Date: Tue, 31 Jul 2018 12:53:34 +0200 From: Matthias Gerstner <mgerstner@...e.de> To: oss-security@...ts.openwall.com Subject: blueman before version 2.0.6 is not enforcing authorization for polkit action org.blueman.network.setup Hello, blueman  is a graphical interface for dealing with bluetooth devices on Linux. It comes with a daemon running as root (blueman-mechanism) that performs privileged operations. During a code review  I noticed that blueman-mechanism in the stable version 2.0.5 of blueman does not enforce the polkit action 'org.blueman.network.setup' for which a polkit policy is shipped. This means that any user with access to the D-Bus system bus is able to access the related API without authentication. The result is an unspecified impact on the networking stack. blueman-mechanism for example sets up a bridge device, changes system wide IPv4 forwarding settings and runs a DHCP client like dnsmasq, dhclient or dhcpcd. After I contacted upstream about this, they released an updated stable version blueman 2.0.6 containing a set of backported patches that address this issue. These patches have already been present in the alpha version branch of blueman for a longer time. Regards Matthias : https://github.com/blueman-project/blueman : https://bugzilla.suse.com/show_bug.cgi?id=1083066 : https://github.com/blueman-project/blueman/releases/tag/2.0.6 -- Matthias Gerstner <matthias.gerstner@...e.de> Dipl.-Wirtsch.-Inf. (FH), Security Engineer https://www.suse.com/security Telefon: +49 911 740 53 290 GPG Key ID: 0x14C405C971923553 SUSE Linux GmbH GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nuernberg) Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ