Date: Tue, 31 Jul 2018 12:53:34 +0200
From: Matthias Gerstner <>
Subject: blueman before version 2.0.6 is not enforcing authorization for
 polkit action


blueman [1] is a graphical interface for dealing with Bluetooth devices
on Linux. It comes with a daemon running as root (blueman-mechanism)
that performs privileged operations.

During a code review [2] I noticed that blueman-mechanism in the stable
version 2.0.5 of blueman does not enforce the polkit action
'' for which a polkit policy is shipped. This
means that any user with access to the D-Bus system bus is able to
access the related API without authentication.

The result is an unspecified impact on the networking stack.
blueman-mechanism, for example, sets up a bridge device, changes
system-wide IPv4 forwarding settings and runs a DHCP client like dnsmasq,
dhclient or dhcpcd.

After I contacted upstream about this, they released an updated stable
version blueman 2.0.6 containing a set of backported patches that
address this issue. These patches have already been present in the alpha
version branch of blueman for a longer time.




Matthias Gerstner <>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
Telefon: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)
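
Added example, not part of the original message and not blueman's code: a model of a root D-Bus service method that skips the polkit check, next to a guarded form that asks polkit about the calling bus name and fails closed. FakeAuthority, the method names, the bus names and the action id are hypothetical stand-ins (the advisory's action id is not given); only the CheckAuthorization call shape follows polkit's org.freedesktop.PolicyKit1.Authority interface.

```python
"""Model of a privileged D-Bus method with and without polkit enforcement.
Constructed example: FakeAuthority replaces the real polkit authority so the
code runs offline; it is not blueman's implementation."""

ACTION_ID = "org.example.network.setup"  # placeholder action id (assumption)


class NotAuthorized(Exception):
    """Raised when the caller may not perform the action."""


class FakeAuthority:
    """Mimics CheckAuthorization(subject, action_id, details, flags, cancellation_id)."""

    def __init__(self, grants):
        self.grants = grants  # set of (bus_name, action_id) pairs polkit would allow

    def CheckAuthorization(self, subject, action_id, details, flags, cancellation_id):
        kind, props = subject
        if kind != "system-bus-name":
            raise ValueError("unsupported subject kind")
        allowed = (props["name"], action_id) in self.grants
        return (allowed, False, {})  # (is_authorized, is_challenge, details)


def require_polkit(authority, action_id):
    """Decorator: ask polkit about the D-Bus sender before running the method."""
    def wrap(method):
        def guarded(sender, *args):
            try:
                ok, _challenge, _details = authority.CheckAuthorization(
                    ("system-bus-name", {"name": sender}), action_id, {}, 1, "")
            except Exception as exc:  # fail closed if the check itself breaks
                raise NotAuthorized(f"polkit check failed: {exc}") from exc
            if not ok:
                raise NotAuthorized(f"{sender} denied {action_id}")
            return method(sender, *args)
        return guarded
    return wrap


def enable_forwarding_unchecked(sender, state):
    """Pattern from the advisory: a policy is shipped, but never consulted."""
    state["ip_forward"] = 1  # stands in for the system-wide forwarding change
    return state


AUTHORITY = FakeAuthority({(":1.42", ACTION_ID)})  # constructed: only :1.42 is granted
enable_forwarding_checked = require_polkit(AUTHORITY, ACTION_ID)(enable_forwarding_unchecked)
```

In a real service the sender is the unique bus name supplied by the D-Bus library for the incoming call, never a value taken from the method arguments.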
