d0d1d74d4f40260a79161163b4b2f7276bce0b0>,
>or a backport of the full 0.1.7 upstream release (which seems to be
>bugfix-only).

I assumed the single commit for the security fix is more likely to be 
accepted.

debdiff and source package here:
https://people.debian.org/~smcv/temp/2026/CVE-2026-34080/

Functionally-equivalent test build with a slightly lower version number:
https://people.debian.org/~smcv/temp/2026/CVE-2026-34080/testbuild/

Briefly tested in a trixie GNOME VM. I didn't attempt to reproduce the 
vulnerability, I only checked that a Flatpak app worked normally and 
could contact D-Bus services (org.gnome.Epiphany talking to 
xdg-desktop-portal).

Does the security team want to do a DSA for this?

     smcv
