List: oss-security
Subject: [oss-security] blueman before version 2.0.6 is not enforcing authorization for polkit action org.blu
From: Matthias Gerstner <mgerstner () suse ! de>
Date: 2018-07-31 10:53:34
Message-ID: 20180731105334.GB29194 () f195 ! suse ! de
Hello,

blueman [1] is a graphical interface for dealing with Bluetooth devices
on Linux. It comes with a daemon running as root (blueman-mechanism)
that performs privileged operations.

During a code review [2] I noticed that blueman-mechanism in the stable
version 2.0.5 of blueman does not enforce the polkit action
'org.blueman.network.setup' for which a polkit policy is shipped. This
means that any user with access to the D-Bus system bus is able to
access the related API without authentication.

The result is an unspecified impact on the networking stack.
blueman-mechanism for example sets up a bridge device, changes
system-wide IPv4 forwarding settings and runs a DHCP client like dnsmasq,
dhclient or dhcpcd.

After I contacted upstream about this, they released an updated stable
version blueman 2.0.6 containing a set of backported patches that
address this issue. These patches have already been present in the alpha
version branch of blueman for a longer time.

Regards

Matthias

[1]: https://github.com/blueman-project/blueman
[2]: https://bugzilla.suse.com/show_bug.cgi?id=1083066
[3]: https://github.com/blueman-project/blueman/releases/tag/2.0.6
--
Matthias Gerstner <matthias.gerstner@suse.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553
SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)
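
Added example, not part of the original message and not blueman's code: a small review aid for the class of bug described above, where a polkit policy declares an action that the privileged daemon never checks. The policy XML, the daemon snippets, the file names, the helper confirm_authorization() and the action id org.example.demo.reset are constructed for illustration; only org.blueman.network.setup comes from the advisory.

```python
import re
import xml.etree.ElementTree as ET

# Constructed polkit policy: the first id is the one named in the advisory,
# the second is a made-up id for contrast.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.blueman.network.setup">
    <defaults><allow_any>auth_admin</allow_any></defaults>
  </action>
  <action id="org.example.demo.reset">
    <defaults><allow_any>auth_admin</allow_any></defaults>
  </action>
</policyconfig>"""

# Constructed daemon sources (hypothetical, not blueman's code): one method
# checks its action, the other does privileged work with no check at all.
SAMPLE_SOURCES = {
    "mechanism/reset.py": '''
def Reset(self, caller):
    self.confirm_authorization(caller, "org.example.demo.reset")
    do_reset()
''',
    "mechanism/network.py": '''
def EnableNetwork(self, caller):
    # TODO: check "org.blueman.network.setup"
    setup_bridge()
''',
}

def declared_actions(policy_xml):
    """Return the action ids declared in a polkit .policy document."""
    root = ET.fromstring(policy_xml)
    return [a.attrib["id"] for a in root.iter("action") if "id" in a.attrib]

def strip_comments(source):
    """Drop '#' comments so an id mentioned only in a comment does not count."""
    return "\n".join(re.sub(r"#.*", "", line) for line in source.splitlines())

def unenforced_actions(policy_xml, sources):
    """List declared action ids that no source file uses as a string literal."""
    code = "\n".join(strip_comments(s) for s in sources.values())
    return [a for a in declared_actions(policy_xml)
            if not re.search(r"""["']""" + re.escape(a) + r"""["']""", code)]

if __name__ == "__main__":
    for action in unenforced_actions(SAMPLE_POLICY, SAMPLE_SOURCES):
        print("declared in policy but never referenced in code:", action)
```

A hit means the action id is shipped in the policy but never passed to an authorization check; the absence of a hit only shows the id is referenced, so each privileged D-Bus method still needs a manual look.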