XDG-Desktop-Portal 1.20.4 has been released to fix a security vulnerability that allowed sandboxed apps to trash arbitrary host files. The flaw stemmed from using GLib's g_file_trash, which relies on paths and was susceptible to symlink race attacks. The fix replaces path-based operations with file descriptor-based operations, eliminating the symlink race redirect risk. This release accompanies Flatpak 1.16.4, which addressed related sandbox escape and host file deletion vulnerabilities.
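The contrast between path-based and descriptor-based handling, as an added C illustration that is not code from xdg-desktop-portal, GLib or Flatpak: the hypothetical helper trash_entry_at() pins the parent and trash directories by file descriptor and refuses to act when the entry is no longer the inode the caller holds open. The function names, directory layout and sample files are assumptions constructed for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Move `name` out of the directory pinned by parent_fd into trash_fd, but only
 * if that entry is still the inode the caller holds open as granted_fd.
 * Hypothetical helper; not the xdg-desktop-portal implementation. */
int trash_entry_at(int parent_fd, const char *name, int granted_fd, int trash_fd)
{
    struct stat want, have;
    if (fstat(granted_fd, &want) < 0) return -1;
    /* AT_SYMLINK_NOFOLLOW: inspect the entry itself, never a link target. */
    if (fstatat(parent_fd, name, &have, AT_SYMLINK_NOFOLLOW) < 0) return -1;
    /* A different inode means the entry was replaced after access was granted. */
    if (want.st_dev != have.st_dev || want.st_ino != have.st_ino) return -1;
    /* renameat() resolves both names relative to the pinned directories and
     * moves the directory entry itself, so a swapped-in symlink cannot
     * redirect the operation to another part of the filesystem. */
    return renameat(parent_fd, name, trash_fd, name);
}

/* Constructed scenario: returns 1 if a legitimate entry is trashed and an
 * entry replaced by a symlink to "host_secret" is refused, leaving it intact. */
int demo(void)
{
    char tmpl[] = "/tmp/trashdemoXXXXXX";
    if (!mkdtemp(tmpl)) return 0;
    int root = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    mkdirat(root, "docs", 0700); mkdirat(root, "trash", 0700);
    int docs = openat(root, "docs", O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    int trash = openat(root, "trash", O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    close(openat(root, "host_secret", O_CREAT | O_WRONLY, 0600));
    int a = openat(docs, "a.txt", O_CREAT | O_RDWR, 0600);
    int b = openat(docs, "b.txt", O_CREAT | O_RDWR, 0600);
    /* Simulate the race: b.txt is swapped for a symlink after being granted. */
    unlinkat(docs, "b.txt", 0);
    symlinkat("../host_secret", docs, "b.txt");
    int ok = trash_entry_at(docs, "a.txt", a, trash) == 0
          && faccessat(trash, "a.txt", F_OK, 0) == 0
          && trash_entry_at(docs, "b.txt", b, trash) == -1
          && faccessat(root, "host_secret", F_OK, 0) == 0;
    close(a); close(b); close(docs); close(trash); close(root);
    return ok;
}

int main(void) { printf("demo ok: %d\n", demo()); return 0; }
```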