oss-sec mailing list archives
blueman before version 2.0.6 is not enforcing authorization for polkit action org.blueman.network.setup
From: Matthias Gerstner <mgerstner () suse de>
Date: Tue, 31 Jul 2018 12:53:34 +0200
Hello,

blueman [1] is a graphical interface for dealing with Bluetooth devices on Linux. It comes with a daemon running as root (blueman-mechanism) that performs privileged operations.

During a code review [2] I noticed that blueman-mechanism in the stable version 2.0.5 of blueman does not enforce the polkit action 'org.blueman.network.setup' for which a polkit policy is shipped. This means that any user with access to the D-Bus system bus is able to access the related API without authentication.

The result is an unspecified impact on the networking stack. blueman-mechanism for example sets up a bridge device, changes system-wide IPv4 forwarding settings and runs a DHCP client like dnsmasq, dhclient or dhcpcd.

After I contacted upstream about this, they released an updated stable version blueman 2.0.6 containing a set of backported patches that address this issue. These patches have already been present in the alpha version branch of blueman for a longer time.

Regards

Matthias

[1]: https://github.com/blueman-project/blueman
[2]: https://bugzilla.suse.com/show_bug.cgi?id=1083066
[3]: https://github.com/blueman-project/blueman/releases/tag/2.0.6

--
Matthias Gerstner <matthias.gerstner () suse de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)
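The gap described in the message above, a polkit action that is shipped in a policy file but never checked by the privileged service, can be looked for mechanically during review. The following is an added example, not part of the original post and not blueman's code: the policy XML, its defaults, the source snippet and every name except `org.blueman.network.setup` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample policy: the first action id is the one named in the
# advisory, the second is a made-up id for contrast. Defaults are invented.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.blueman.network.setup">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.demo.checked">
    <defaults><allow_active>yes</allow_active></defaults>
  </action>
</policyconfig>
"""

# Constructed stand-in for a privileged D-Bus service's source files.
SAMPLE_SOURCES = {
    "mechanism.py": (
        "def DemoMethod(self, caller):\n"
        "    self.confirm_authorization(caller, 'org.example.demo.checked')\n"
        "def SetupNetwork(self, caller, ip):\n"
        "    create_bridge(ip)  # no authorization call before privileged work\n"
    ),
}

def declared_actions(policy_xml):
    """Map each polkit action id in a .policy document to its <defaults>."""
    root = ET.fromstring(policy_xml)
    return {
        a.get("id"): {d.tag: (d.text or "").strip() for d in a.findall("defaults/*")}
        for a in root.iter("action")
    }

def unenforced_actions(policy_xml, sources):
    """Return declared action ids that no source file mentions as a whole token."""
    missing = []
    for action_id in declared_actions(policy_xml):
        pattern = re.compile(r"(?<![\w.])" + re.escape(action_id) + r"(?![\w.])")
        if not any(pattern.search(text) for text in sources.values()):
            missing.append(action_id)
    return sorted(missing)

if __name__ == "__main__":
    for action_id in unenforced_actions(SAMPLE_POLICY, SAMPLE_SOURCES):
        print("declared in policy but never referenced in code:", action_id)
```

A hit only means the id is never mentioned in the code; a mention does not prove the check runs before the privileged operation, so each flagged and unflagged method still needs a manual read.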