
openSUSE Drops Deepin Desktop Amid Ongoing Security Concerns

Arabian Post

12-05-2025

The openSUSE project has officially removed the Deepin Desktop Environment (DDE) from its Tumbleweed rolling release and the upcoming Leap 16.0, citing unresolved security vulnerabilities and a lack of effective cooperation from Deepin's upstream developers.

The decision follows the discovery of a critical privilege escalation flaw in the `dde-api-proxy` component, which acts as a D-Bus proxy between Deepin applications and system services. This vulnerability, assigned CVE-2025-23222, allows unprivileged local users to execute administrative operations without proper authentication. The flaw stems from the proxy's design: it forwards D-Bus messages from any user to backend services as if they originated from the root user, so the backends' own authorization checks never see the real caller and are effectively bypassed.

The SUSE Security Team reported the issue to Deepin's security contacts in December 2024. Initial attempts to communicate were met with silence, and although Deepin eventually acknowledged the problem and released a patch in January 2025, the fix was deemed inadequate. The patch introduced a new Polkit authorization check but relied on deprecated methods vulnerable to race conditions, leaving the system susceptible to similar exploits.

Further investigation revealed that the `deepin-feature-enable` package, introduced in April 2021, violated openSUSE's packaging policies by installing unverified components through a license agreement bypass. This discovery prompted a comprehensive review of DDE's integration with openSUSE, uncovering a pattern of persistent security issues dating back to 2017. Notable concerns included improper handling of D-Bus and Polkit features in components like `deepin-api`, `deepin-daemon`, and `deepin-file-manager`; the affected features had to be disabled, leaving parts of the desktop environment broken.

The openSUSE community had previously attempted to mitigate these issues by disabling D-Bus and Polkit features by default, resulting in limited functionality such as non-operational lock screens, inability to manage users and networks through the control center, and broken system sounds. Users who chose to enable these features were warned of potential security risks.

The removal of DDE from openSUSE highlights broader concerns about the security culture within the Deepin project. Past incidents, such as the inclusion of the CNZZ analytics tracker in the Deepin App Store in 2018, have raised questions about data privacy and the project's transparency. Although Deepin removed the tracker following public backlash, lingering doubts remain about the project's commitment to user security and privacy.
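The two design problems the article describes, a proxy that forwards every request as root and a follow-up check that resolves the caller in a racy way, can be modelled without a real bus. The following Python is an added example written for this page; it is not Deepin, openSUSE or Polkit code. D-Bus, the process table and the Polkit policy are all simulated in-process with constructed data, and the choice of a PID-only lookup as the "deprecated, race-prone" check is an assumption, since the article does not name the method the patch used.

```python
"""Toy model of a D-Bus proxy in front of a privileged backend.

Added example (not code from Deepin, openSUSE or Polkit). Everything here is
simulated: the bus, the process table and the authorization policy. The
PID-only subject lookup standing in for the "deprecated method" is an
assumption about the kind of race the article refers to.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ROOT_UID = 0


@dataclass(frozen=True)
class Process:
    pid: int
    uid: int
    start_time: int  # monotonically increasing; tells two users of one PID apart


# Constructed process table standing in for the kernel's.
PROC_TABLE: Dict[int, Process] = {}


def spawn(pid: int, uid: int, start_time: int) -> Process:
    proc = Process(pid, uid, start_time)
    PROC_TABLE[pid] = proc
    return proc


def exit_process(pid: int) -> None:
    PROC_TABLE.pop(pid, None)


# Simulated policy: only root may perform administrative actions.
def polkit_check_by_pid(pid: int, action: str) -> bool:
    """Racy subject resolution: looks the PID up at check time, so a process
    that exited and whose PID was reused is mistaken for its successor."""
    live: Optional[Process] = PROC_TABLE.get(pid)
    return live is not None and live.uid == ROOT_UID


def polkit_check_by_identity(subject: Process, action: str) -> bool:
    """Stable subject: the (pid, start_time) captured when the message arrived
    must still name the same live process, otherwise the request is refused."""
    live = PROC_TABLE.get(subject.pid)
    if live is None or live.start_time != subject.start_time:
        return False
    return live.uid == ROOT_UID


def backend(caller_uid: int, action: str) -> str:
    """Privileged system service: it can only trust the identity it is handed."""
    return f"{action}: done" if caller_uid == ROOT_UID else f"{action}: denied"


def proxy_forward_as_root(caller: Process, action: str) -> str:
    """The vulnerable pattern: every forwarded message appears to come from root,
    so the backend's own check is bypassed for any local caller."""
    return backend(ROOT_UID, action)


def proxy_with_pid_check(caller: Process, action: str) -> str:
    """Patched but still racy: authorizes by PID, then forwards as root."""
    if not polkit_check_by_pid(caller.pid, action):
        return f"{action}: denied"
    return backend(ROOT_UID, action)


def proxy_with_identity_check(caller: Process, action: str) -> str:
    """Hardened: authorizes the exact process that sent the message."""
    if not polkit_check_by_identity(caller, action):
        return f"{action}: denied"
    return backend(ROOT_UID, action)


def scenario_forward_as_root() -> str:
    """An ordinary user asks the proxy for an admin action; no check at all."""
    PROC_TABLE.clear()
    user_proc = spawn(pid=1000, uid=1000, start_time=1)
    return proxy_forward_as_root(user_proc, "SetHostname")


def scenario_pid_reuse() -> Tuple[str, str]:
    """The requester exits in the window between sending and the check, and
    its PID is recycled to a root-owned process. Compare both checks."""
    PROC_TABLE.clear()
    caller = spawn(pid=1234, uid=1000, start_time=5)  # identity at arrival
    exit_process(1234)                                  # race window
    spawn(pid=1234, uid=ROOT_UID, start_time=6)         # PID reused by root
    return (proxy_with_pid_check(caller, "SetHostname"),
            proxy_with_identity_check(caller, "SetHostname"))


def scenario_legitimate_root() -> str:
    """A genuinely root-owned caller is still allowed through the stable check."""
    PROC_TABLE.clear()
    root_proc = spawn(pid=1, uid=ROOT_UID, start_time=1)
    return proxy_with_identity_check(root_proc, "SetHostname")


if __name__ == "__main__":
    print("no check:        ", scenario_forward_as_root())
    print("pid / identity:  ", scenario_pid_reuse())
    print("legitimate root: ", scenario_legitimate_root())
```

The point to take from the model is that a proxy which rewrites the caller to root has moved the authorization decision onto itself, and a subsequent check is only as good as the subject it resolves: a bare PID can belong to a different process by the time it is looked up. In real Polkit the stable choice is to identify the caller by its unique D-Bus connection name (`system-bus-name`) rather than by PID, which the bus daemon guarantees is never reused while the connection lives.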
