From d696debe794d891bef1a3c658d1ab0e044a375ba Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Mon, 20 Apr 2026 11:33:22 +0200 Subject: [PATCH] xdg-desktop-portal: upgrade 1.20.3 -> 1.20.4 Fixes CVE-2026-40354: https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4 Also mark the CVE explicitly patched, as it is tracked without version info at this time. The project now has a dependency on libglnx, which by default it tries to download from the internet during configuring. To avoid that error, this dependency is added to the SRC_URI. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj --- ...portal_1.20.3.bb => xdg-desktop-portal_1.20.4.bb} | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) rename meta-oe/recipes-support/xdg-desktop-portal/{xdg-desktop-portal_1.20.3.bb => xdg-desktop-portal_1.20.4.bb} (71%) diff --git a/meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.3.bb b/meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.4.bb similarity index 71% rename from meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.3.bb rename to meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.4.bb index e0aca558fd..bb48b59dd8 100644 --- a/meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.3.bb +++ b/meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.4.bb @@ -27,11 +27,17 @@ RDEPENDS:${PN} = "bubblewrap rtkit ${PORTAL_BACKENDS} fuse3-utils" inherit meson pkgconfig python3native features_check SRC_URI = " \ - git://github.com/flatpak/xdg-desktop-portal.git;protocol=https;branch=xdg-desktop-portal-1.20 \ + git://github.com/flatpak/xdg-desktop-portal.git;protocol=https;branch=xdg-desktop-portal-1.20;name=main;tag=${PV} \ + git://gitlab.gnome.org/GNOME/libglnx.git;protocol=https;branch=master;name=libglnx;destsuffix=${BB_GIT_DEFAULT_DESTSUFFIX}/subprojects/libglnx \ file://0001-meson.build-add-a-hack-for-crosscompile.patch \ " -SRCREV = "23a76c392170dbbd26230f85ef56c3a57e52b857" +SRCREV_main = "f5aec228c9eb0c9a70eadd6424d92c0ca8a78247" + +# this revision comes from subprojects/libglnx.wrap file of the main source repo +SRCREV_libglnx = "ccea836b799256420788c463a638ded0636b1632" + +SRCREV_FORMAT = "main" FILES:${PN} += "${libdir}/systemd ${datadir}/dbus-1" @@ -47,3 +53,5 @@ do_write_config:append() { bwrap = '${bindir}/bwrap' EOF } + +CVE_STATUS[CVE-2026-40354] = "fixed-version: fixed in 1.20.4"