Update xdg-desktop-portal to 1.18.4

Bug #2062394 reported by Jeremy Bícha
Affects                      Status         Importance  Assigned to  Milestone
xdg-desktop-portal (Ubuntu)  Fix Released   High        Unassigned
  Noble                      Fix Committed  High        Unassigned

Bug Description

Impact
------
This is a new release in the stable 1.18.x series. It includes part of a CVE security fix; the more important part of the CVE is in flatpak but there is some hardening on the xdg-desktop-portal side.

https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.18.4

https://github.com/flatpak/xdg-desktop-portal/compare/1.18.3...1.18.4

Test Plan
---------
Run the tests from https://wiki.ubuntu.com/DesktopTeam/TestPlans/XdgDesktopPortalGnome

What Could Go Wrong
------------------
xdg-desktop-portal is critical functionality for Snaps and Flatpaks, including providing the file chooser dialogs for both of the only security-supported web browsers in Ubuntu: firefox and chromium (both as snaps).

xdg-desktop-portal is included in every official Ubuntu desktop flavor as it has become essential functionality for modern desktops. When used by desktops, there is a separate backend package to provide the UI. For Ubuntu Desktop, this is xdg-desktop-portal-gnome. Several other desktops use xdg-desktop-portal-gtk (even Ubuntu Desktop uses it as a dependency of -gnome), but there are other backends that follow the standard naming convention xdg-desktop-portal-*.

xdg-desktop-portal is also used in some apps that are distributed as .deb packages; for instance, it is used for the Set as Background feature in the Nautilus file browser.

Other Info
----------
(none)

Jeremy Bícha (jbicha)
description: updated
information type: Public → Public Security
Changed in xdg-desktop-portal (Ubuntu):
status: Triaged → In Progress
Jeremy Bícha (jbicha)
Changed in xdg-desktop-portal (Ubuntu):
status: In Progress → Fix Committed
status: Fix Committed → In Progress
Steve Langasek (vorlon) wrote : Proposed package upload rejected

An upload of xdg-desktop-portal to noble-proposed has been rejected from the upload queue for the following reason: "merge changelog includes references to long-fixed bugs, needs cleanup".

Jeremy Bícha (jbicha)
description: updated
description: updated
Changed in xdg-desktop-portal (Ubuntu Noble):
importance: Undecided → High
status: New → In Progress
Changed in xdg-desktop-portal (Ubuntu):
status: In Progress → Fix Committed
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Jeremy, or anyone else affected,

Accepted xdg-desktop-portal into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/xdg-desktop-portal/1.18.4-1ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in xdg-desktop-portal (Ubuntu Noble):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-noble
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xdg-desktop-portal - 1.18.4-1ubuntu3

---------------
xdg-desktop-portal (1.18.4-1ubuntu3) oracular; urgency=medium

  * Upload to oracular

xdg-desktop-portal (1.18.4-1ubuntu2) noble; urgency=medium

  * Merge with Debian (LP: #2062394). Remaining change:
    - Import https://github.com/flatpak/xdg-desktop-portal/pull/705 as a
      distro-patch to add a portal for managing WebExtensions native messaging
      servers

xdg-desktop-portal (1.18.4-1) unstable; urgency=medium

  * New upstream stable release
    - Don't allow sandboxed apps to specify commands starting with '-'
      when generating .desktop files, mitigating CVE-2024-32462 in Flatpak
    - Do not store device access permission as "denied by user" if there
      was an error
    - Fix a crash when config files don't specify a default backend

 -- Jeremy Bícha <email address hidden> Thu, 02 May 2024 14:14:32 -0400

Changed in xdg-desktop-portal (Ubuntu):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.