NIXPKGS-2026-0991

GitHub issue published on

Permalink CVE-2026-34080

updated 3 weeks, 5 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 5 days ago
@LeSuisse accepted 3 weeks, 5 days ago
@LeSuisse published on GitHub 3 weeks, 5 days ago

xdg-dbus-proxy has an eavesdrop filter bypass allowing message interception

xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7.

References

https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677 x_refsource_CONFIRM

Affected products

xdg-dbus-proxy

==< 0.1.7

Matching in nixpkgs

pkgs.xdg-dbus-proxy

DBus proxy for Flatpak and others

nixos-unstable 0.1.6
- nixpkgs-unstable 0.1.6
- nixos-unstable-small 0.1.6
nixos-25.11 0.1.6
- nixos-25.11-small 0.1.6
- nixpkgs-25.11-darwin 0.1.6

Package maintainers

@jtojnar Jan Tojnar <jtojnar@gmail.com>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0991

References

Affected products

Matching in nixpkgs

pkgs.xdg-dbus-proxy

Package maintainers