Your message dated Thu, 07 Jul 2016 13:27:10 +0000
with message-id <[email protected]>
and subject line Bug#829381: Removed package(s) from unstable
has caused the Debian Bug report #774630,
regarding CVE-2014-8148: midgard-core configures D-Bus system bus to be insecure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
774630: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774630
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: midgard2-common
Version: 10.05.7.1-2
Severity: critical
Tags: security
X-Debbugs-Cc: [email protected]

I notified the Debian security team before public disclosure, and the
Debian maintainer is already aware, but for completeness, here is a
Debian bug:

On 05/01/15 15:07, Simon McVittie wrote:
> Type of vulnerability: CWE-284 Improper Access Control
> Exploitable by: local users
> Impact: could allow arbitrary code execution as root (dependent on
> installed D-Bus system services)
> Reporter: Simon McVittie, Collabora Ltd.
> Upstream notified: 2014-12-19
> 
> Midgard2 is an open source content repository for data-intensive web and
> desktop applications.
> 
> While checking Debian for incorrect/dangerous D-Bus security policy
> files (found in /etc/dbus-1/system.d/*.conf) I found this access control
> rule in midgard2-common/10.05.7.1-2, part of the upstream project
> midgard-core:
> 
> <policy context="default">               <==== "applies to everyone"
>   <allow own="org.midgardproject" />     <==== probably undesired
>   <allow send_type="method_call"/>       <==== definitely bad
>   <allow send_type="signal" />           <==== not good either
> </policy>
> 
> This is analogous to an overly permissive "chmod": it allows any process
> on the system bus to send any method call or signal to any other process
> on the system bus, including those that are normally forbidden either
> explicitly or via the system bus' documented default-deny policy. Some
> D-Bus system services perform additional authorization checks, either
> via Polkit/PolicyKit or internally, but many services rely on the system
> bus to apply their intended security model.
> 
> For instance, depending on installed software, this vulnerability could
> allow unprivileged local users to:
> 
> * invoke Avahi's SetHostName() method
> * communicate with bluetooth devices using BlueZ
> * install printer drivers using system-config-printer
> * run NetworkManager "dispatcher" scripts
> * ...
> 
> It seems likely that at least one of these services can be used for
> arbitrary code execution as root, making this a severe vulnerability.

--- End Message ---
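The audit the quoted report describes (scanning D-Bus system bus policy files for default-context rules that grant bus-wide rights) can be automated. This is an added example, not code from the bug report or from midgard-core: the insecure sample is the rule quoted above with its arrow annotations removed, and the hardened variant (own restricted to root, default context limited to one destination) is a constructed illustration of the fix, not the upstream one.

```python
"""Flag over-permissive <allow> rules in a D-Bus system bus policy file.

Added example. Looks only at <policy context="default">, which applies to
every connection; per-user/per-group policies are already scoped.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the midgard rule quoted in the report (DOCTYPE omitted).
INSECURE_POLICY = """<busconfig>
  <policy context="default">
    <allow own="org.midgardproject" />
    <allow send_type="method_call"/>
    <allow send_type="signal" />
  </policy>
</busconfig>
"""

# Constructed hardened variant, for contrast: only root may own the name,
# and unprivileged connections may only talk to that one name.
HARDENED_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.midgardproject" />
  </policy>
  <policy context="default">
    <allow send_destination="org.midgardproject" />
  </policy>
</busconfig>
"""


def find_risky_rules(policy_xml):
    """Return a list of findings (strings) for dangerous default-context rules."""
    root = ET.fromstring(policy_xml)
    findings = []
    for policy in root.iter("policy"):
        if policy.get("context") != "default":
            continue
        for rule in policy.findall("allow"):
            attrs = dict(rule.attrib)
            # Letting every connection own a well-known name invites spoofing.
            if "own" in attrs or "own_prefix" in attrs:
                findings.append("anyone may own %s" % (attrs.get("own") or attrs.get("own_prefix")))
            # A send_* rule without send_destination matches every service on the bus,
            # overriding the bus' default-deny policy for all of them.
            if any(k.startswith("send_") for k in attrs) and "send_destination" not in attrs:
                findings.append("unrestricted send rule: %s" % attrs)
    return findings


if __name__ == "__main__":
    for name, xml in (("insecure", INSECURE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_risky_rules(xml) or "OK")
```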
--- Begin Message ---
Version: 10.05.7.1-2+rm

Dear submitter,

as the package midgard2-core has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/829381

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---