Bug 906718 - AUDIT-0: Review blueman 2.x alpha package
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Audits
Version: unspecified
Hardware: Other
OS: SUSE Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Reported: 2014-11-23 16:38 UTC by Denisart Benjamin
Modified: 2017-02-06 15:36 UTC (History)
Description Denisart Benjamin 2014-11-23 16:38:37 UTC
See home:posophe:branches:Base:System/blueman
E: suse-dbus-unauthorized-service (Badness: 10000) /usr/share/dbus-1/system-services/org.blueman.Mechanism.service
E: suse-dbus-unauthorized-service (Badness: 10000) /etc/dbus-1/system.d/org.blueman.Mechanism.conf
I: polkit-untracked-privilege org.blueman.network.setup (??:no:auth_admin_keep)
I: polkit-untracked-privilege org.blueman.hal.manager (??:no:auth_admin_keep)
I: polkit-untracked-privilege org.blueman.bluez.config (??:no:auth_admin_keep)
E: polkit-unauthorized-privilege (Badness: 10000) org.blueman.dhcp.client (??:no:yes)
I: polkit-cant-acquire-privilege org.blueman.network.setup (??:no:auth_admin_keep)
I: polkit-cant-acquire-privilege org.blueman.hal.manager (??:no:auth_admin_keep)
I: polkit-cant-acquire-privilege org.blueman.dhcp.client (??:no:yes)
I: polkit-cant-acquire-privilege org.blueman.bluez.config (??:no:auth_admin_keep)


Blueman will be the next Bluetooth manager in the MATE DE, and I would like to push MATE unstable to Factory.

Thanks
Comment 1 Denisart Benjamin 2014-11-23 16:39:44 UTC
sr#262767
Comment 2 Marcus Meissner 2014-11-23 23:04:25 UTC
dhcp.client with "yes" ... likely not a good idea.

We will take a look.
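As an added reviewer's check (not part of the bug report and not blueman's own code), the following Python script parses the rpmlint polkit lines quoted in the description and flags every action whose default lets a caller obtain the privilege without an admin password, which is the "dhcp.client with yes" concern raised above. The sample input is the constructed copy of the lines from the description; the trailing triple is assumed to be polkit's (allow_any:allow_inactive:allow_active) defaults, with "??" meaning unset.

```python
import re
from typing import Dict, List

# Constructed sample: the rpmlint polkit lines quoted in the bug description.
RPMLINT_OUTPUT = """\
I: polkit-untracked-privilege org.blueman.network.setup (??:no:auth_admin_keep)
I: polkit-untracked-privilege org.blueman.hal.manager (??:no:auth_admin_keep)
I: polkit-untracked-privilege org.blueman.bluez.config (??:no:auth_admin_keep)
E: polkit-unauthorized-privilege (Badness: 10000) org.blueman.dhcp.client (??:no:yes)
I: polkit-cant-acquire-privilege org.blueman.network.setup (??:no:auth_admin_keep)
I: polkit-cant-acquire-privilege org.blueman.hal.manager (??:no:auth_admin_keep)
I: polkit-cant-acquire-privilege org.blueman.dhcp.client (??:no:yes)
I: polkit-cant-acquire-privilege org.blueman.bluez.config (??:no:auth_admin_keep)
"""

# One rpmlint polkit line: severity, check name, optional badness, action id,
# then the defaults triple. The triple is assumed (not stated on the page) to be
# polkit's (allow_any:allow_inactive:allow_active), with "??" for an unset value.
LINE_RE = re.compile(
    r"^[A-Z]: (?P<check>polkit-[a-z-]+)"
    r"(?: \(Badness: \d+\))? "
    r"(?P<action>[A-Za-z0-9_.-]+) "
    r"\((?P<any>[^:]+):(?P<inactive>[^:]+):(?P<active>[^)]+)\)$"
)

# Defaults that grant the privilege without an administrator authenticating.
WEAK_DEFAULTS = {"yes", "auth_self", "auth_self_keep"}


def parse_polkit_lines(text: str) -> Dict[str, Dict[str, str]]:
    """Return {action_id: {"any": ..., "inactive": ..., "active": ...}}.

    rpmlint repeats each action once per check, so the first occurrence wins.
    Lines that are not polkit privilege lines are ignored.
    """
    actions: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        actions.setdefault(
            m["action"], {k: m[k] for k in ("any", "inactive", "active")}
        )
    return actions


def weak_actions(text: str) -> List[str]:
    """Sorted list of actions with a weak default in any of the three slots."""
    return sorted(
        action
        for action, defaults in parse_polkit_lines(text).items()
        if any(value in WEAK_DEFAULTS for value in defaults.values())
    )


if __name__ == "__main__":
    flagged = set(weak_actions(RPMLINT_OUTPUT))
    for action, d in sorted(parse_polkit_lines(RPMLINT_OUTPUT).items()):
        state = "WEAK" if action in flagged else "ok"
        print(f"{action:30} any={d['any']:3} inactive={d['inactive']:3} "
              f"active={d['active']:16} {state}")
```

Running the script lists the four blueman actions and marks only org.blueman.dhcp.client as weak, matching the single "E:" line rpmlint emitted; the three auth_admin_keep actions pass this check but would still need explicit polkit rules to stop being "untracked".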
Comment 3 Denisart Benjamin 2015-02-18 11:48:49 UTC
I really need someone to have a look at blueman 2.x before the MATE 1.10 release.
Thanks
Comment 4 Denisart Benjamin 2015-10-05 13:06:51 UTC
Update: now stable 2.0.1 release.
The files requiring a review are now reduced to two files:
E: suse-dbus-unauthorized-service (Badness: 10000) /usr/share/dbus-1/system-services/org.blueman.Mechanism.service
E: suse-dbus-unauthorized-service (Badness: 10000) /etc/dbus-1/system.d/org.blueman.Mechanism.conf
Comment 5 Sebastian Krahmer 2016-01-05 09:43:50 UTC
Still the same issues with blueman. Every D-Bus function runs as root and is
allowed to be called by anyone without any authorization.

CVE-2015-8612 as a recent example.

Can't be whitelisted.
Comment 6 Denisart Benjamin 2016-01-06 13:58:42 UTC
Ok, I rely on upstream.
Comment 7 Stefan Seyfried 2016-07-04 11:18:31 UTC
CVE-2015-8612 is fixed upstream.

Debian stretch and sid contain blueman 2.0.4 (which contains the fix). This CVE is the only one reported in the debian security database.

https://security-tracker.debian.org/tracker/source-package/blueman

If it is good enough for debian, it might be good enough for openSUSE?
Comment 8 Denisart Benjamin 2017-01-29 18:04:39 UTC
It has been fixed especially for openSUSE. Please re-evaluate.
Comment 9 Sebastian Krahmer 2017-01-30 08:55:31 UTC
Please see https://bugzilla.suse.com/show_bug.cgi?id=1006601
They fixed the particular issue, but most of the functions
are still without polkit rules.
Comment 10 Sebastian Krahmer 2017-02-06 15:36:25 UTC
solved via bsc#987141