On Fri, Apr 10, 2026 at 11:50:56PM +0100, Simon McVittie wrote:
> On Tue, 07 Apr 2026 at 21:09:26 +0100, Simon McVittie wrote:
> > For trixie or older, we'll need a backport of upstream commit
> > <https://github.com/flatpak/xdg-dbus-proxy/commit/4d0d1d74d4f40260a79161163b4b2f7276bce0b0>,
> > or a backport of the full 0.1.7 upstream release (which seems to be
> > bugfix-only).
> 
> I assumed the single commit for the security fix is more likely to be
> accepted.
> 
> debdiff and source package here:
> https://people.debian.org/~smcv/temp/2026/CVE-2026-34080/
> 
> functionally-equivalent test-build with a slightly lower version number:
> https://people.debian.org/~smcv/temp/2026/CVE-2026-34080/testbuild/
> 
> Briefly tested in a trixie GNOME VM. I didn't attempt to reproduce the
> vulnerability, I only checked that a Flatpak app worked normally and could
> contact D-Bus services (org.gnome.Epiphany talking to xdg-desktop-portal).
> 
> Does the security team want to do a DSA for this?

Let's also fix this via a DSA. debdiff looks good, please build with -sa
and upload to security-master. Is 0.1.4 from bookworm also affected?

Cheers,
        Moritz
