


Bug#1132939: xdg-dbus-proxy CVE-2026-34080: Eavesdrop filter bypass allows message interception

From Moritz Mühlenhoff <jmm@inutil.org>
Newsgroups linux.debian.bugs.dist
Subject Bug#1132939: xdg-dbus-proxy CVE-2026-34080: Eavesdrop filter bypass allows message interception
Date 2026-04-12 19:50 +0200
Message-ID <MJ76x-eDtJ-1@gated-at.bofh.it> (permalink)
References <MHl3X-dr7I-1@gated-at.bofh.it> <MIsZr-ebGM-3@gated-at.bofh.it>
Organization linux.* mail to news gateway



On Fri, Apr 10, 2026 at 11:50:56PM +0100, Simon McVittie wrote:
> On Tue, 07 Apr 2026 at 21:09:26 +0100, Simon McVittie wrote:
> > For trixie or older, we'll need a backport of upstream commit
> > <https://github.com/flatpak/xdg-dbus-proxy/commit/4d0d1d74d4f40260a79161163b4b2f7276bce0b0>,
> > or a backport of the full 0.1.7 upstream release (which seems to be
> > bugfix-only).
> 
> I assumed the single commit for the security fix is more likely to be
> accepted.
> 
> debdiff and source package here:
> https://people.debian.org/~smcv/temp/2026/CVE-2026-34080/
> 
> functionally-equivalent test-build with a slightly lower version number:
> https://people.debian.org/~smcv/temp/2026/CVE-2026-34080/testbuild/
> 
> Briefly tested in a trixie GNOME VM. I didn't attempt to reproduce the
> vulnerability, I only checked that a Flatpak app worked normally and could
> contact D-Bus services (org.gnome.Epiphany talking to xdg-desktop-portal).
> 
> Does the security team want to do a DSA for this?

Let's also fix this via a DSA. debdiff looks good, please build with -sa
and upload to security-master. Is 0.1.4 from bookworm also affected?

Cheers,
        Moritz

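The `-sa` that Moritz asks for makes dpkg-buildpackage (through dpkg-genchanges) list the upstream orig tarball in the .changes file, so the upload to security-master carries full source rather than relying on a tarball the security archive may not already have. As an added example that is not part of this bug thread or of the xdg-dbus-proxy project, the POSIX shell check below inspects a .changes file and reports whether the orig tarball is included; the .changes contents it generates (checksums, sizes, the `0.1.6-1+deb13u1` version string) are constructed placeholders, not data from a real upload.

```shell
#!/bin/sh
# Added example, not part of the Debian bug report: decide from a .changes
# file whether an upload carries the upstream orig tarball, which is what
# building with -sa guarantees. The .changes contents written below are
# constructed (fake md5sums and sizes, placeholder version number).

# Return 0 if the Files: section of the .changes file in $1 lists a
# .orig.tar.* entry, 1 otherwise. The Files: section ends at the first
# line that does not start with a space (next field, or a PGP signature).
changes_has_orig_tarball() {
    awk '
        /^Files:/                          { in_files = 1; next }
        in_files && /^[^ ]/                { in_files = 0 }
        in_files && $NF ~ /\.orig\.tar\./  { found = 1 }
        END                                { exit found ? 0 : 1 }
    ' "$1"
}

# Write a constructed .changes file to $1. With $2 = "sa" the Files:
# section also lists the orig tarball, as dpkg-buildpackage -sa would.
write_sample_changes() {
    {
        echo "Format: 1.8"
        echo "Source: xdg-dbus-proxy"
        echo "Version: 0.1.6-1+deb13u1"    # placeholder, not a real upload
        echo "Distribution: trixie-security"
        echo "Files:"
        echo " d41d8cd98f00b204e9800998ecf8427e 1234 admin optional xdg-dbus-proxy_0.1.6-1+deb13u1.dsc"
        if [ "$2" = "sa" ]; then
            echo " d41d8cd98f00b204e9800998ecf8427e 56789 admin optional xdg-dbus-proxy_0.1.6.orig.tar.xz"
        fi
        echo " d41d8cd98f00b204e9800998ecf8427e 2345 admin optional xdg-dbus-proxy_0.1.6-1+deb13u1.debian.tar.xz"
    } > "$1"
}

SAMPLE_DIR=$(mktemp -d)
write_sample_changes "$SAMPLE_DIR/with-sa.changes" sa
write_sample_changes "$SAMPLE_DIR/without-sa.changes" no

for f in "$SAMPLE_DIR"/*.changes; do
    if changes_has_orig_tarball "$f"; then
        echo "$f: orig tarball listed (built with -sa)"
    else
        echo "$f: orig tarball missing; rebuild with -sa before uploading to security-master"
    fi
done
```

Run it on the .changes produced by the actual build before `dput`; the "missing" branch is the case where the upload would be rejected or would pick up a different tarball than the one the debdiff was made against.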


Thread

Bug#1132939: xdg-dbus-proxy CVE-2026-34080: Eavesdrop filter bypass allows message interception Moritz Mühlenhoff <jmm@inutil.org> - 2026-04-12 19:50 +0200
  Bug#1132939: xdg-dbus-proxy CVE-2026-34080: Eavesdrop filter bypass allows message interception Simon McVittie <smcv@debian.org> - 2026-04-12 21:00 +0200
  Bug#1132939: xdg-dbus-proxy CVE-2026-34080: Eavesdrop filter bypass allows message interception Moritz Mühlenhoff <jmm@inutil.org> - 2026-04-13 23:00 +0200
    Bug#1132958: xdg-desktop-portal: GHSA-rqr9-jwwf-wxgj: Race condition in trash portal vs. symlinks Simon McVittie <smcv@debian.org> - 2026-04-14 21:30 +0200
    Bug#1132939: xdg-dbus-proxy CVE-2026-34080: Eavesdrop filter bypass allows message interception Simon McVittie <smcv@debian.org> - 2026-04-15 23:20 +0200
