UbuntuUpdates.org

Package "xdg-desktop-portal"

Name: xdg-desktop-portal

Description: desktop integration portal for Flatpak and Snap

Latest version: 1.20.3+ds-1ubuntu1.1
Release: questing (25.10)
Level: security
Repository: main
Homepage: https://flatpak.github.io/xdg-desktop-portal/

Other versions of "xdg-desktop-portal" in Questing

Repository  Area      Version
base        universe  1.20.3+ds-1ubuntu1
base        main      1.20.3+ds-1ubuntu1
security    universe  1.20.3+ds-1ubuntu1.1
updates     main      1.20.3+ds-1ubuntu1.1
updates     universe  1.20.3+ds-1ubuntu1.1

Changelog

Version: 1.20.3+ds-1ubuntu1.1 2026-05-20 19:07:24 UTC

  xdg-desktop-portal (1.20.3+ds-1ubuntu1.1) questing-security; urgency=medium

  * SECURITY UPDATE: Symlink Redirection Attack in g_file_trash
    - debian/patches/CVE-2026-40354-pre1.patch: Add libglnx dependency in
      meson.build and subprojects/libglnx.wrap
    - debian/patches/CVE-2026-40354-1.patch: Use File Descriptors rather than
      g_file_trash to avoid race conditions when trashing file in src/trash.c
    - debian/patches/CVE-2026-40354-2.patch: Fix trashing files on older
      versions of glib in src/trash.c
    - CVE-2026-40354
  * xdg-desktop-portal_1.20.3+ds.orig-libglnx.tar.gz: Add vendored libglnx
    at ccea836b799256420788c463a638ded0636b1632.
  * debian/rules: Add symlink to vendored libglnx in submodules/libglnx
  * debian/clean: Remove vendored libglnx symlink after build

 -- Kyle Kernick <email address hidden> Thu, 23 Apr 2026 10:17:55 -0600

CVE-2026-40354 Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack o