[ubuntu/questing-security] xdg-desktop-portal 1.20.3+ds-1ubuntu1.1 (Accepted)
Kyle Kernick
kyle.kernick at canonical.com
Wed May 20 17:40:37 UTC 2026
xdg-desktop-portal (1.20.3+ds-1ubuntu1.1) questing-security; urgency=medium

  * SECURITY UPDATE: Symlink Redirection Attack in g_file_trash
    - debian/patches/CVE-2026-40354-pre1.patch: Add libglnx dependency in
      meson.build and subprojects/libglnx.wrap
    - debian/patches/CVE-2026-40354-1.patch: Use File Descriptors rather than
      g_file_trash to avoid race conditions when trashing file in src/trash.c
    - debian/patches/CVE-2026-40354-2.patch: Fix trashing files on older
      versions of glib in src/trash.c
    - CVE-2026-40354
  * xdg-desktop-portal_1.20.3+ds.orig-libglnx.tar.gz: Add vendored libglnx
    at ccea836b799256420788c463a638ded0636b1632.
  * debian/rules: Add symlink to vendored libglnx in submodules/libglnx
  * debian/clean: Remove vendored libglnx symlink after build

Date: 2026-04-29 23:40:10.045016+00:00
Changed-By: Kyle Kernick <kyle.kernick at canonical.com>
https://launchpad.net/ubuntu/+source/xdg-desktop-portal/1.20.3+ds-1ubuntu1.1