diff mbox series

[meta-oe,7/8] xdg-desktop-portal: upgrade 1.20.3 -> 1.20.4

Message ID 20260420093323.357053-7-skandigraun@gmail.com
State Accepted
Headers show
Series [meta-networking,1/8] ngtcp2: upgrade 1.22.0 -> 1.22.1 | expand

Commit Message

Gyorgy Sarvari April 20, 2026, 9:33 a.m. UTC
Fixes CVE-2026-40354: https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4

Also mark the CVE explicitly patched, as it is tracked without version info
at this time.

The project now has a dependency on libglnx, which by default it tries to download
from the internet during configuring. To avoid that error, this dependency is added to the SRC_URI.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 ...portal_1.20.3.bb => xdg-desktop-portal_1.20.4.bb} | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
 rename meta-oe/recipes-support/xdg-desktop-portal/{xdg-desktop-portal_1.20.3.bb => xdg-desktop-portal_1.20.4.bb} (71%)
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.3.bb b/meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.4.bb
similarity index 71%
rename from meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.3.bb
rename to meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.4.bb
index e0aca558fd..be3c2be069 100644
--- a/meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.3.bb
+++ b/meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.4.bb
@@ -27,11 +27,17 @@  RDEPENDS:${PN} = "bubblewrap rtkit ${PORTAL_BACKENDS} fuse3-utils"
 inherit meson pkgconfig python3native features_check
 
 SRC_URI = " \
-	git://github.com/flatpak/xdg-desktop-portal.git;protocol=https;branch=xdg-desktop-portal-1.20 \
+	git://github.com/flatpak/xdg-desktop-portal.git;protocol=https;branch=xdg-desktop-portal-1.20;name=main;tag=${PV} \
+	git://gitlab.gnome.org/GNOME/libglnx.git;protocol=https;branch=master;name=libglnx;destsuffix=${BB_GIT_DEFAULT_DESTSUFFIX}/subprojects/libglnx \
 	file://0001-meson.build-add-a-hack-for-crosscompile.patch \
 "
 
-SRCREV = "23a76c392170dbbd26230f85ef56c3a57e52b857"
+SRCREV_main = "f5aec228c9eb0c9a70eadd6424d92c0ca8a78247"
+
+# this revision comes from subprojects/libglnx.wrap file of the main source repo
+SRCREV_libglnx = "ccea836b799256420788c463a638ded0636b1632"
+
+SRCREV_FORMAT = "main"
 
 FILES:${PN} += "${libdir}/systemd ${datadir}/dbus-1"
 
@@ -47,3 +53,5 @@  do_write_config:append() {
 bwrap = '${bindir}/bwrap'
 EOF
 }
+
+CVE_STATUS[CVE-2026-40354] = "fixed-version: fixed in 1.20.4"