Control: tags -1 - security
Control: Severity -1 wishlist

Hi,

On 2025/8/4 08:07, Vincent Lefevre wrote:
> Package: stardict-plugin
> Version: 3.0.7+git20220909+dfsg-6
> Severity: critical
> Tags: security
> X-Debbugs-Cc: Debian Security Team <[email protected]>
>
> When I run "stardict", the following occurs:
>
> The YouDao plugin opens a calendar in its own window (see attached
> screenshot). That's disturbing. What's the relation with a dictionary???

There is no screenshot attached to this bug report. Did you forget to attach it?
The stardict-plugin package installs many plugins for stardict.
The YouDao plugin is one of them.
I guess the calendar comes from the stardict_multi_cmd plugin (Multi Command
virtual dictionary); the user can disable this plugin in "Manage Plugins".
>
> Moreover, it interferes with other applications, once I select
> some text, showing a similar calendar window. Worse, "strace"
> shows that it sends whatever the user selects on the net!!!
stardict has a "Scan" function; when the user enables it, selecting some text
triggers stardict to translate the selected text.
This function is also shown in the package description:
"apt show stardict-plugin" lists:
* Scanning mouse selection and showing pop-up windows with translation of
selected words
>
> For instance, when I select "relation", strace shows:
>
> 911565 write(16, "GET HTTP://dict.youdao.com/fsearch?q=relation
> HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows
> 98)\r\nAccept: */*\r\nHost: dict.youdao.com\r\nConnection: close\r\n\r\n",
> 171) = 171
>
> and also
>
> 911565 write(17, "GET HTTP://dict.cn/ws.php?utf8=true&q=relation
> HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows
> 98)\r\nAccept: */*\r\nHost: dict.cn\r\nConnection: close\r\n\r\n", 164) = 164
Querying an Internet dictionary server is the function of these plugins.
>
> Imagine what could happen when the user selects some confidential
> data...
Why would the user select some confidential data to query the dictionary?
>
> Such a "feature" should never be enabled by default!
If the user installs the stardict-plugin package, having the plugins of this
package enabled by default is better.
If the user doesn't like one of these plugins, he can disable it himself.
Regards,
--
肖盛文 xiao sheng wen -- Debian Developer(atzlinux)
Debian QA page: https://qa.debian.org/developer.php?login=atzlinux%40debian.org
Debian salsa: https://salsa.debian.org/atzlinux-guest
GnuPG Public Key: 0x00186602339240CB
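The report above identifies the leak from strace output by eye. The following is an added example, not code from stardict, from either participant, or from the Debian bug thread: a small parser that reads strace write() lines, decodes any that carry a plaintext HTTP request, and reports which host received a given string (here the selected word) as a query parameter. The sample strace text is constructed from the two write() calls quoted in the report, plus one unrelated write; the command line in the docstring is how one would capture real output.

```python
"""Find plaintext HTTP requests in strace output that carry a given string.

Added example, not part of stardict or of the Debian bug thread.
To use it on a live process (assumed invocation, not from the report):
    strace -f -e trace=write -s 512 -o stardict.strace stardict
then call find_leaks(open("stardict.strace").read(), "<selected text>").
"""
import codecs
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the two write() calls quoted in the bug report, each on
# one line as strace prints them, plus one unrelated non-HTTP write.
SAMPLE_STRACE = r'''
911565 write(16, "GET HTTP://dict.youdao.com/fsearch?q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.youdao.com\r\nConnection: close\r\n\r\n", 171) = 171
911565 write(17, "GET HTTP://dict.cn/ws.php?utf8=true&q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.cn\r\nConnection: close\r\n\r\n", 164) = 164
911565 write(5, "\1\0\0\0\0\0\0\0", 8) = 8
'''

WRITE_RE = re.compile(
    r'^(?P<pid>\d+)\s+write\((?P<fd>\d+),\s*"(?P<data>(?:[^"\\]|\\.)*)",\s*(?P<len>\d+)\)'
)
REQUEST_LINE_RE = re.compile(r'^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$')


def parse_write(line):
    """Return (pid, fd, decoded buffer) for a strace write() line, else None."""
    m = WRITE_RE.match(line.strip())
    if not m:
        return None
    # strace prints the buffer with C escapes (\r, \n, \", \xNN, \NNN);
    # unicode_escape undoes exactly those for ASCII data.
    data = codecs.decode(m.group("data"), "unicode_escape")
    return int(m.group("pid")), int(m.group("fd")), data


def parse_http_request(data):
    """Parse a raw HTTP/1.x request; return a dict, or None if not a request."""
    head, _, body = data.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        return None
    headers = {}
    for h in lines[1:]:
        name, sep, value = h.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # The report shows an absolute-form target ("GET HTTP://host/path ...");
    # urlsplit handles both that and the usual origin-form "/path".
    parts = urlsplit(m.group("target"))
    return {
        "method": m.group("method"),
        "host": parts.netloc or headers.get("host", ""),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "headers": headers,
        "body": body,
    }


def find_leaks(strace_text, needle):
    """Plaintext HTTP requests whose query string or body contains needle.

    Anything readable in a write() buffer is unencrypted on the wire, so
    every hit is the needle leaving the host in the clear.
    """
    findings = []
    for line in strace_text.splitlines():
        parsed = parse_write(line)
        if parsed is None:
            continue
        pid, fd, data = parsed
        req = parse_http_request(data)
        if req is None:
            continue
        hit_params = [k for k, vs in req["query"].items()
                      if any(needle in v for v in vs)]
        if hit_params or needle in req["body"]:
            findings.append({"pid": pid, "fd": fd, "host": req["host"],
                             "path": req["path"], "params": hit_params,
                             "query": req["query"]})
    return findings


def summarize(findings):
    """One line per leaking request: host, path and the parameters that matched."""
    return [f'{f["host"]}{f["path"]} params={",".join(f["params"])}' for f in findings]


if __name__ == "__main__":
    for line in summarize(find_leaks(SAMPLE_STRACE, "relation")):
        print(line)
```

Run against the constructed sample with "relation" it reports dict.youdao.com/fsearch and dict.cn/ws.php, both via parameter q; the third write is skipped because it is not an HTTP request. Only plaintext requests can be seen this way: a plugin speaking TLS would show encrypted bytes in write(), so an empty result does not by itself prove nothing left the machine.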

