|
|
Log in / Subscribe / Register

Ubuntu alert USN-8287-1 (xdg-desktop-portal)



From:
              noreply+usn-bot@canonical.com


To:
              ubuntu-security-announce@lists.ubuntu.com


Subject:
              [USN-8287-1] XDG Desktop Portal vulnerability


Date:
              Thu, 21 May 2026 15:13:40 +0000


Message-ID:
              <E1wQ55g-0003W1-HG@lists.ubuntu.com>


==========================================================================
Ubuntu Security Notice USN-8287-1
May 20, 2026

xdg-desktop-portal vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS

Summary:

XDG Desktop Portal could be made to delete files.

Software Description:
- xdg-desktop-portal: A portal frontend service for Flatpak and other desktop containment
frameworks

Details:

It was discovered that XDG Desktop Portal incorrectly handled
trashing files. A local attacker could possibly use this issue to
delete arbitrary files on the host file system via a symlink attack.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  xdg-desktop-portal              1.20.3+ds-1ubuntu1.1
  xdg-desktop-portal-dev          1.20.3+ds-1ubuntu1.1

Ubuntu 24.04 LTS
  xdg-desktop-portal              1.18.4-1ubuntu2.24.04.2
  xdg-desktop-portal-dev          1.18.4-1ubuntu2.24.04.2

In general, a standard system update will make all the necessary
changes.

References:
  https://ubuntu.com/security/notices/USN-8287-1
  CVE-2026-40354

Package Information:
  https://launchpad.net/ubuntu/+source/xdg-desktop-portal/1...
  https://launchpad.net/ubuntu/+source/xdg-desktop-portal/1...




Attachment: signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmoPIKYACgkQcpJm3tlz
hgEF/xAAu6RNlAVMteuwMOiYAVV1HfVfV8k2m6GCL0HA3bTj3/lykpFn7/hoWNIG
N+2/zZHFfhlkhhxpJ/iLB/4vUARrmNpBh6wU2+/mjVdMRmpAjNCRMCgS+C1Dfbth
3/v5zh3NVKtAa6J5ZRTjmnEaREWyNXEeoFampt675z0zqhEdJfIbm50dROQCSjvX
cMlStK+pD4sHaiCM8LGg+Vzumb53lLAUG641R59y8PjN6uTB6U5/RJ8MKdJOM9mf
ESuJocWYYMRiP7gAfFCPxEY5SArdbWTMiUNoGbs8MKzn2lbuPMem2wvVo6BRGhyy
6hJ/3zDM9c5eFphNnzDxA0SEW0lkIi5oLtf5j3tXO3C0VT9UnzMKAaT7UWyxdsYz
gYByszZSQ5ZIFfWKWw9tRszrSo9eMLR3/ZBe9w7I8tS0zqWWgEkmz4/YLFaV6HNW
gdsl8PqeWhpp1a/vITz+vqd4ybCWCXr/cXLWND/xN6GCxE6BB5GOK1+9Cd7clHa8
Gui71ODVM/Ajj/SmFiZVKJfFakh+53NCjZPLgjqW2I4nr+e2/vhpH4iMh6XxwFdr
cQnu4maX97ed8b4MVfTHP533GrOUBfJGUNUB78Mum+86JfS9vwREHVdPTPDiBrQj
l2a/D9DIdu7Hqnv24uxZLRz0epiLNGD9TFYZjtSYf6UPfovGBX4=
=kFwn
-----END PGP SIGNATURE-----
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds