The YouDao plugin for StarDict, as used in stardict 3.0.7+git20220909+dfsg-6 in Debian trixie and elsewhere, sends an X11 selection to the dict.youdao.com and dict.cn servers via cleartext HTTP.
Weakness
The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Stardict | Ubuntu | plucky | * |
References
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110370
- https://lists.debian.org/debian-user/2025/08/msg00076.html
- https://packages.debian.org/trixie/stardict
- https://packages.debian.org/trixie/stardict-gtk
- https://stardict-4.sourceforge.net/index_en.php
- https://www.openwall.com/lists/oss-security/2025/08/04/1
- http://www.openwall.com/lists/oss-security/2025/08/08/2
- https://lwn.net/SubscriberLink/1032732/3334850da49689e1/
- https://news.ycombinator.com/item?id=44872313