Date: Tue, 31 Jul 2018 12:53:34 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: blueman before version 2.0.6 is not enforcing authorization for
 polkit action org.blueman.network.setup

Hello,

blueman [1] is a graphical interface for dealing with Bluetooth devices
on Linux. It comes with a daemon running as root (blueman-mechanism)
that performs privileged operations.

During a code review [2] I noticed that blueman-mechanism in the stable
version 2.0.5 of blueman does not enforce the polkit action
'org.blueman.network.setup' for which a polkit policy is shipped. This
means that any user with access to the D-Bus system bus is able to
access the related API without authentication.

The result is an unspecified impact on the networking stack.
blueman-mechanism for example sets up a bridge device, changes
system-wide IPv4 forwarding settings and runs a DHCP client like dnsmasq,
dhclient or dhcpcd.

After I contacted upstream about this, they released an updated stable
version blueman 2.0.6 containing a set of backported patches that
address this issue. These patches have already been present in the alpha
version branch of blueman for a longer time.

Regards

Matthias

[1]: https://github.com/blueman-project/blueman
[2]: https://bugzilla.suse.com/show_bug.cgi?id=1083066
[3]: https://github.com/blueman-project/blueman/releases/tag/2.0.6

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)
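
Added example, not part of the original message and not blueman's code: a code-review heuristic for the class of bug reported above, a polkit action that has a shipped policy but is never referenced by the privileged service. The policy snippet, the source snippets, the `check_auth` helper and the `org.example.rfkill.toggle` action id are constructed for illustration; only `org.blueman.network.setup` comes from the report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed polkit policy (not blueman's shipped file).
# The second action id is a made-up placeholder.
SAMPLE_POLICY = """
<policyconfig>
  <action id="org.blueman.network.setup">
    <defaults><allow_active>auth_admin_keep</allow_active></defaults>
  </action>
  <action id="org.example.rfkill.toggle">
    <defaults><allow_active>yes</allow_active></defaults>
  </action>
</policyconfig>
"""

# Constructed service source: one handler checks its action, the other only
# mentions it in a comment. check_auth is a hypothetical helper name.
SAMPLE_SOURCES = {
    "mechanism/rfkill.py": (
        "def toggle(self, caller):\n"
        "    self.check_auth(caller, 'org.example.rfkill.toggle')\n"
    ),
    "mechanism/network.py": (
        "def enable_network(self, caller):\n"
        "    # policy: org.blueman.network.setup\n"
        "    self.setup_bridge()\n"
    ),
}

def declared_actions(policy_xml):
    """Return the action ids declared in a polkit .policy document."""
    root = ET.fromstring(policy_xml)
    return {a.get("id") for a in root.iter("action") if a.get("id")}

def strip_comments(source):
    """Heuristic: drop '#' comments so an id named only in a comment is ignored."""
    return re.sub(r"#[^\n]*", "", source)

def unenforced_actions(policy_xml, sources):
    """Action ids with a shipped policy that no source file uses as a string literal."""
    missing = set()
    for action in declared_actions(policy_xml):
        literal = re.compile(r"""(['"])%s\1""" % re.escape(action))
        if not any(literal.search(strip_comments(src)) for src in sources.values()):
            missing.add(action)
    return sorted(missing)
```

A hit means the action id never reaches the code as a string literal, which is worth a manual look; the absence of a hit does not prove that the check is actually performed on every D-Bus method that needs it.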
