Package: release.debian.org
Severity: normal
Tags: wheezy
User: [email protected]
Usertags: pu
Hi, I just requested unblocking of the fso stack for unstable -> testing migration. I also prepared fixed packages for wheezy and the security team sent me here. This is the debdiff for the proposed stable updates:
=== debdiff fso-datad_0.11.0-1.dsc fso-datad_0.11.0-1+deb7u1.dsc === diff -Nru fso-datad-0.11.0/debian/changelog fso-datad-0.11.0/debian/changelog --- fso-datad-0.11.0/debian/changelog 2012-05-26 10:29:47.000000000 +0200 +++ fso-datad-0.11.0/debian/changelog 2015-01-28 00:18:22.000000000 +0100 @@ -1,3 +1,9 @@ +fso-datad (0.11.0-1+deb7u1) wheezy-security; urgency=high + + * Fix DBus permissions (Closes: CVE-2014-8156) + + -- Sebastian Reichel <[email protected]> Wed, 28 Jan 2015 00:04:16 +0100 + fso-datad (0.11.0-1) unstable; urgency=low * New upstream release diff -Nru fso-datad-0.11.0/debian/patches/fix-dbus-permissions.patch fso-datad-0.11.0/debian/patches/fix-dbus-permissions.patch --- fso-datad-0.11.0/debian/patches/fix-dbus-permissions.patch 1970-01-01 01:00:00.000000000 +0100 +++ fso-datad-0.11.0/debian/patches/fix-dbus-permissions.patch 2015-01-28 00:15:03.000000000 +0100 
@@ -0,0 +1,24 @@ +From: Sebastian Reichel <[email protected]> +Reported-By: Simon McVittie <[email protected]> +Last-Update: 2015-01-20 +Description: Fix Security Problem in DBus Configuration + Old configuration allows every local user to send arbitrary D-Bus + messages to the path /org/freesmartphone/Framework on *any* D-Bus + system service (rough HTTP analogy: send a POST to + http://server/org/freesmartphone/Framework on any server). +Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156 + +Index: fso-datad/data/fsodatad.conf +=================================================================== +--- fso-datad.orig/data/fsodatad.conf ++++ fso-datad/data/fsodatad.conf +@@ -3,8 +3,7 @@ + <busconfig> + <policy context="default"> + <allow own="org.freesmartphone.odatad"/> +- <allow send_path="/org/freesmartphone/Time"/> +- <allow send_destination="org.freesmartphone.odatad"/> ++ <allow send_destination="org.freesmartphone.odatad" send_path="/org/freesmartphone/Time"/> + </policy> + <policy context="default"> + <allow send_interface="org.freedesktop.DBus.Introspectable"/> diff -Nru fso-datad-0.11.0/debian/patches/series fso-datad-0.11.0/debian/patches/series --- fso-datad-0.11.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ fso-datad-0.11.0/debian/patches/series 2015-01-28 00:15:24.000000000 +0100 @@ -0,0 +1 @@ +fix-dbus-permissions.patch === debdiff fso-deviced_0.11.4-1.dsc fso-deviced_0.11.4-1+deb7u1.dsc === diff -Nru fso-deviced-0.11.4/debian/changelog fso-deviced-0.11.4/debian/changelog --- fso-deviced-0.11.4/debian/changelog 2012-06-01 07:00:15.000000000 +0200 +++ fso-deviced-0.11.4/debian/changelog 2015-01-28 01:17:12.000000000 +0100 
@@ -1,3 +1,9 @@ +fso-deviced (0.11.4-1+deb7u1) wheezy-security; urgency=high + + * Fix DBus permissions (Closes: CVE-2014-8156) + + -- Sebastian Reichel <[email protected]> Wed, 28 Jan 2015 00:40:54 +0100 + fso-deviced (0.11.4-1) unstable; urgency=low * New upstream release diff -Nru fso-deviced-0.11.4/debian/patches/fix-dbus-permissions.patch fso-deviced-0.11.4/debian/patches/fix-dbus-permissions.patch --- fso-deviced-0.11.4/debian/patches/fix-dbus-permissions.patch 1970-01-01 01:00:00.000000000 +0100 +++ fso-deviced-0.11.4/debian/patches/fix-dbus-permissions.patch 2015-01-28 00:40:03.000000000 +0100 @@ -0,0 +1,24 @@ +From: Sebastian Reichel <[email protected]> +Reported-By: Simon McVittie <[email protected]> +Last-Update: 2015-01-20 +Description: Fix Security Problem in DBus Configuration + Old configuration allows every local user to send arbitrary D-Bus + messages to the path /org/freesmartphone/Framework on *any* D-Bus + system service (rough HTTP analogy: send a POST to + http://server/org/freesmartphone/Framework on any server). +Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156 + +Index: fso-deviced/data/fsodeviced.conf +=================================================================== +--- fso-deviced.orig/data/fsodeviced.conf ++++ fso-deviced/data/fsodeviced.conf +@@ -3,8 +3,7 @@ + <busconfig> + <policy context="default"> + <allow own="org.freesmartphone.odeviced"/> +- <allow send_path="/org/freesmartphone/Device"/> +- <allow send_destination="org.freesmartphone.odeviced"/> ++ <allow send_destination="org.freesmartphone.odeviced" send_path="/org/freesmartphone/Device"/> + </policy> + <policy context="default"> + <allow send_interface="org.freedesktop.DBus.Introspectable"/> diff -Nru fso-deviced-0.11.4/debian/patches/series fso-deviced-0.11.4/debian/patches/series --- fso-deviced-0.11.4/debian/patches/series 2012-06-01 07:00:15.000000000 +0200 +++ fso-deviced-0.11.4/debian/patches/series 2015-01-28 00:40:13.000000000 +0100 
@@ -1 +1,2 @@ openmoko-wifi-2.6.39.patch +fix-dbus-permissions.patch === debdiff fso-frameworkd_0.9.5.9+git20110512-4.dsc fso-frameworkd_0.9.5.9+git20110512-4+deb7u1.dsc === diff -Nru fso-frameworkd-0.9.5.9+git20110512/debian/changelog fso-frameworkd-0.9.5.9+git20110512/debian/changelog --- fso-frameworkd-0.9.5.9+git20110512/debian/changelog 2012-03-28 05:04:21.000000000 +0200 +++ fso-frameworkd-0.9.5.9+git20110512/debian/changelog 2015-01-28 01:05:39.000000000 +0100 @@ -1,3 +1,9 @@ +fso-frameworkd (0.9.5.9+git20110512-4+deb7u1) wheezy-security; urgency=high + + * Fix DBus permissions (Closes: CVE-2014-8156) + + -- Sebastian Reichel <[email protected]> Wed, 28 Jan 2015 00:59:39 +0100 + fso-frameworkd (0.9.5.9+git20110512-4) unstable; urgency=low * make fso-frameworkd-gta01 and fso-frameworkd-gta02 armel only, diff -Nru fso-frameworkd-0.9.5.9+git20110512/debian/patches/fix-dbus-permissions.patch fso-frameworkd-0.9.5.9+git20110512/debian/patches/fix-dbus-permissions.patch --- fso-frameworkd-0.9.5.9+git20110512/debian/patches/fix-dbus-permissions.patch1970-01-01 01:00:00.000000000 +0100 +++ fso-frameworkd-0.9.5.9+git20110512/debian/patches/fix-dbus-permissions.patch2015-01-28 00:57:48.000000000 +0100 
@@ -0,0 +1,96 @@ +From: Sebastian Reichel <[email protected]> +Reported-By: Simon McVittie <[email protected]> +Last-Update: 2015-01-20 +Description: Fix Security Problem in DBus Configuration + Old configuration allows every local user to send arbitrary D-Bus + messages to the path /org/freesmartphone/Framework on *any* D-Bus + system service (rough HTTP analogy: send a POST to + http://server/org/freesmartphone/Framework on any server). +Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156 + +Index: fso-frameworkd/etc/dbus-1/system.d/frameworkd.conf +=================================================================== +--- fso-frameworkd.orig/etc/dbus-1/system.d/frameworkd.conf ++++ fso-frameworkd/etc/dbus-1/system.d/frameworkd.conf +@@ -3,70 +3,57 @@ + <busconfig> + <policy context="default"> + <allow own="org.freesmartphone.testing"/> +- <allow send_path="/org/freesmartphone/testing"/> +- <allow send_destination="org.freesmartphone.testing"/> ++ <allow send_destination="org.freesmartphone.testing" send_path="/org/freesmartphone/testing"/> + </policy> + <policy context="default"> + <allow own="org.freesmartphone.onetworkd"/> +- <allow send_path="/org/freesmartphone.onetworkd"/> +- <allow send_destination="org.freesmartphone.onetwork"/> ++ <allow send_destination="org.freesmartphone.onetwork" send_path="/org/freesmartphone.onetworkd"/> + </policy> + <policy context="default"> + <allow own="org.freesmartphone.frameworkd"/> +- <allow send_path="/org/freesmartphone/Framework"/> +- <allow send_destination="org.freesmartphone.frameworkd"/> ++ <allow send_destination="org.freesmartphone.frameworkd" send_path="/org/freesmartphone/Framework"/> + </policy> + <policy context="default"> + <allow own="org.freesmartphone.odeviced"/> +- <allow send_path="/"/> + <allow send_destination="org.freesmartphone.odeviced"/> + </policy> + <policy context="default"> + <allow own="org.freesmartphone.oeventsd"/> +- <allow send_path="/org/freesmartphone/Events"/> +- <allow 
send_destination="org.freesmartphone.oeventsd"/> ++ <allow send_destination="org.freesmartphone.oeventsd" send_path="/org/freesmartphone/Events"/> + </policy> + <policy context="default"> + <allow own="org.freesmartphone.ousaged"/> +- <allow send_path="/org/freesmartphone/Usage"/> +- <allow send_destination="org.freesmartphone.ousaged"/> ++ <allow send_destination="org.freesmartphone.ousaged" send_path="/org/freesmartphone/Usage"/> + </policy> + <policy context="default"> + <allow own="org.freesmartphone.ogsmd"/> +- <allow send_path="/org/freesmartphone/GSM"/> +- <allow send_destination="org.freesmartphone.ogsmd"/> ++ <allow send_destination="org.freesmartphone.ogsmd" send_path="/org/freesmartphone/GSM"/> + </policy> + <policy context="default"> + <allow own="org.freesmartphone.ogpsd"/> + <allow own="org.freedesktop.Gypsy"/> +- <allow send_path="/org/freedesktop/Gypsy"/> + <allow send_destination="org.freesmartphone.ogpsd"/> + <allow send_destination="org.freedesktop.gypsy"/> + </policy> + <policy context="default"> + <allow own="org.freesmartphone.opreferencesd"/> +- <allow send_path="/org/freesmartphone/Preferences"/> +- <allow send_destination="org.freesmartphone.opreferencesd"/> ++ <allow send_destination="org.freesmartphone.opreferencesd" send_path="/org/freesmartphone/Preferences"/> + </policy> + <policy context="default"> + <allow own="org.freesmartphone.ophoned"/> +- <allow send_path="/org/freesmartphone/Phone"/> +- <allow send_destination="org.freesmartphone.ophoned"/> ++ <allow send_destination="org.freesmartphone.ophoned" send_path="/org/freesmartphone/Phone"/> + </policy> + <policy context="default"> + <allow own="org.freesmartphone.opimd"/> +- <allow send_path="/org/freesmartphone/PIM"/> +- <allow send_destination="org.freesmartphone.opimd"/> ++ <allow send_destination="org.freesmartphone.opimd" send_path="/org/freesmartphone/PIM"/> + </policy> + <policy context="default"> + <allow own="org.freesmartphone.otimed"/> +- <allow 
send_path="/org/freesmartphone/Time"/> +- <allow send_destination="org.freesmartphone.otimed"/> ++ <allow send_destination="org.freesmartphone.otimed" send_path="/org/freesmartphone/Time"/> + </policy> + <policy context="default"> + <allow own="org.freesmartphone.omuxerd"/> +- <allow send_path="/org/freesmartphone/GSM/Muxer"/> +- <allow send_destination="org.freesmartphone.omuxerd"/> ++ <allow send_destination="org.freesmartphone.omuxerd" send_path="/org/freesmartphone/GSM/Muxer"/> + <allow send_interface="org.freesmartphone.GSM.MUX"/> + </policy> + <policy context="default"> diff -Nru fso-frameworkd-0.9.5.9+git20110512/debian/patches/series fso-frameworkd-0.9.5.9+git20110512/debian/patches/series --- fso-frameworkd-0.9.5.9+git20110512/debian/patches/series 2012-03-28 05:04:21.000000000 +0200 +++ fso-frameworkd-0.9.5.9+git20110512/debian/patches/series 2015-01-28 00:58:07.000000000 +0100 @@ -1,3 +1,4 @@ fix-setup.py fix-ogpsd.patch fix-message-notfication.patch +fix-dbus-permissions.patch === debdiff fso-gsmd_0.11.3-2.dsc fso-gsmd_0.11.3-2+deb7u1.dsc === diff -Nru fso-gsmd-0.11.3/debian/changelog fso-gsmd-0.11.3/debian/changelog --- fso-gsmd-0.11.3/debian/changelog 2012-06-27 02:41:45.000000000 +0200 +++ fso-gsmd-0.11.3/debian/changelog 2015-01-28 01:11:10.000000000 +0100 @@ -1,3 +1,9 @@ +fso-gsmd (0.11.3-2+deb7u1) wheezy-security; urgency=high + + * Fix DBus permissions (Closes: CVE-2014-8156) + + -- Sebastian Reichel <[email protected]> Wed, 28 Jan 2015 01:04:52 +0100 + fso-gsmd (0.11.3-2) unstable; urgency=low * fso-gsmd 0.11.3 requires libgsm0710mux 0.11.2 diff -Nru fso-gsmd-0.11.3/debian/patches/fix-dbus-permissions.patch fso-gsmd-0.11.3/debian/patches/fix-dbus-permissions.patch --- fso-gsmd-0.11.3/debian/patches/fix-dbus-permissions.patch 1970-01-01 01:00:00.000000000 +0100 +++ fso-gsmd-0.11.3/debian/patches/fix-dbus-permissions.patch 2015-01-28 01:06:55.000000000 +0100 
@@ -0,0 +1,24 @@ +From: Sebastian Reichel <[email protected]> +Reported-By: Simon McVittie <[email protected]> +Last-Update: 2015-01-20 +Description: Fix Security Problem in DBus Configuration + Old configuration allows every local user to send arbitrary D-Bus + messages to the path /org/freesmartphone/Framework on *any* D-Bus + system service (rough HTTP analogy: send a POST to + http://server/org/freesmartphone/Framework on any server). +Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156 + +Index: fso-gsmd/data/fsogsmd.conf +=================================================================== +--- fso-gsmd.orig/data/fsogsmd.conf ++++ fso-gsmd/data/fsogsmd.conf +@@ -3,8 +3,7 @@ + <busconfig> + <policy context="default"> + <allow own="org.freesmartphone.ogsmd"/> +- <allow send_path="/org/freesmartphone/GSM"/> +- <allow send_destination="org.freesmartphone.ogsmd"/> ++ <allow send_destination="org.freesmartphone.ogsmd" send_path="/org/freesmartphone/GSM"/> + </policy> + <policy context="default"> + <allow send_interface="org.freedesktop.DBus.Introspectable"/> diff -Nru fso-gsmd-0.11.3/debian/patches/series fso-gsmd-0.11.3/debian/patches/series --- fso-gsmd-0.11.3/debian/patches/series 2012-06-27 02:41:45.000000000 +0200 +++ fso-gsmd-0.11.3/debian/patches/series 2015-01-28 01:07:02.000000000 +0100 @@ -2,3 +2,4 @@ phonebook-storage-dir.patch sms-storage-dir.patch fix-pkglibdir.patch +fix-dbus-permissions.patch === debdiff fso-usaged_0.11.0-1.dsc fso-usaged_0.11.0-1+deb7u1.dsc === diff -Nru fso-usaged-0.11.0/debian/changelog fso-usaged-0.11.0/debian/changelog --- fso-usaged-0.11.0/debian/changelog 2012-05-26 11:44:02.000000000 +0200 +++ fso-usaged-0.11.0/debian/changelog 2015-01-28 01:09:39.000000000 +0100 
@@ -1,3 +1,9 @@ +fso-usaged (0.11.0-1+deb7u1) wheezy-security; urgency=high + + * Fix DBus permissions (Closes: CVE-2014-8156) + + -- Sebastian Reichel <[email protected]> Wed, 28 Jan 2015 01:08:45 +0100 + fso-usaged (0.11.0-1) unstable; urgency=low * New upstream release diff -Nru fso-usaged-0.11.0/debian/patches/fix-dbus-permissions.patch fso-usaged-0.11.0/debian/patches/fix-dbus-permissions.patch --- fso-usaged-0.11.0/debian/patches/fix-dbus-permissions.patch 1970-01-01 01:00:00.000000000 +0100 +++ fso-usaged-0.11.0/debian/patches/fix-dbus-permissions.patch 2015-01-28 01:10:04.000000000 +0100 @@ -0,0 +1,24 @@ +From: Sebastian Reichel <[email protected]> +Reported-By: Simon McVittie <[email protected]> +Last-Update: 2015-01-20 +Description: Fix Security Problem in DBus Configuration + Old configuration allows every local user to send arbitrary D-Bus + messages to the path /org/freesmartphone/Framework on *any* D-Bus + system service (rough HTTP analogy: send a POST to + http://server/org/freesmartphone/Framework on any server). +Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156 + +Index: fso-usaged/data/fsousaged.conf +=================================================================== +--- fso-usaged.orig/data/fsousaged.conf ++++ fso-usaged/data/fsousaged.conf +@@ -3,8 +3,7 @@ + <busconfig> + <policy context="default"> + <allow own="org.freesmartphone.ousaged"/> +- <allow send_path="/org/freesmartphone/Usage"/> +- <allow send_destination="org.freesmartphone.ousaged"/> ++ <allow send_destination="org.freesmartphone.ousaged" send_path="/org/freesmartphone/Usage"/> + </policy> + <policy context="default"> + <allow send_interface="org.freedesktop.DBus.Introspectable"/> diff -Nru fso-usaged-0.11.0/debian/patches/series fso-usaged-0.11.0/debian/patches/series --- fso-usaged-0.11.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ fso-usaged-0.11.0/debian/patches/series 2015-01-28 01:10:11.000000000 +0100 
@@ -0,0 +1 @@ +fix-dbus-permissions.patch === debdiff phonefsod_0.1+git20110827-3.dsc phonefsod_0.1+git20110827-3+deb7u1.dsc === diff -Nru phonefsod-0.1+git20110827/debian/changelog phonefsod-0.1+git20110827/debian/changelog --- phonefsod-0.1+git20110827/debian/changelog 2012-03-30 01:53:42.000000000 +0200 +++ phonefsod-0.1+git20110827/debian/changelog 2015-01-28 01:12:26.000000000 +0100 @@ -1,3 +1,9 @@ +phonefsod (0.1+git20110827-3+deb7u1) wheezy-security; urgency=high + + * Fix DBus permissions (Closes: CVE-2014-8156) + + -- Sebastian Reichel <[email protected]> Wed, 28 Jan 2015 01:12:08 +0100 + phonefsod (0.1+git20110827-3) unstable; urgency=low * Fix #665595 diff -Nru phonefsod-0.1+git20110827/debian/patches/fix-dbus-permissions.patch phonefsod-0.1+git20110827/debian/patches/fix-dbus-permissions.patch --- phonefsod-0.1+git20110827/debian/patches/fix-dbus-permissions.patch 1970-01-01 01:00:00.000000000 +0100 +++ phonefsod-0.1+git20110827/debian/patches/fix-dbus-permissions.patch 2015-01-28 01:12:43.000000000 +0100 
@@ -0,0 +1,24 @@ +From: Sebastian Reichel <[email protected]> +Reported-By: Simon McVittie <[email protected]> +Last-Update: 2015-01-20 +Description: Fix Security Problem in DBus Configuration + Old configuration allows every local user to send arbitrary D-Bus + messages to the path /org/freesmartphone/Framework on *any* D-Bus + system service (rough HTTP analogy: send a POST to + http://server/org/freesmartphone/Framework on any server). +Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156 + +Index: phonefsod/data/dbus-1/phonefsod.conf +=================================================================== +--- phonefsod.orig/data/dbus-1/phonefsod.conf ++++ phonefsod/data/dbus-1/phonefsod.conf +@@ -1,8 +1,7 @@ + <busconfig> + <policy user="root"> + <allow own="org.shr.phonefso"/> +- <allow send_path="/org/shr/phonefso/Usage"/> +- <allow send_destination="org.shr.phonefso"/> ++ <allow send_destination="org.shr.phonefso" send_path="/org/shr/phonefso/Usage"/> + <allow receive_sender="org.shr.phonefso"/> + </policy> + </busconfig> diff -Nru phonefsod-0.1+git20110827/debian/patches/series phonefsod-0.1+git20110827/debian/patches/series --- phonefsod-0.1+git20110827/debian/patches/series 2012-03-30 01:53:42.000000000 +0200 +++ phonefsod-0.1+git20110827/debian/patches/series 2015-01-28 01:12:52.000000000 +0100 @@ -1,3 +1,4 @@ no-output-before-daemonization.patch fix-ld-as-needed.patch remove-invidiual-glib-header-includes.patch +fix-dbus-permissions.patch diff -Nru phonefsod-0.1+git20110827/debian/phonefsod.conf phonefsod-0.1+git20110827/debian/phonefsod.conf --- phonefsod-0.1+git20110827/debian/phonefsod.conf 2012-03-30 01:53:42.000000000 +0200 +++ phonefsod-0.1+git20110827/debian/phonefsod.conf 2015-01-28 01:13:16.000000000 +0100 
@@ -4,8 +4,7 @@ </policy> <policy context="default"> - <allow send_path="/org/shr/phonefso/Usage"/> - <allow send_destination="org.shr.phonefso"/> + <allow send_destination="org.shr.phonefso" send_path="/org/shr/phonefso/Usage"/> <allow receive_sender="org.shr.phonefso"/> </policy> </busconfig> -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
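Review bot: the six changelog hunks (`+fso-datad (0.11.0-1+deb7u1) wheezy-security; urgency=high` and the matching entries for fso-deviced, fso-frameworkd, fso-gsmd, fso-usaged and phonefsod) target `wheezy-security`, but this is a pu request to release.debian.org after the security team declined a DSA; a stable-proposed-updates upload must name the stable codename (`wheezy`) as its distribution, so all six entries need that changed before upload. In the same entries, `* Fix DBus permissions (Closes: CVE-2014-8156)` will not close anything: `Closes:` is parsed for Debian bug numbers, not CVE ids, so either drop the `Closes:` and cite the CVE in the text ("Fix D-Bus policy (CVE-2014-8156)") or add the real bug number if one was filed.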
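Review bot: in the fso-frameworkd hunk, the merged rule `++ <allow send_destination="org.freesmartphone.onetwork" send_path="/org/freesmartphone.onetworkd"/>` carries over two pre-existing inconsistencies instead of fixing them: the destination is missing the trailing `d` of the owned name `org.freesmartphone.onetworkd` two lines above, and `/org/freesmartphone.onetworkd` contains a dot, which is not a legal object-path character, so this rule can never match a real message and onetworkd clients are left to whatever the default policy permits. Since this is a security update touching exactly this block, either correct both values to match the `own=` line (`org.freesmartphone.onetworkd`, `/org/freesmartphone/onetworkd`) or say explicitly in the patch description that they are left untouched on purpose.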
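Review bot: also in the fso-frameworkd hunk, the ogpsd block drops `+- <allow send_path="/org/freedesktop/Gypsy"/>` but keeps `+ <allow send_destination="org.freedesktop.gypsy"/>` in lowercase while the owned name is `org.freedesktop.Gypsy`; bus names are case-sensitive, so the lowercase rule does not cover the name the daemon actually owns. If Gypsy clients are expected to keep working after the path rule is gone, the destination should read `org.freedesktop.Gypsy`. The odeviced block in the same file is handled differently from every other block (only `+- <allow send_path="/"/>` is removed and the plain `send_destination` allow is kept without a path); that is a reasonable choice, but worth one sentence in the description so the asymmetry does not look accidental.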
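Review bot: every one of the single-block hunks (fso-datad, fso-deviced, fso-gsmd, fso-usaged, phonefsod, and the per-service blocks in fso-frameworkd) replaces a path-unrestricted `<allow send_destination=.../>` with a rule that is restricted to one path, e.g. `++ <allow send_destination="org.freesmartphone.odatad" send_path="/org/freesmartphone/Time"/>`. That closes the hole the description names, but it also narrows what clients were allowed before: any client that talks to a different object path on the same daemon will now be denied. Please confirm on a device that each daemon exposes only the one path listed (fso-datad owning `org.freesmartphone.odatad` yet allowing only `/org/freesmartphone/Time` looks particularly worth checking); if not, keeping a plain `<allow send_destination="..."/>` as the odeviced block does is the safer minimal fix, since `send_destination` alone already removes the cross-service exposure.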
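Review bot: the DEP-3 headers of all six `fix-dbus-permissions.patch` files are copies of the frameworkd one, so the Description `+ messages to the path /org/freesmartphone/Framework on *any* D-Bus` is inaccurate for five of them (the removed rules are `/org/freesmartphone/Time`, `/org/freesmartphone/Device`, `/org/freesmartphone/GSM`, `/org/freesmartphone/Usage` and `/org/shr/phonefso/Usage` respectively). Either name the package's own path in each copy or phrase the sentence generically ("to the listed object path on any system service"). The headers also lack a `Forwarded:` field; since these are corrections to upstream-shipped policy files, state whether upstream has been sent the fix.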

