On Tue, 07 Apr 2026 at 21:09:26 +0100, Simon McVittie wrote:
> For trixie or older, we'll need a backport of upstream commit
> <https://github.com/flatpak/xdg-dbus-proxy/commit/4d0d1d74d4f40260a79161163b4b2f7276bce0b0>,
> or a backport of the full 0.1.7 upstream release (which seems to be
> bugfix-only).

I assumed the single commit for the security fix is more likely to be accepted.

debdiff and source package here:
https://people.debian.org/~smcv/temp/2026/CVE-2026-34080/

Functionally equivalent test build with a slightly lower version number:
https://people.debian.org/~smcv/temp/2026/CVE-2026-34080/testbuild/

Briefly tested in a trixie GNOME VM. I didn't attempt to reproduce the vulnerability; I only checked that a Flatpak app worked normally and could contact D-Bus services (org.gnome.Epiphany talking to xdg-desktop-portal).

Does the security team want to do a DSA for this?

    smcv
