• @logicbomb@lemmy.world
    9
    13 days ago

    Now, you might think you’re safe as long as you don’t install that plugin. I have news for you: it’s a dependency for the GTK frontend, which Debian 13 installs and enables by default. So even if you never asked for it, it’s already there, quietly doing its thing.

    So, if I’m reading this correctly, if you’re using X, as opposed to Wayland, then Debian 13 would leak whatever text you select unencrypted over HTTP to Chinese servers. So, if your password manager selects the password in X, then your password would leak unencrypted, by default.

    • who (OP)
      6
      13 days ago

      The phrasing in that quote is unclear. It could be read to mean Debian 13 installs the stardict-gtk package and enables the bad plugin if you install stardict yourself, rather than meaning that any of this is included as part of the default Debian installation.

      I think this would indeed happen if you installed stardict yourself, because the stardict package depends on stardict-gtk, which recommends the stardict-plugin package, and the recommends relationship is treated as a dependency by default.

      The questions on my mind are:

      • Is stardict installed by default in a new Debian 13 installation, or does this only affect people who install it themselves?
      • When will this malicious plugin be fixed or removed, not just in Debian, but in all distros that have it?
      • When will the package maintainer who defended the plugin’s behavior be dealt with?
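The Depends/Recommends chain described in this comment is what decides whether the plugin lands on a system, so here is an added shell example (not code from the thread or from Debian) that walks a constructed, simplified set of package stanzas the way apt's default Install-Recommends setting does, and shows the difference with recommends turned off. The stanza contents are assumed from the comment's description, not copied from real Debian metadata.

```shell
# Added example, not code from the thread or from Debian: the stanzas are
# CONSTRUCTED and simplified from the comment's description of the chain
# (stardict -> Depends: stardict-gtk -> Recommends: stardict-plugin).
PACKAGES='Package: stardict
Depends: stardict-gtk

Package: stardict-gtk
Depends: libgtk-3-0
Recommends: stardict-plugin

Package: stardict-plugin
Depends: libcurl4

Package: libgtk-3-0

Package: libcurl4
'
# field <pkg> <Field>: print that field of pkg's stanza as a comma list, no spaces
field() {
    printf '%s\n' "$PACKAGES" | awk -v p="$1" -v f="$2" '
        /^Package: / { cur = $2 }
        cur == p && index($0, f ":") == 1 { sub(/^[^:]*: */, ""); gsub(/ /, ""); print }'
}
# resolve <pkg> <with_recommends 0|1>: accumulate the closure in $SEEN (IFS is ",")
resolve() {
    case ",$SEEN," in *",$1,"*) return 0 ;; esac   # already visited
    SEEN="${SEEN:+$SEEN,}$1"
    _deps=$(field "$1" Depends)
    # apt's default, APT::Install-Recommends "true", pulls Recommends in like Depends
    [ "$2" = 1 ] && _deps="$_deps,$(field "$1" Recommends)"
    for _d in $_deps; do
        [ -n "$_d" ] && resolve "$_d" "$2"
    done
    return 0
}
# install_set <pkg> <with_recommends 0|1>: sorted comma list of everything pulled in
install_set() {
    SEEN=""
    _old_ifs=$IFS; IFS=,
    resolve "$1" "$2"
    IFS=$_old_ifs
    printf '%s\n' "$SEEN" | tr ',' '\n' | LC_ALL=C sort | tr '\n' ',' | sed 's/,$//'
}
# pulls_in <pkg> <with_recommends> <candidate>: true if candidate ends up installed
pulls_in() {
    case ",$(install_set "$1" "$2")," in *",$3,"*) return 0 ;; *) return 1 ;; esac
}
printf 'Install-Recommends on : %s\n' "$(install_set stardict 1)"
printf 'Install-Recommends off: %s\n' "$(install_set stardict 0)"
```

On a real Debian system, `apt-cache depends stardict` shows the actual chain, and `apt install --no-install-recommends` (or `APT::Install-Recommends "false";` in apt.conf) changes the default behaviour the comment describes.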
    • @JTskulk@lemmy.world
      2
      13 days ago

      You have to be using X and Gnome. Gnome is the default desktop environment, but not everyone installs and uses it.

      • who (OP)
        4
        13 days ago

        You have to be using X and Gnome.

        I don’t think this is true. The stardict-gtk package gets installed on any system that installs the stardict package, regardless of what desktop environment is used, due to a hard dependency between those packages.

        • @JTskulk@lemmy.world
          2
          13 days ago

          Ah yeah, I misspoke. Gnome will provide it, but it’ll probably come with other GTK software too.

    • @MysteriousSophon21@lemmy.world
      1
      10 days ago

      This isn’t quite accurate - the vulnerability only affects you if you have the StarDict dictionary app installed AND running (it’s not installed by default in Debian 13), so your passwords aren’t being leaked just by using X, but it’s still a serious security issue that needs immediate fixing.