this post was submitted on 07 Aug 2025
32 points (97.1% liked)

Linux

12514 readers
172 users here now

Welcome to c/linux!

Welcome to our thriving Linux community! Whether you're a seasoned Linux enthusiast or just starting your journey, we're excited to have you here. Explore, learn, and collaborate with like-minded individuals who share a passion for open-source software and the endless possibilities it offers. Together, let's dive into the world of Linux and embrace the power of freedom, customization, and innovation. Enjoy your stay and feel free to join the vibrant discussions that await you!

Rules:

  1. Stay on topic: Posts and discussions should be related to Linux, open source software, and related technologies.

  2. Be respectful: Treat fellow community members with respect and courtesy.

  3. Quality over quantity: Share informative and thought-provoking content.

  4. No spam or self-promotion: Avoid excessive self-promotion or spamming.

  5. No NSFW adult content

  6. Follow general lemmy guidelines.

founded 2 years ago
MODERATORS
MigratingtoLemmy@lemmy.world
32
StarDict Plugins in Debian 13 Raise Privacy Concerns (linuxiac.com)
submitted 6 days ago by who@feddit.org to c/linux@lemmy.world
9 comments fedilink hide all child comments
 

Details: https://seclists.org/oss-sec/2025/q3/75

CVE: https://nvd.nist.gov/vuln/detail/cve-2025-55014

top 9 comments
sorted by: hot top controversial new old
[–] logicbomb@lemmy.world 9 points 6 days ago (3 children)

Now, you might think you’re safe as long as you don’t install that plugin. I have news for you: it’s a dependency for the GTK frontend, which Debian 13 installs and enables by default. So even if you never asked for it, it’s already there, quietly doing its thing.

So, if I'm reading this correctly, if you're using X, as opposed to Wayland, then Debian 13 would leak whatever text you select unencrypted over HTTP to chinese servers. So, if your password manager selects the password in X, then your password would leak unencrypted, by default.

[–] MysteriousSophon21@lemmy.world 1 points 3 days ago

This isn't quite accurate - the vulnerability only affects you if you have StarDict dictionary app installed AND running (it's not installed by default in Debian 13), so your passwords aren't being leaked just by using X, but it's still a seriosu security issue that needs immediate fixing.

[–] who@feddit.org 6 points 6 days ago* (last edited 5 days ago)

The phrasing in that quote is unclear. It could be read to mean Debian 13 installs the stardict-gtk package and enables the bad plugin if you install stardict yourself, rather than meaning that any of this is included as part of the default Debian installation.

I think this would indeed happen if you installed stardict yourself, because the stardict package depends on stardict-gtk, which recommends the stardict-plugin package, and the recommends relationship is treated as a dependency by default.

The questions on my mind are:

  • Is stardict installed by default in a new Debian 13 installation, or does this only affect people who install it themselves?
  • When will this malicious plugin be fixed or removed, not just in Debian, but in all distros that have it?
  • When will the package maintainer who defended the plugin's behavior be dealt with?
[–] JTskulk@lemmy.world 2 points 6 days ago (1 children)

You have to be using X and Gnome. Gnome is the default desktop environment, but not everyone installs and uses it.

[–] who@feddit.org 4 points 6 days ago* (last edited 6 days ago) (1 children)

You have to be using X and Gnome.

I don't think this is true. The stardict-gtk package gets installed on any system that installs the stardict package, regardless of what desktop environment is used, due to a hard dependency between those packages.

[–] JTskulk@lemmy.world 2 points 6 days ago

Ah yeah I misspoke. Gnome will provide it but it'll probably come with other GTK software too.

[–] pastermil@sh.itjust.works 6 points 5 days ago

I've tried a freshly installed trixie with default DE (GNOME) and didn't see this package installed. Perhaps they're changing stuff as of writing.

Either way, having this in the repo is not okay. I hope they can address this as well.

[–] GreenKnight23@lemmy.world 1 points 6 days ago (1 children)

so if I continue using bookworm it's fine, right?

[–] who@feddit.org 3 points 5 days ago* (last edited 5 days ago)

AFAICT, what matters is whether you have stardict installed and running, not whether you use Bookworm vs. Trixie. It looks like they both have the same version of the package in question, though I haven't verified the behavior.