Debian 13 is just days away from launch, and according to the developers, all known bugs have been fixed—so it’s ready to roll. So far, so good. But a recent discussion around the upcoming Trixie release has raised some red flags. Here’s what’s going on.
Vincent Lefevre, from France’s national institute for research in digital science and tech, has voiced serious concerns about a potential privacy issue tied to one of the apps included in the final Debian 13 release. The app in question? StarDict.
It’s totally normal if you’ve never heard of it—thankfully, the app isn’t all that popular. We’re talking about a dictionary lookup application that allows users to search for definitions, translations, and explanations of words using various dictionary databases.
It uses online servers as a backend, and its GTK-based UI sends your search queries to them. So far, that all sounds pretty normal—but here’s where things start to get concerning.

When used with certain plugins, it automatically sends user-selected text from any X11-based application over the internet to remote servers, without user consent or even a warning.
While the package itself is described simply as a multilingual dictionary app, it automatically pulls in a plugin package (stardict-plugin) via Debian’s Recommends mechanism. This plugin bundle includes network-based dictionary lookups that trigger on the system’s X11 selection—essentially, any text a user highlights.
Once triggered, StarDict sends the selected text to third-party servers in China, namely dict.youdao.com and dict.cn. To make matters worse, these requests go out over unencrypted HTTP, so the data is visible to anyone monitoring the network, whether on a local LAN or through a compromised router.
Let me break it down in simpler terms. Suppose you’re running an X session on Debian 13 and you select some text—like your credit card number, username, password, or whatever—to paste it somewhere else. In that case, that info is already silently on its way to servers in China without you even realizing it.
Why? Because StarDict, with the stardict-plugin installed, automatically sends any text you select to those servers—and once again, it does so over plain, unencrypted HTTP.
Now, you might think you’re safe as long as you don’t install that plugin. I have news for you: it’s a dependency for the GTK frontend, which Debian 13 installs and enables by default. So even if you never asked for it, it’s already there, quietly doing its thing.

For example, to confirm what he said, Lefevre shows that when he selects “relation” in some application, a strace on stardict shows:
911565 write(16, "GET HTTP://dict.youdao.com/fsearch?q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.youdao.com\r\nConnection: close\r\n\r\n", 171) = 171
911565 write(17, "GET HTTP://dict.cn/ws.php?utf8=true&q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.cn\r\nConnection: close\r\n\r\n", 164) = 164
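As an added illustration (not code from the article or from Lefevre's report), the check below parses strace write() lines like the two above and reports any cleartext HTTP request whose query string carries a chosen canary selection. The function name and the third sample line are constructed for this example, and it assumes the trace was captured with a string limit large enough to show the whole request.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The first two lines are the strace output quoted in the article; the third is
# a constructed non-HTTP write, included so the parser has something to ignore.
SAMPLE_STRACE = r'''
911565 write(16, "GET HTTP://dict.youdao.com/fsearch?q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.youdao.com\r\nConnection: close\r\n\r\n", 171) = 171
911565 write(17, "GET HTTP://dict.cn/ws.php?utf8=true&q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.cn\r\nConnection: close\r\n\r\n", 164) = 164
911565 write(5, "\1\0\0\0\0\0\0\0", 8) = 8
'''

# pid, fd and the quoted (C-escaped) buffer of a write() call, as printed by
# e.g. `strace -f -s 4096 -e trace=write -p <pid>`.
WRITE_RE = re.compile(r'^(\d+)\s+write\((\d+), "((?:[^"\\]|\\.)*)"')


def find_selection_leaks(strace_text, canary):
    """Return (pid, fd, host, param) for each HTTP request that is readable in
    the trace (so not TLS-protected) and carries the canary in its query."""
    leaks = []
    for line in strace_text.splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        pid, fd, raw = m.groups()
        # Undo strace's C-style escaping (\r, \n, octal bytes).
        payload = raw.encode("ascii", "replace").decode("unicode_escape")
        head = payload.partition("\r\n\r\n")[0].split("\r\n")
        parts = head[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            continue  # not an HTTP request line
        target = urlsplit(parts[1])
        headers = {k.lower(): v for k, v in
                   (h.split(": ", 1) for h in head[1:] if ": " in h)}
        # Absolute-form targets name the host; origin-form falls back to Host.
        host = (target.hostname or headers.get("host", "")).lower()
        for param, value in parse_qsl(target.query):
            if value == canary:
                leaks.append((int(pid), int(fd), host, param))
    return leaks


if __name__ == "__main__":
    for leak in find_selection_leaks(SAMPLE_STRACE, "relation"):
        print("selection sent in cleartext:", leak)
```

Selecting a unique, harmless canary string while the trace is running gives an unambiguous match and avoids putting real secrets on the wire during the test.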
In a message to the Debian mailing list, Lefevre shares his concerns:
Be careful with StarDict! By default, when the application is running, it sends whatever the user selects (from other applications) to Chinese servers!
A comment from a Debian developer followed that—I’ll let you be the judge of that.
Yes, that’s a feature: it will look up your selections in local and online dictionaries, and by default it searches English-Chinese dictionaries. You can disable it in the settings by enabling “Only scan while the modifier key is being pressed” under “Scan Selection”, or disable the network dictionary plugins (dict.cn and youdao.com).
If you use Wayland, application will be sandboxed by default, so it won’t be able to get selections from other apps anyway.
Lefevre’s expected response is more than reasonable:
Such a feature should have never been enabled by default.
Feature? Seriously? I’d love to meet the user who installs StarDict and immediately heads to the settings to turn off this so-called “feature”—or disables the plugin’s network access entirely.
I don’t know how to put it any more plainly: this is absolutely unacceptable. And when we’re talking about Debian—a project known for its commitment to open source, reliability, and user privacy—it’s honestly hard to wrap your head around how something like this made it through.
Things get even more confusing when you realize that just a few years ago, this exact issue was reported as a CVE vulnerability in Debian (CVE-2009-2260). But now, in Trixie, it’s being treated as a feature. Honestly, I’m not even sure what to say—this whole thing just doesn’t make any sense.
Finally, to wrap things up, it’s worth pointing out that this StarDict behavior can only happen in an X session. If you’re running Debian 13 with Wayland, then you’re safe, thanks to the protocol’s sandboxed design. And at this point, I guess folks who think Wayland is some kind of big tech conspiracy being forced on users without good reason might want to rethink that stance.
With Debian 13 just around the corner, my advice is simple: steer clear of StarDict. Yeah, it’s 2025, and using an old-school desktop app like that is pretty unusual—but still, you never know. If you care about your privacy, it’s best just to avoid it altogether.
Stardict is not default in any build. It’s available for users to install. Only then it arrives with dafeechurs enabled by default.
@Benno: According to the changelog, this has been fixed only for dict.cn, not for YouDao.
The bug was first reported 10 years ago and was fixed today.
Debian bug #806960
It is an annoying trait of the Debian builds. Debian does seem more international than most though, e.g. I’ve seen a lot of databases of foreign languages for all of the apps in the weekly-live-builds of Debian (for LibreOffice, Firefox, etc.), things I really don’t want by default and I have to filter out of the updates (i.e. purge). I just want one language by default. If I need something else then *I’d* like to do the downloading. Oddly enough though, StarDict wasn’t in the LXQt build or updates (so far). I don’t know if I’m lucky or what? I see the app in synaptic but, it’s not installed. I don’t want it of course. But, what is going on? I have a hard time believing Debian decided this was a good thing to include by default @@