Now, you might think you’re safe as long as you don’t install that plugin. I have news for you: it’s a dependency for the GTK frontend, which Debian 13 installs and enables by default. So even if you never asked for it, it’s already there, quietly doing its thing.
So, if I’m reading this correctly, if you’re using X, as opposed to Wayland, then Debian 13 would leak whatever text you select unencrypted over HTTP to Chinese servers. So, if your password manager selects the password in X, then your password would leak unencrypted, by default.
The phrasing in that quote is unclear. It could be read to mean Debian 13 installs the stardict-gtk package and enables the bad plugin if you install stardict yourself, rather than meaning that any of this is included as part of the default Debian installation.
I think this would indeed happen if you installed stardict yourself, because the stardict package depends on stardict-gtk, which recommends the stardict-plugin package, and the recommends relationship is treated as a dependency by default.
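As an added example (not from the thread), a small model of the apt resolution the comment above describes: Depends is always followed, Recommends only when APT::Install-Recommends is on, which is the Debian default. The control stanzas are constructed placeholders, not real Debian metadata; only the stardict -> stardict-gtk -> stardict-plugin chain comes from the thread.

```python
import re

# Constructed control-file style stanzas (placeholder data). Only the
# stardict -> stardict-gtk -> stardict-plugin chain reflects the thread;
# every other package and field here is a made-up placeholder.
CONTROL = """\
Package: stardict
Depends: stardict-gtk

Package: stardict-gtk
Depends: libgtk-placeholder (>= 1.0)
Recommends: stardict-plugin

Package: stardict-plugin
Depends: libgtk-placeholder
Recommends: stardict-plugin-extra

Package: stardict-plugin-extra

Package: libgtk-placeholder
"""

def parse_control(text):
    """Return {package: {"Depends": [...], "Recommends": [...]}}.

    Version constraints are dropped and only the first alternative of
    an 'a | b' relation is kept; enough for modelling the closure."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(":", 1) for line in stanza.splitlines())
        fields = {k.strip(): v.strip() for k, v in fields.items()}
        pkgs[fields["Package"]] = {
            rel: [d.strip().split()[0]
                  for d in fields.get(rel, "").split(",") if d.strip()]
            for rel in ("Depends", "Recommends")
        }
    return pkgs

def install_closure(pkgs, root, install_recommends=True):
    """Packages apt would pull in for `root`: Depends always, Recommends
    only when APT::Install-Recommends is on (the Debian default)."""
    rels = ["Depends"] + (["Recommends"] if install_recommends else [])
    todo, seen = [root], set()
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        for rel in rels:
            todo.extend(pkgs[name][rel])
    return sorted(seen)

if __name__ == "__main__":
    pkgs = parse_control(CONTROL)
    print("default:", install_closure(pkgs, "stardict"))
    print("--no-install-recommends:", install_closure(pkgs, "stardict", False))
```

With the default setting the plugin package lands on the system; with `--no-install-recommends` (or `APT::Install-Recommends "false";`) it does not.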
The questions on my mind are:
- Is stardict installed by default in a new Debian 13 installation, or does this only affect people who install it themselves?
- When will this malicious plugin be fixed or removed, not just in Debian, but in all distros that have it?
- When will the package maintainer who defended the plugin’s behavior be dealt with?
You have to be using X and Gnome. Gnome is the default desktop environment, but not everyone installs and uses it.
You have to be using X and Gnome.
I don’t think this is true. The stardict-gtk package gets installed on any system that installs the stardict package, regardless of what desktop environment is used, due to a hard dependency between those packages.
Ah yeah, I misspoke. Gnome will provide it, but it’ll probably come with other GTK software too.
This isn’t quite accurate - the vulnerability only affects you if you have the StarDict dictionary app installed AND running (it’s not installed by default in Debian 13), so your passwords aren’t being leaked just by using X, but it’s still a serious security issue that needs immediate fixing.
I’ve tried a freshly installed trixie with default DE (GNOME) and didn’t see this package installed. Perhaps they’re changing stuff as of writing.
Either way, having this in the repo is not okay. I hope they can address this as well.
So if I continue using bookworm it’s fine, right?
AFAICT, what matters is whether you have stardict installed and running, not whether you use Bookworm vs. Trixie. It looks like they both have the same version of the package in question, though I haven’t verified the behavior.