Re: Security: Be careful with StarDict!
On 06/08/2025 10:18, Vincent Lefevre wrote:
> On 2025-08-06 09:33:12 +0700, Max Nikulin wrote:
>> I believe proper tags are neither security+critical nor wishlist, but
>> something in between.
>
> Note that passwords can easily be leaked.
I see; earlier I even mentioned a protocol that allows a clipboard manager
to ignore text copied by password managers.

However, I have doubts whether setting an excessively high severity a few
days before the release is the best way to handle the issue. Are you trying
to remove the stardict packages from trixie completely? I do not think
bookworm users who have the application installed will like it.

Now we have a version uploaded to unstable with one of the two plugins
completely removed. Formally #806960 has been fixed, but in a somewhat
strange way. I consider it a consequence of the urgency.

Perhaps the maintainer and upstream could provide minimal patches that
disable by default (through a global config file or at compile time), but
allow users to enable:
- all network dictionaries,
- scanning of the selection and clipboard.

Another option is to split the network dictionaries into separate packages
with a "Suggests" instead of a "Recommends" dependency.

Updates for trixie and bookworm (the latter is less probable) may be
published after the trixie release.

The scope and severity of #1110370 may be adjusted.
On 06/08/2025 09:49, Vincent Lefevre wrote:
> On 2025-08-06 09:33:12 +0700, Max Nikulin wrote:
>> At least some applications show an obvious indicator that the camera or
>> microphone is on or that screen capture is active. Applications relaying
>> selected text to a remote server may show a similar popup when this mode
>> is active.
>
> In my case, there is a popup, but:
> * It appears only after something is selected, so this is too late
>   (it does not ask for confirmation before sending data to the
>   remote servers).
> * It does not say that the selection is sent to remote servers.
In general I agree; on the other hand, I find it unlikely that a user would
decide to select something confidential before discovering the popup.
Common sense may suggest that an application may store query history, at
least locally. I do not deny that the issue must be fixed, but it can be
done routinely.

Actually, I have in mind some kind of indicator that is present even when
nothing is selected.
On 06/08/2025 18:29, Dan Ritter wrote:
> When these are user-run programs, the usual answer is to require a
> per-user config file (e.g. ~/.$NAME, or ~/.config/$NAME/conf or whatever)
Of course. It can be a button in some GUI dialog that saves a preference
to a config file.
> I also note that the Description for stardict does not mention
> that it is primarily a client for remote servers. Compare the
> Description for "dict":
While dict is a client, stardict may be considered an application with
primarily local dictionaries and a later-added feature to query network
dictionaries as well. I hope it was just overlooked during application
development that not all users will appreciate the feature by default.
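The opt-in design discussed in this thread (network dictionaries and selection/clipboard scanning off unless a per-user config file enables them, clipboard text flagged by a password manager never looked up, and a status indicator that is visible even when nothing is selected), as an added example that is not part of this message and not StarDict's own code. The config location, the `[privacy]` section and its option names are assumptions for the illustration; the clipboard target name `x-kde-passwordManagerHint` with value `secret` is the hint KeePassXC sets and KDE's Klipper honours, used here as an example of the protocol mentioned above.

```python
"""Opt-in gating of privacy-sensitive dictionary features.

Added example, not StarDict code. Everything that can leak selected or
copied text is off by default and can only be turned on by the user's own
config file; a password-manager hint on the clipboard is always honoured.
"""
import configparser
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Clipboard target that KeePassXC sets (and Klipper honours) with the value
# "secret" so that clipboard managers do not record the text.
PASSWORD_HINT_TARGET = "x-kde-passwordManagerHint"


@dataclass
class Settings:
    """Every privacy-relevant feature defaults to off (the secure default)."""
    network_dictionaries: bool = False
    scan_selection: bool = False
    scan_clipboard: bool = False


def load_settings(ini_text: str) -> Settings:
    """Parse the per-user config (hypothetical [privacy] section).

    Any option missing from the file keeps its default of False, so an
    empty or absent config file means local lookups of typed words only.
    """
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)

    def flag(key: str) -> bool:
        return parser.getboolean("privacy", key, fallback=False)

    return Settings(
        network_dictionaries=flag("network_dictionaries"),
        scan_selection=flag("scan_selection"),
        scan_clipboard=flag("scan_clipboard"),
    )


@dataclass
class TextOffer:
    """Text obtained from a source plus the MIME targets its owner advertises."""
    text: str
    source: str                          # "typed", "selection" or "clipboard"
    targets: Dict[str, str] = field(default_factory=dict)


@dataclass
class LookupResult:
    local_hits: List[str]
    sent_to_network: bool
    reason: str                          # why the lookup was (not) performed


def lookup(offer: TextOffer, settings: Settings, local_dict: Dict[str, str],
           network_query: Optional[Callable[[str], List[str]]] = None) -> LookupResult:
    """Look a word up, consulting only the sources the user has enabled."""
    # Scanning modes are opt-in; text the user typed into the dialog is always fine.
    if offer.source == "selection" and not settings.scan_selection:
        return LookupResult([], False, "selection scanning disabled")
    if offer.source == "clipboard" and not settings.scan_clipboard:
        return LookupResult([], False, "clipboard scanning disabled")
    # Honour the password-manager hint before any lookup, local or remote.
    if offer.targets.get(PASSWORD_HINT_TARGET) == "secret":
        return LookupResult([], False, "password manager asked to ignore this text")
    word = offer.text.strip().lower()
    hits = [local_dict[word]] if word in local_dict else []
    # The word leaves the machine only when the user explicitly enabled it.
    if settings.network_dictionaries and network_query is not None:
        hits.extend(network_query(word))
        return LookupResult(hits, True, "local and network dictionaries")
    return LookupResult(hits, False, "local dictionaries only")


def status_indicator(settings: Settings) -> str:
    """Always-visible status line: tells the user about active modes before anything is selected."""
    active = []
    if settings.scan_selection:
        active.append("scanning selection")
    if settings.scan_clipboard:
        active.append("scanning clipboard")
    if settings.network_dictionaries:
        active.append("queries sent to remote servers")
    return "Active: " + ", ".join(active) if active else "Local lookups only"


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    local = {"trixie": "codename of Debian 13"}
    default = load_settings("")          # no config file: everything off
    print(status_indicator(default))
    print(lookup(TextOffer("trixie", "selection"), default, local))
    opted_in = load_settings("[privacy]\nscan_selection = yes\nnetwork_dictionaries = yes\n")
    print(status_indicator(opted_in))
    print(lookup(TextOffer("trixie", "selection"), opted_in, local,
                 network_query=lambda w: [f"(remote) {w}"]))
```

With no config file the selection is never read and nothing is sent anywhere; the first line the user sees is the indicator, which changes as soon as a scanning or network option is switched on, which is the ordering Vincent's complaint above asks for.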