Your message dated Sat, 11 Jul 2026 10:32:47 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1141297,
regarding trixie-pu: package dolphin/4:25.04.3-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1141297: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141297
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:dolphin
User: [email protected]
Usertags: pu
* CVE-2026-41525: Sandbox escape
diffstat for dolphin-25.04.3 dolphin-25.04.3
changelog | 7
+
patches/0001-dolphinviewcontainer-do-not-implicitly-open-director.patch | 44
++++++++++
patches/series | 1
3 files changed, 52 insertions(+)
diff -Nru dolphin-25.04.3/debian/changelog dolphin-25.04.3/debian/changelog
--- dolphin-25.04.3/debian/changelog 2025-07-23 09:19:05.000000000 +0300
+++ dolphin-25.04.3/debian/changelog 2026-07-02 20:11:18.000000000 +0300
@@ -1,3 +1,10 @@
+dolphin (4:25.04.3-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-41525: Sandbox escape
+
+ -- Adrian Bunk <[email protected]> Thu, 02 Jul 2026 20:11:18 +0300
+
dolphin (4:25.04.3-1) unstable; urgency=medium
[ Aurélien COUDERC ]
diff -Nru
dolphin-25.04.3/debian/patches/0001-dolphinviewcontainer-do-not-implicitly-open-director.patch
dolphin-25.04.3/debian/patches/0001-dolphinviewcontainer-do-not-implicitly-open-director.patch
---
dolphin-25.04.3/debian/patches/0001-dolphinviewcontainer-do-not-implicitly-open-director.patch
1970-01-01 02:00:00.000000000 +0200
+++
dolphin-25.04.3/debian/patches/0001-dolphinviewcontainer-do-not-implicitly-open-director.patch
2026-07-02 20:10:57.000000000 +0300
@@ -0,0 +1,44 @@
+From cfd995e74fd5ab716e21231f8bf63e8aa508c2a4 Mon Sep 17 00:00:00 2001
+From: Harald Sitter <[email protected]>
+Date: Tue, 10 Feb 2026 12:55:11 +0100
+Subject: dolphinviewcontainer: do not implicitly open directories as files
+
+we already have xdg-run, we don't need another runner interface ;)
+
+notably if the user disabled the ask-before-execute guard rail from KIO,
+they would also implicitly allow other applications to execute any file
+by invoking it through dolphin, that would be a bit silly and isn't the
+point of the guard rail opt-out.
+
+when detecting a file we now instead open the parent
+
+Should improve
+CCBUG: 516830
+---
+ src/dolphinviewcontainer.cpp | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/src/dolphinviewcontainer.cpp b/src/dolphinviewcontainer.cpp
+index e13f4a87b..10567db85 100644
+--- a/src/dolphinviewcontainer.cpp
++++ b/src/dolphinviewcontainer.cpp
+@@ -724,15 +724,7 @@ void DolphinViewContainer::slotUrlIsFileError(const QUrl
&url)
+ {
+ const KFileItem item(url);
+
+- // Find out if the file can be opened in the view (for example, this is
the
+- // case if the file is an archive). The mime type must be known for that.
+- item.determineMimeType();
+- const QUrl &folderUrl = DolphinView::openItemAsFolderUrl(item, true);
+- if (!folderUrl.isEmpty()) {
+- setUrl(folderUrl);
+- } else {
+- slotItemActivated(item);
+- }
++ setUrl(KIO::upUrl(item.url()));
+ }
+
+ void DolphinViewContainer::slotItemActivated(const KFileItem &item)
+--
+2.47.3
+
diff -Nru dolphin-25.04.3/debian/patches/series
dolphin-25.04.3/debian/patches/series
--- dolphin-25.04.3/debian/patches/series 2025-07-23 09:19:05.000000000
+0300
+++ dolphin-25.04.3/debian/patches/series 2026-07-02 20:11:16.000000000
+0300
@@ -7,3 +7,4 @@
upstream_3e4d9ca1_fix-incorrect-view-reset-when-unmounting-similarly-named-devices.patch
upstream_6dd55251_DolphinView-display-errorMessage-when-copy-errors-occurs.patch
upstream_c4ffe88c_DolphinView-display-errorMessage-when-copy-errors-occurs.patch
+0001-dolphinviewcontainer-do-not-implicitly-open-director.patch
--- End Message ---
--- Begin Message ---
Version: 13.6
This update was released as part of 13.6.
--- End Message ---