Bug 906718 - AUDIT-0: Review blueman 2.x alpha package
Classification: Novell Products
Product: SUSE Security Incidents
Component: Audits
Hardware: Other
OS: SUSE Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Reported: 2014-11-23 16:38 UTC by Denisart Benjamin
Modified: 2017-02-06 15:36 UTC (History)


Description Denisart Benjamin 2014-11-23 16:38:37 UTC
See home:posophe:branches:Base:System/blueman
E: suse-dbus-unauthorized-service (Badness: 10000) /usr/share/dbus-1/system-services/org.blueman.Mechanism.service
E: suse-dbus-unauthorized-service (Badness: 10000) /etc/dbus-1/system.d/org.blueman.Mechanism.conf
I: polkit-untracked-privilege org.blueman.network.setup (??:no:auth_admin_keep)
I: polkit-untracked-privilege org.blueman.hal.manager (??:no:auth_admin_keep)
I: polkit-untracked-privilege org.blueman.bluez.config (??:no:auth_admin_keep)
E: polkit-unauthorized-privilege (Badness: 10000) org.blueman.dhcp.client (??:no:yes)
I: polkit-cant-acquire-privilege org.blueman.network.setup (??:no:auth_admin_keep)
I: polkit-cant-acquire-privilege org.blueman.hal.manager (??:no:auth_admin_keep)
I: polkit-cant-acquire-privilege org.blueman.dhcp.client (??:no:yes)
I: polkit-cant-acquire-privilege org.blueman.bluez.config (??:no:auth_admin_keep)

Blueman will be the next Bluetooth manager in the MATE DE, and I would like to push MATE unstable to Factory.
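As an added illustration of what the rpmlint polkit lines above are checking (example code, not blueman's policy file or SUSE's rpmlint tooling): a small audit over a polkit `.policy` document that reports each action's `allow_any:allow_inactive:allow_active` defaults (assumed here to be the order rpmlint prints in its `(??:no:yes)` tuples) and flags actions that grant access with `yes`, i.e. with no authentication at all, as opposed to `auth_admin_keep`. The policy document and the `org.blueman.*` action ids in it are constructed from the report for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy: the org.blueman.* action ids come from the rpmlint
# output in the bug report, but this document is made up for the example and
# is not blueman's real org.blueman.policy file.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.blueman.network.setup">
    <defaults><allow_any>no</allow_any><allow_active>auth_admin_keep</allow_active></defaults>
  </action>
  <action id="org.blueman.dhcp.client">
    <defaults><allow_any>no</allow_any><allow_active>yes</allow_active></defaults>
  </action>
  <action id="org.blueman.bluez.config">
    <defaults><allow_active>auth_admin_keep</allow_active></defaults>
  </action>
</policyconfig>
"""

# The values polkit accepts inside <defaults>; "yes" grants with no prompt at all.
VALID = {"no", "yes", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep"}
SCOPES = ("allow_any", "allow_inactive", "allow_active")


def action_defaults(policy_xml):
    """Map each action id to its (allow_any, allow_inactive, allow_active) triple.

    A scope omitted from <defaults> counts as "no", polkit's documented default.
    """
    root = ET.fromstring(policy_xml)
    result = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        triple = []
        for scope in SCOPES:
            node = defaults.find(scope) if defaults is not None else None
            value = (node.text or "").strip() if node is not None else "no"
            if value not in VALID:
                raise ValueError(f"{action.get('id')}: bad {scope} value {value!r}")
            triple.append(value)
        result[action.get("id")] = tuple(triple)
    return result


def unauthorized_actions(policy_xml):
    """Action ids that some session can invoke with no authentication ("yes" in any scope)."""
    return sorted(aid for aid, triple in action_defaults(policy_xml).items() if "yes" in triple)


if __name__ == "__main__":
    for aid, triple in action_defaults(SAMPLE_POLICY).items():
        verdict = "UNAUTHORIZED" if "yes" in triple else "ok"
        print(f"{aid} ({':'.join(triple)}) {verdict}")
```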

Comment 1 Denisart Benjamin 2014-11-23 16:39:44 UTC
Comment 2 Marcus Meissner 2014-11-23 23:04:25 UTC
dhcp.client with "yes" ... likely not a good idea.

we will take a look
Comment 3 Denisart Benjamin 2015-02-18 11:48:49 UTC
I really need someone to have a look at blueman 2.x before the MATE 1.10 release.
Comment 4 Denisart Benjamin 2015-10-05 13:06:51 UTC
Update: now at the stable 2.0.1 release.
The files requiring review are now reduced to two:
E: suse-dbus-unauthorized-service (Badness: 10000) /usr/share/dbus-1/system-services/org.blueman.Mechanism.service
E: suse-dbus-unauthorized-service (Badness: 10000) /etc/dbus-1/system.d/org.blueman.Mechanism.conf
Comment 5 Sebastian Krahmer 2016-01-05 09:43:50 UTC
Still the same issues with blueman. Every D-Bus function runs as root and
is allowed to be called by anyone without any authorization.

CVE-2015-8612 is a recent example.

Can't be whitelisted.
Comment 6 Denisart Benjamin 2016-01-06 13:58:42 UTC
OK, I rely on upstream.
Comment 7 Stefan Seyfried 2016-07-04 11:18:31 UTC
CVE-2015-8612 is fixed upstream.

Debian stretch and sid contain blueman 2.0.4 (which contains the fix). This CVE is the only one reported in the Debian security database.


If it is good enough for Debian, it might be good enough for openSUSE?
Comment 8 Denisart Benjamin 2017-01-29 18:04:39 UTC
It has been fixed especially for openSUSE. Please re-evaluate.
Comment 9 Sebastian Krahmer 2017-01-30 08:55:31 UTC
Please see https://bugzilla.suse.com/show_bug.cgi?id=1006601
They fixed the particular issue, but most of the functions
are still without polkit rules.
Comment 10 Sebastian Krahmer 2017-02-06 15:36:25 UTC
Solved via bsc#987141.