oss-sec mailing list archives

xdg-desktop-portal GHSA-rqr9-jwwf-wxgj: Trashing of arbitrary host files


From: Simon McVittie <smcv () debian org>
Date: Sat, 11 Apr 2026 00:08:55 +0100

xdg-desktop-portal's Trash portal is designed to allow sandboxed apps to
ask for a file or directory accessible to the app to be moved to the trash.

Similar to CVE-2026-34078 in Flatpak (but less serious), Codean Labs
reported that a malicious or compromised Flatpak app could ask the portal
to trash a file that it owns, then replace that file with a symlink,
exploit a time-of-check/time-of-use mismatch and make the portal trash
the target of the symlink on the host system instead.

This is fixed in stable release 1.20.4 and development prerelease 1.21.1.

https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj


Current thread: