Package: stardict-plugin
Version: 3.0.7+git20220909+dfsg-6
Severity: critical
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>

When I run "stardict", the following occurs:

The YouDao plugin opens a calendar in its own window (see attached screenshot). That's disturbing. What's the relation with a dictionary???

Moreover, it interferes with other applications, once I select some text, showing a similar calendar window.

Worse, "strace" shows that it sends whatever the user selects on the net!!! For instance, when I select "relation", strace shows:

  911565 write(16, "GET HTTP://dict.youdao.com/fsearch?q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.youdao.com\r\nConnection: close\r\n\r\n", 171) = 171

and also

  911565 write(17, "GET HTTP://dict.cn/ws.php?utf8=true&q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.cn\r\nConnection: close\r\n\r\n", 164) = 164

Imagine what could happen when the user selects some confidential data...

Such a "feature" should never be enabled by default!

-- System Information:
Debian Release: 13.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-security'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.7.12-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages stardict-plugin depends on:
ii  libc6                 2.41-11
ii  libespeak-ng1         1.52.0+dfsg-5
ii  libflite1             2.2-7
ii  libgcc-s1             14.2.0-19
ii  libglib2.0-0t64       2.84.3-1
ii  libgucharmap-2-90-7   1:15.1.5-1+b1
ii  libstdc++6            14.2.0-19
ii  man-db                2.13.1-1
ii  ncal                  12.1.8
ii  stardict-gtk          3.0.7+git20220909+dfsg-6

stardict-plugin recommends no packages.

Versions of packages stardict-plugin suggests:
pn  stardict-plugin-cal       <none>
pn  stardict-plugin-espeak    <none>
pn  stardict-plugin-festival  <none>
pn  stardict-plugin-fortune   <none>
pn  stardict-plugin-info      <none>
pn  stardict-plugin-spell     <none>

-- no debconf information

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
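
Added example, not part of the original report and not stardict code: a small Python audit helper that scans `strace -f` output for cleartext HTTP requests in `write()` calls and reports which host received which query parameters, as in the two traces quoted in the report. The function names are hypothetical, and the last two sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shape of a `strace -f` line: <pid> write(<fd>, "<escaped data>", <len>) = <ret>
WRITE_RE = re.compile(
    r'^(\d+)\s+write\((\d+), "((?:[^"\\]|\\.)*)"(\.\.\.)?, \d+\)\s+= (-?\d+)')
REQUEST_RE = re.compile(r'^(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]\r\n')

# First two lines are the ones quoted in the report; the last two are
# constructed here to show that non-HTTP traffic is ignored.
SAMPLE = r'''
911565 write(16, "GET HTTP://dict.youdao.com/fsearch?q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.youdao.com\r\nConnection: close\r\n\r\n", 171) = 171
911565 write(17, "GET HTTP://dict.cn/ws.php?utf8=true&q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.cn\r\nConnection: close\r\n\r\n", 164) = 164
911565 write(2, "constructed: plugin loaded\n", 27) = 27
911565 read(16, "HTTP/1.0 200 OK\r\n", 4096) = 17
'''

def unescape(s):
    """Decode strace's C-style escapes (\\r, \\n, \\", octal, hex)."""
    return s.encode("ascii", "backslashreplace").decode("unicode_escape")

def http_leaks(strace_text):
    """Return one record per cleartext HTTP request found in write() calls."""
    found = []
    for line in strace_text.splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        data = unescape(m.group(3))
        req = REQUEST_RE.match(data)
        if not req:
            continue
        target = urlsplit(req.group(2))
        host = re.search(r'^Host:\s*(\S+)', data, re.I | re.M)
        found.append({
            "pid": int(m.group(1)),
            "fd": int(m.group(2)),
            "host": host.group(1) if host else target.netloc,
            "path": target.path,
            # Query values are where the selected text ends up.
            "params": parse_qs(target.query),
        })
    return found

if __name__ == "__main__":
    for hit in http_leaks(SAMPLE):
        print(hit)
```

Only data that strace prints in full is inspected, so capture with a large enough `-s` value to avoid truncated strings.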

