Date: Tue, 31 Jul 2018 12:53:34 +0200 From: Matthias Gerstner <mgerstner@...e.de> To: oss-security@...ts.openwall.com Subject: blueman before version 2.0.6 is not enforcing authorization for polkit action org.blueman.network.setup Hello, blueman  is a graphical interface for dealing with bluetooth devices on Linux. It comes with a daemon running as root (blueman-mechanism) that performs privileged operations. During a code review  I noticed that blueman-mechanism in the stable version 2.0.5 of blueman does not enforce the polkit action 'org.blueman.network.setup' for which a polkit policy is shipped. This means that any user with access to the D-Bus system bus is able to access the related API without authentication. The result is an unspecified impact on the networking stack. blueman-mechanism for example sets up a bridge device, changes system wide IPv4 forwarding settings and runs a DHCP client like dnsmasq, dhclient or dhcpcd. After I contacted upstream about this, they released an updated stable version blueman 2.0.6 containing a set of backported patches that address this issue. These patches have already been present in the alpha version branch of blueman for a longer time. Regards Matthias : https://github.com/blueman-project/blueman : https://bugzilla.suse.com/show_bug.cgi?id=1083066 : https://github.com/blueman-project/blueman/releases/tag/2.0.6 -- Matthias Gerstner <matthias.gerstner@...e.de> Dipl.-Wirtsch.-Inf. (FH), Security Engineer https://www.suse.com/security Telefon: +49 911 740 53 290 GPG Key ID: 0x14C405C971923553 SUSE Linux GmbH GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nuernberg) Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.