
chore: update changelog to 6.1.96 #1150

Merged
caixr23 merged 1 commit into linuxdeepin:master from mhduiy:dev-changelog-6.1.96
Jun 17, 2026

Conversation

@mhduiy mhduiy commented Jun 17, 2026

Contributor

Update notes

Automatically update the changelog to version 6.1.96

Changes

  • Update debian/changelog

Version information

  • New version: 6.1.96
  • Target branch: master

Summary by Sourcery

Chores:

  • Bump Debian changelog entry to version 6.1.96 targeting master.

update changelog to 6.1.96

Log: update changelog to 6.1.96
sourcery-ai Bot commented Jun 17, 2026


Reviewer's Guide

Updates the Debian changelog metadata to reflect new release version 6.1.96 targeting master, with no functional code changes.

File-Level Changes

debian/changelog: bump the package version in the Debian changelog to 6.1.96 for a new release entry.
  • Add or update the top changelog stanza to version 6.1.96 with corresponding release notes in Chinese.
  • Adjust associated metadata in the changelog entry (e.g., date, maintainer, and target distribution) as needed for the new release.


@github-actions


TAG Bot

TAG: 6.1.96
EXISTED: no
DISTRIBUTION: unstable

@sourcery-ai sourcery-ai Bot left a comment


Hey - I've reviewed your changes and they look great!


@deepin-ci-robot


deepin pr auto review

★ Overall score: 40 points

■ [Overall assessment]

The code implements the entry-point validation for saving a custom wallpaper, but it contains a serious security vulnerability.
The logic is correct, but 60 points are deducted for the TOCTOU race condition risk.

■ [Detailed analysis]

  • 1. Syntax and logic (serious error present) ✕

In the SaveCustomWallPaper function in wallpaper.go, line 93 runs an os.Stat check directly on the user-supplied file path, but the subsequent file copy is not based on the atomic result of that check; there is a time gap between the check and the use.
Potential issue: the check result is already stale by the time it is relied on, so the logical defense can be bypassed.
Suggestion: remove the standalone os.Stat check and merge the validation logic with the file open operation.

  • 2. Code quality (average) ✕

The function only defines the constants maxSize and wallPaperDir, but it lacks permission checks for the username parameter and does not normalize the file path.
Potential issue: incomplete parameter validation and insufficient defensive programming.
Suggestion: add path normalization checks and add username-based permission isolation checks.

  • 3. Code performance (no performance issues) ✓

The code performs only a single system call to fetch the file status, with no complex loops or unnecessary resource consumption.
Suggestion: keep as is.

  • 4. Code security (1 security vulnerability (1 high severity)) ✕

Vulnerability comparison: 1 new vulnerability, 0 removed, 0 unchanged.
In the SaveCustomWallPaper function, line 93 runs an os.Stat check directly on the user-supplied file path, and only afterwards performs the file copy or save. An attacker can use the window between the check and the use to replace the legitimate file through a symbolic link, causing the daemon to read or overwrite sensitive system files.

  • Security vulnerability 1 (high): TOCTOU race condition. In SaveCustomWallPaper/wallpaper.go, the user passes the file parameter through the D-Bus interface; after the os.Stat check on line 93 and before the file is actually read, an attacker can use a symbolic link to redirect that path to a sensitive file such as /etc/shadow, leading to local privilege escalation or disclosure of sensitive information (very important).

  • Suggestion: remove the os.Stat call; open the target file directly with os.Open to obtain a file handle, then call f.Stat() on that handle to validate size and type, so that the check and the read are based on the same file descriptor and the race window is eliminated entirely.

■ [Suggested code example]

package main // assumed; the review shows only the method

import (
	"fmt"
	"os"

	"github.com/godbus/dbus/v5" // assumed binding; it provides dbus.MakeFailedError
)

// Daemon is assumed here so the method has a receiver to compile against.
type Daemon struct{}

// maxSize and wallPaperDir are the constants the review says the function defines;
// their real values are not shown, so these are placeholders.
const (
	maxSize      = 32 << 20
	wallPaperDir = "/placeholder/custom-wallpapers"
)

func (*Daemon) SaveCustomWallPaper(username string, file string) (string, *dbus.Error) {
	// Open the file directly, avoiding the TOCTOU race condition
	f, err := os.Open(file)
	if err != nil {
		return "", dbus.MakeFailedError(fmt.Errorf("failed to open file: %v", err))
	}
	defer f.Close()

	// Get the file information from the already-open handle
	info, err := f.Stat()
	if err != nil {
		return "", dbus.MakeFailedError(fmt.Errorf("failed to stat file: %v", err))
	}

	// Check the file size
	if info.Size() > maxSize {
		return "", dbus.MakeFailedError(fmt.Errorf("file size exceeds max limit"))
	}

	// Check that it is a regular file
	if !info.Mode().IsRegular() {
		return "", dbus.MakeFailedError(fmt.Errorf("not a regular file"))
	}

	// Subsequent read and copy operations work from the file handle f, not from the path
	// destPath := filepath.Join(wallPaperDir, username+"-wallpaper.jpg")
	// err = copyFile(f, destPath)
	// if err != nil { ... }

	return "", nil
}
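The race the review above describes, shown end to end as an added example that is not part of this PR or of dde-daemon's own code: the stat-then-open pattern the bot flags, beside the open-then-fstat form it recommends (with O_NOFOLLOW added on top), both driven by a simulated attacker that atomically renames a symlink over the checked path. The value of maxSize, the file contents and the "shadow" stand-in file are constructed for the demo, and the function names and the Outcome type are mine, not identifiers from wallpaper.go.

```go
package main

import (
	"errors"
	"io"
	"os"
	"path/filepath"
	"syscall"
)

// Constructed values for the demo; the real maxSize in wallpaper.go is not shown on this page.
const (
	maxSize          = 1 << 20
	wallpaperContent = "PNG-bytes-of-a-harmless-wallpaper"
	secretContent    = "root:constructed-hash:0:0:99999:7:::\n" // stands in for /etc/shadow
)

// readStatThenOpen is the pattern the review flags: validate the path with stat(2), then
// open it separately. swap stands in for an attacker acting in the gap between the two.
func readStatThenOpen(path string, swap func()) ([]byte, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if !info.Mode().IsRegular() || info.Size() > maxSize {
		return nil, errors.New("rejected by pre-check")
	}
	swap() // check-to-use window: the path may now resolve to a different inode
	return os.ReadFile(path)
}

// readOpenThenFstat opens first and validates the descriptor it actually holds via fstat(2).
// O_NOFOLLOW additionally refuses a symlink at the final path component, so an attacker
// who wins the race before the open gets ELOOP instead of a read of the link target.
func readOpenThenFstat(path string, swap func()) ([]byte, error) {
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW, 0)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return nil, err
	}
	if !info.Mode().IsRegular() || info.Size() > maxSize {
		return nil, errors.New("rejected by fstat check")
	}
	swap() // too late: the descriptor is bound to the inode that was just validated
	return io.ReadAll(f)
}

// Outcome records what each variant read during the simulated race.
type Outcome struct {
	Vulnerable     string // returned by readStatThenOpen
	Hardened       string // returned by readOpenThenFstat
	PreOpenSwapErr error  // from readOpenThenFstat when the swap lands before the open
}

// RunDemo stages a temp dir holding a "secret" file and benign wallpaper files, then runs
// each variant against an attacker that rename(2)s a symlink to the secret over the path.
func RunDemo() (Outcome, error) {
	var out Outcome
	dir, err := os.MkdirTemp("", "toctou-demo")
	if err != nil {
		return out, err
	}
	defer os.RemoveAll(dir)
	secret := filepath.Join(dir, "shadow")
	if err := os.WriteFile(secret, []byte(secretContent), 0o600); err != nil {
		return out, err
	}
	// run writes a fresh wallpaper file and calls variant on it; the swap fires inside the
	// variant's check-to-use gap, or before the call when early is set.
	run := func(variant func(string, func()) ([]byte, error), name string, early bool) (string, error) {
		p := filepath.Join(dir, name)
		if err := os.WriteFile(p, []byte(wallpaperContent), 0o644); err != nil {
			return "", err
		}
		swap := func() { // attacker: symlink to the secret, renamed atomically over p
			link := filepath.Join(dir, "attacker-link")
			_ = os.Symlink(secret, link)
			_ = os.Rename(link, p)
		}
		if early {
			swap()
			swap = func() {}
		}
		b, err := variant(p, swap)
		return string(b), err
	}
	if out.Vulnerable, err = run(readStatThenOpen, "wp1.png", false); err != nil {
		return out, err
	}
	if out.Hardened, err = run(readOpenThenFstat, "wp2.png", false); err != nil {
		return out, err
	}
	_, out.PreOpenSwapErr = run(readOpenThenFstat, "wp3.png", true)
	return out, nil
}
```

RunDemo returns the secret for the stat-then-open variant, the original wallpaper bytes for the open-then-fstat variant, and an ELOOP error when the symlink is in place before the hardened open. Two caveats worth keeping in mind: O_NOFOLLOW only covers the last path component, so a symlinked parent directory is still followed (on Linux, openat2 with RESOLVE_NO_SYMLINKS closes that gap), and for a privileged daemon taking a path from an unprivileged D-Bus client the path-under-wallPaperDir normalization the review also asks for is still needed, since fstat validates the inode's type and size, not where the client was allowed to point.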

@deepin-ci-robot


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: caixr23, mhduiy


Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@caixr23 caixr23 merged commit 9878746 into linuxdeepin:master Jun 17, 2026
19 checks passed
@deepin-bot

deepin-bot Bot commented Jun 17, 2026

Contributor

TAG Bot

Tag created successfully

📋 Tag Details
  • Tag Name: 6.1.96
  • Tag SHA: 887ef862d813e46c958ac377cbeb9a601b8c0155
  • Commit SHA: 9878746665f6384537c7dc47bf155997a4210e5f
  • Tag Message: Release dde-daemon 6.1.96
  • Tagger: mhduiy
  • Distribution: unstable
