Version in base suite: 25.04.2-1 Base version: kdeconnect_25.04.2-1 Target version: kdeconnect_25.04.2-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/k/kdeconnect/kdeconnect_25.04.2-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/k/kdeconnect/kdeconnect_25.04.2-1+deb13u1.dsc changelog | 6 + patches/check-that-device-id-doesnt-change-during-handshake.patch | 37 ++++++++++ patches/series | 1 3 files changed, 44 insertions(+) gpgv: Signature made Fri Nov 21 19:23:26 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpxgb9tegt/kdeconnect_25.04.2-1+deb13u1.dsc: no acceptable signature found
diff -Nru kdeconnect-25.04.2/debian/changelog kdeconnect-25.04.2/debian/changelog
--- kdeconnect-25.04.2/debian/changelog 2025-06-06 23:20:50.000000000 +0000
+++ kdeconnect-25.04.2/debian/changelog 2025-11-21 12:31:30.000000000 +0000
@@ -1,3 +1,9 @@
+kdeconnect (25.04.2-1+deb13u1) trixie-security; urgency=medium
+
+ * Cherrypick 1d757349d0f517ef12c119565ffb1f79503fbcdf
+
+ -- Moritz Mühlenhoff Fri, 21 Nov 2025 19:30:47 +0100
+
 kdeconnect (25.04.2-1) unstable; urgency=medium
 
 [ Aurélien COUDERC ]
diff -Nru kdeconnect-25.04.2/debian/patches/check-that-device-id-doesnt-change-during-handshake.patch kdeconnect-25.04.2/debian/patches/check-that-device-id-doesnt-change-during-handshake.patch
--- kdeconnect-25.04.2/debian/patches/check-that-device-id-doesnt-change-during-handshake.patch 1970-01-01 00:00:00.000000000 +0000
+++ kdeconnect-25.04.2/debian/patches/check-that-device-id-doesnt-change-during-handshake.patch 2025-11-21 12:30:43.000000000 +0000
@@ -0,0 +1,37 @@
+From 1d757349d0f517ef12c119565ffb1f79503fbcdf Mon Sep 17 00:00:00 2001
+From: Albert Vaca Cintora
+Date: Sun, 16 Nov 2025 17:56:53 +0100
+Subject: [PATCH] Check that the device ID doesn't change during the handshake
+
+--- kdeconnect-25.04.2.orig/core/backends/lan/lanlinkprovider.cpp
++++ kdeconnect-25.04.2/core/backends/lan/lanlinkprovider.cpp
+@@ -427,6 +427,7 @@ void LanLinkProvider::encrypted()
+
+ NetworkPacket *identityPacket = m_receivedIdentityPackets[socket].np;
+
++ QString deviceId = identityPacket->get(QStringLiteral("deviceId"));
+ int protocolVersion = identityPacket->get(QStringLiteral("protocolVersion"), -1);
+ if (protocolVersion >= 8) {
+ disconnect(socket, &QObject::destroyed, nullptr, nullptr);
+@@ -435,7 +436,7 @@ void LanLinkProvider::encrypted()
+ NetworkPacket myIdentity = KdeConnectConfig::instance().deviceInfo().toIdentityPacket();
+ socket->write(myIdentity.serialize());
+ socket->flush();
+- connect(socket, &QIODevice::readyRead, this, [this, socket, protocolVersion]() {
++ connect(socket, &QIODevice::readyRead, this, [this, socket, protocolVersion, deviceId]() {
+ if (!socket->canReadLine()) {
+ // This can happen if the packet is large enough to be split in two chunks
+ return;
+@@ -452,6 +453,12 @@ void LanLinkProvider::encrypted()
+ int newProtocolVersion = secureIdentityPacket->get(QStringLiteral("protocolVersion"), 0);
+ if (newProtocolVersion != protocolVersion) {
+ qCWarning(KDECONNECT_CORE) << "Protocol version changed half-way through the handshake:" << protocolVersion << "->" << newProtocolVersion;
++ return;
++ }
++ QString newDeviceId = secureIdentityPacket->get(QStringLiteral("deviceId"));
++ if (newDeviceId != deviceId) {
++ qCWarning(KDECONNECT_CORE) << "Device ID changed half-way through the handshake:" << deviceId << "->" << newDeviceId;
++ return;
+ }
+ DeviceInfo deviceInfo = DeviceInfo::FromIdentityPacketAndCert(*secureIdentityPacket, socket->peerCertificate());
+
diff -Nru
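Review bot: Both rejection branches in the `readyRead` lambda (the protocol-version mismatch and the new device-ID mismatch) only log and `return;`. Nothing visible in the hunk closes the socket or releases `secureIdentityPacket`, so a peer that fails the check may keep an established TLS connection open. If the surrounding lines do not already tear it down, add `socket->disconnectFromHost();` (assuming `socket` is a `QSslSocket`, as the `peerCertificate()` call suggests) before each `return;`, and free the packet on that path if it is a raw heap allocation. The lambda and `LanLinkProvider::encrypted()` both begin and end outside the hunk, so ownership of the socket and the packet needs confirming there. A short comment above the `newDeviceId != deviceId` comparison should say why it exists: the first identity packet was stored before `encrypted()` ran, so the ID repeated over the encrypted channel must match it.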
kdeconnect-25.04.2/debian/patches/series kdeconnect-25.04.2/debian/patches/series
--- kdeconnect-25.04.2/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ kdeconnect-25.04.2/debian/patches/series 2025-11-21 12:30:17.000000000 +0000
@@ -0,0 +1 @@
+check-that-device-id-doesnt-change-during-handshake.patch