Bug 34533 - StarDict sends the user's X11 selection to the network
Summary: StarDict sends the user's X11 selection to the network
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-08-04 20:17 CEST by Dave Hodgins
Modified: 2025-11-15 08:18 CET

See Also:
Source RPM: stardict-3.0.6.3-2.mga9.src.rpm
CVE: CVE-2025-55014
Status comment:


Description Dave Hodgins 2025-08-04 20:17:48 CEST
See https://seclists.org/oss-sec/2025/q3/75

I don't have stardict installed. Someone needs to confirm if the report is true
for the version in Mageia. If it is, the application should be banned from Mageia and added to task-obsolete
Morgan Leijström 2025-08-07 11:08:26 CEST

CC: (none) => fri
QA Contact: (none) => security
Component: RPM Packages => Security

Comment 1 David Walser 2025-08-07 13:58:34 CEST
That sounds like something that could be fixed with a patch.  We've had to do the same to disable phoning home (though not to China) functionality in other packages before.
Comment 2 Dave Hodgins 2025-08-08 20:46:44 CEST
https://seclists.org/oss-sec/2025/q3/81

Summary: stardict is spyware by design => StarDict sends the user's X11 selection to the network
CVE: (none) => CVE-2025-55014

Comment 3 Nicolas Salguero 2025-11-13 15:40:32 CET
Suggested advisory:
========================

The updated package removes the YouDao plugin for StarDict, as Debian did, to fix a security vulnerability:

The YouDao plugin for StarDict, as used in stardict 3.0.7+git20220909+dfsg-6 in Debian trixie and elsewhere, sends an X11 selection to the dict.youdao.com and dict.cn servers via cleartext HTTP. (CVE-2025-55014)

References:
https://seclists.org/oss-sec/2025/q3/75
https://seclists.org/oss-sec/2025/q3/81
========================

Updated package in core/updates_testing:
========================
stardict-3.0.6.3-2.1.mga9

from SRPM:
stardict-3.0.6.3-2.1.mga9.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED

katnatek 2025-11-13 19:36:49 CET

Keywords: (none) => advisory

Comment 4 Herman Viaene 2025-11-14 10:49:39 CET
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
Fooled around with some English words (this is an English installation), sounds OK in my Dutch-speaking ears (you know what I mean). Tried a few Dutch words, with the sometimes strange results I expected.
Good enough for me.
Wait for someone with another language installed?

CC: (none) => herman.viaene

Comment 5 katnatek 2025-11-14 21:24:34 CET
Before

strace stardict
write(25, "GET HTTP://dict.youdao.com/fsear"..., 173) = 173

installing stardict-3.0.6.3-2.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/1: stardict              ###################################################################################################
      1/1: removing stardict-3.0.6.3-2.mga9.x86_64
                                 ###################################################################################################

I don't find the "call home" line in strace; looks good to me.

Whiteboard: (none) => MGA9-64-OK
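The strace check in comment 5 can be scripted so the before/after comparison is repeatable. The script below is an added example and is not part of the bug report or of the stardict package: it scans an strace log (as written by `strace -f -e trace=connect,write -o stardict.trace stardict`) for the hostnames the advisory names and for any non-loopback `connect()`. The two sample traces are constructed from the single line quoted in comment 5; the socket descriptor, the port and the address 203.0.113.7 are placeholders, not values taken from a real run.

```shell
#!/bin/sh
# Added example (not from the bug report or from stardict): check an strace
# log for the YouDao "call home" traffic described in comment 5.
# Capture the log first with:
#     strace -f -e trace=connect,write -o stardict.trace stardict

# Hosts the advisory names as the plugin's targets (extended regex).
CALL_HOME_HOSTS='dict\.youdao\.com|dict\.cn'

# count_call_home LOG: number of syscall lines carrying a request to those hosts.
count_call_home() {
    n=$(grep -E -c "$CALL_HOME_HOSTS" "$1") || true
    printf '%s\n' "${n:-0}"
}

# remote_endpoints LOG: print ip:port for every non-loopback IPv4 connect().
# strace writes these as
#   connect(25, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
# optionally prefixed with "[pid NNN] " when -f is used.
remote_endpoints() {
    grep -E '^(\[pid +[0-9]+\] )?connect\(' "$1" \
    | sed -n 's/.*sin_port=htons(\([0-9]*\)).*inet_addr("\([0-9.]*\)").*/\2:\1/p' \
    | grep -v '^127\.' || true
}

# verdict LOG: CLEAN when neither the known hosts nor any outbound connect()
# appears in the trace, otherwise CALLS_HOME.
verdict() {
    if [ "$(count_call_home "$1")" -gt 0 ] || [ -n "$(remote_endpoints "$1")" ]; then
        echo CALLS_HOME
    else
        echo CLEAN
    fi
}

# --- constructed sample traces (placeholders, not a real capture) ---
TRACE_DIR=$(mktemp -d)
BEFORE_TRACE="$TRACE_DIR/before.trace"   # unpatched stardict-3.0.6.3-2.mga9
AFTER_TRACE="$TRACE_DIR/after.trace"     # patched stardict-3.0.6.3-2.1.mga9

cat >"$BEFORE_TRACE" <<'EOF'
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 25
connect(25, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
write(25, "GET HTTP://dict.youdao.com/fsear"..., 173) = 173
EOF

cat >"$AFTER_TRACE" <<'EOF'
connect(7, {sa_family=AF_UNIX, sun_path=@"/tmp/.X11-unix/X0"}, 20) = 0
write(7, "\22\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0", 28) = 28
EOF

# Usage: compare the two traces the way comment 5 does by hand.
printf 'before update: %s\n' "$(verdict "$BEFORE_TRACE")"
printf 'after update:  %s\n' "$(verdict "$AFTER_TRACE")"
remote_endpoints "$BEFORE_TRACE" | sed 's/^/outbound connect in before.trace: /'
```

Only the sample traces are embedded; on a real system point `verdict` at the log produced by the strace command in the comment, and treat any `remote_endpoints` output as something to explain, since the patched package should open no network sockets at all when looking up a word.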

Comment 6 Thomas Andrews 2025-11-15 02:51:09 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Mageia Robot 2025-11-15 08:18:36 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0298.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
