
List:       oss-security
Subject:    [oss-security] blueman before version 2.0.6 is not enforcing authorization for polkit action org.blu
From:       Matthias Gerstner <mgerstner () suse ! de>
Date:       2018-07-31 10:53:34
Message-ID: 20180731105334.GB29194 () f195 ! suse ! de


Hello,

blueman [1] is a graphical interface for dealing with Bluetooth devices
on Linux. It comes with a daemon running as root (blueman-mechanism)
that performs privileged operations.

During a code review [2] I noticed that blueman-mechanism in the stable
version 2.0.5 of blueman does not enforce the polkit action
'org.blueman.network.setup' for which a polkit policy is shipped. This
means that any user with access to the D-Bus system bus is able to
access the related API without authentication.

The result is an unspecified impact on the networking stack.
blueman-mechanism for example sets up a bridge device, changes
system-wide IPv4 forwarding settings and runs a DHCP client like dnsmasq,
dhclient or dhcpcd.

After I contacted upstream about this, they released an updated stable
version blueman 2.0.6 containing a set of backported patches that
address this issue. These patches have already been present in the alpha
version branch of blueman for a longer time.

Regards

Matthias

[1]: https://github.com/blueman-project/blueman
[2]: https://bugzilla.suse.com/show_bug.cgi?id=1083066
[3]: https://github.com/blueman-project/blueman/releases/tag/2.0.6

-- 
Matthias Gerstner <matthias.gerstner@suse.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)
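
Added example, not part of the original message and not blueman's code: an audit check for the bug class described above, where a polkit policy is shipped for an action that the privileged daemon never asks polkit about. The policy contents (apart from the action id org.blueman.network.setup), the second action, the source snippets and the names confirm_authorization, enable_network and toggle are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy file. Only the id org.blueman.network.setup comes from
# the advisory; the defaults and the second action are made up.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.blueman.network.setup">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.demo.toggle">
    <defaults><allow_active>yes</allow_active></defaults>
  </action>
</policyconfig>"""

# Constructed daemon sources with hypothetical names (not blueman's code).
SAMPLE_SOURCES = {
    "mechanism/network.py":
        "def enable_network(self, caller):\n"
        "    setup_bridge()  # privileged work, no polkit check\n",
    "mechanism/toggle.py":
        "def toggle(self, caller):\n"
        "    self.confirm_authorization(caller, 'org.example.demo.toggle')\n"
        "    do_toggle()\n",
}

def declared_actions(policy_xml):
    """Map each action id in a polkit .policy document to its <defaults>."""
    root = ET.fromstring(policy_xml)
    return {a.get("id"): {d.tag: (d.text or "").strip()
                          for d in a.findall("defaults/*")}
            for a in root.iter("action")}

def unenforced_actions(policy_xml, sources):
    """Return declared actions whose id never appears as a string literal."""
    text = "\n".join(sources.values())
    return {aid: defaults
            for aid, defaults in declared_actions(policy_xml).items()
            if not re.search("[\"']" + re.escape(aid) + "[\"']", text)}

if __name__ == "__main__":
    for aid, defaults in unenforced_actions(SAMPLE_POLICY, SAMPLE_SOURCES).items():
        print(f"{aid}: shipped with {defaults} but never referenced")
```

A hit means the action needs manual review; a reference in the source does not by itself prove that the check runs before the privileged operation.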
