From 4dc55a80c8e541acd70b9b40e927e1d2368abd2e Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Wed, 17 Apr 2024 18:13:11 +0100 Subject: [PATCH] Update NEWS Signed-off-by: Simon McVittie --- NEWS | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 81c2595e..f6b920ac 100644 --- a/NEWS +++ b/NEWS @@ -2,7 +2,14 @@ Changes in 1.14.6 ~~~~~~~~~~~~~~~~~ Released: not yet -Bug fixes: +Security fixes: + + * Don't allow an executable name to be misinterpreted as a command-line + option for bwrap(1). This prevents a sandbox escape where a malicious + or compromised app could ask xdg-desktop-portal to generate a .desktop + file with access to files outside the sandbox. (CVE-2024-32462) + +Other bug fixes: * Don't parse `` as the application name (#5700)
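Review bot: The new "Security fixes" entry in the 1.14.6 section names CVE-2024-32462 but gives no advisory or issue reference, while the "Other bug fixes" item just below it cites (#5700). Consider adding the advisory reference next to the CVE so readers can find the affected versions and details. The entry also says an executable name can no longer be "misinterpreted as a command-line option for bwrap(1)" without naming the user-facing command or interface that accepted that name, and a short mention would help packagers and portal maintainers judge their exposure. The unchanged context still reads "Released: not yet", so the release date needs filling in before this section ships with a security fix listed.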