Skip to content

Investigate resolving NU1903 for Tmds.DBus(.Protocol) in Avalonia/Uno desktop samples #499

Description

@adrianhall

Summary

Discovered while verifying #498 (the SQLitePCLRaw NU1903 fix for #492). Restoring the Avalonia and Uno desktop-head samples on Linux/macOS surfaces a separate, unrelated NU1903 high-severity restore warning:

warning NU1903: Package 'Tmds.DBus.Protocol' 0.21.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-xrw6-gwf8-vvr9

and (for Uno's desktop head):

warning NU1903: Package 'Tmds.DBus' 0.16.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-xrw6-gwf8-vvr9

What's known so far

  • Advisory: GHSA-xrw6-gwf8-vvr9 / CVE-2026-39959 — "malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service". Patched versions: Tmds.DBus.Protocol 0.21.3 (fixes < 0.21.3 and >= 0.22.0, < 0.92.0), Tmds.DBus 0.92.0 (fixes < 0.92.0). Unlike Investigate resolving NU1903 for SQLitePCLRaw.lib.e_sqlite3 (no patched version exists) #492, a drop-in patched version genuinely exists here for both packages.
  • Confirmed dependency chain for the Avalonia desktop sample via project.assets.json: Avalonia.FreeDesktop/11.3.0Tmds.DBus.Protocol 2.1.2 (floor), used for Linux D-Bus integration (system tray, clipboard, etc. via the FreeDesktop backend pulled in by Avalonia.Desktop).
  • Reproduced on:
    • samples/todoapp/TodoApp.Avalonia/TodoApp.Avalonia.Desktop/TodoApp.Avalonia.Desktop.csprojdotnet restore floats Tmds.DBus.Protocol 0.21.2.
    • samples/todoapp/TodoApp.Uno/TodoApp.Uno/TodoApp.Uno.csproj (net10.0-desktop head) — floats Tmds.DBus 0.16.0. This restore attempt hit an unrelated, pre-existing NU1605 package-downgrade error (Uno.WinUI 5.5.87 vs 5.4.22, driven by a mismatch between global.json's Uno.Sdk version and CommunityToolkit.WinUI.Behaviors' floor), so the full dependency chain for the Tmds.DBus 0.16.0 floor wasn't confirmed — worth investigating together with, or ahead of, this NU1903.
  • Both samples use ManagePackageVersionsCentrally=false (or a per-sample local catalog for Uno), same as the SQLitePCLRaw samples fixed in fix: resolve NU1903 for SQLitePCLRaw.lib.e_sqlite3 by pinning SQLitePCLRaw 3.x #498, so the same explicit-PackageReference-override pattern should apply here if no newer Avalonia/Avalonia.FreeDesktop release already bumps the floor.

Ask

Investigate one of:

  1. Whether a newer Avalonia/Avalonia.Desktop/Avalonia.FreeDesktop release (past 11.3.0) already bumps its Tmds.DBus.Protocol dependency to >= 0.21.3, and bump the sample's Avalonia.* package versions if so.
  2. If not, add an explicit <PackageReference Include="Tmds.DBus.Protocol" Version="0.21.3" /> (or later) override to TodoApp.Avalonia.Desktop.csproj, mirroring the SQLitePCLRaw.bundle_e_sqlite3 override pattern used in fix: resolve NU1903 for SQLitePCLRaw.lib.e_sqlite3 by pinning SQLitePCLRaw 3.x #498.
  3. Resolve the pre-existing Uno.WinUI NU1605 package-downgrade issue on TodoApp.Uno's desktop head first (unrelated to this advisory but currently blocks confirming the Tmds.DBus 0.16.0 dependency chain there), then apply the equivalent Tmds.DBus >= 0.92.0 override if still needed.
  4. Confirm whether Tmds.DBus/Tmds.DBus.Protocol is reachable code (Linux D-Bus paths) in these samples at all before deciding this is worth a version bump vs. just documenting/suppressing.

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions