Bug#973718: blueman: CVE-2020-15238

2020-11-03 Thread Nobuhiro Iwamatsu
Hi,

I added some comments on https://mentors.debian.net/. Could you check it?

Best regards,
  Nobuhiro

On Wed, Nov 4, 2020 at 8:09, Nobuhiro Iwamatsu wrote:
>
> Hi,
>
> Sorry, I will check this and, if there is no problem, upload it.
>
> Best regards,
>   Nobuhiro
>
> On Wed, Nov 4, 2020 at 6:17, Christopher Schramm wrote:
>
> >
> > Hi Salvatore,
> >
> > 2.1.4-1 is waiting at https://mentors.debian.net/package/blueman/. I can
> > add the CVE number and / or this bug to the changelog if you like.
> >
> > Unfortunately my sponsor Nobuhiro seems to be unavailable.
> >
> > Regards
>
>
>
> --
> Nobuhiro Iwamatsu
>    iwamatsu at {nigauri.org / debian.org}
>    GPG ID: 40AD1FA6



-- 
Nobuhiro Iwamatsu
   iwamatsu at {nigauri.org / debian.org}
   GPG ID: 40AD1FA6



Bug#973718: blueman: CVE-2020-15238

2020-11-03 Thread Nobuhiro Iwamatsu
Hi,

Sorry, I will check this and, if there is no problem, upload it.

Best regards,
  Nobuhiro

On Wed, Nov 4, 2020 at 6:17, Christopher Schramm wrote:

>
> Hi Salvatore,
>
> 2.1.4-1 is waiting at https://mentors.debian.net/package/blueman/. I can
> add the CVE number and / or this bug to the changelog if you like.
>
> Unfortunately my sponsor Nobuhiro seems to be unavailable.
>
> Regards



--
Nobuhiro Iwamatsu
   iwamatsu at {nigauri.org / debian.org}
   GPG ID: 40AD1FA6



Bug#973718: blueman: CVE-2020-15238

2020-11-03 Thread Christopher Schramm

Hi Salvatore,

2.1.4-1 is waiting at https://mentors.debian.net/package/blueman/. I can 
add the CVE number and / or this bug to the changelog if you like.


Unfortunately my sponsor Nobuhiro seems to be unavailable.

Regards



Bug#973718: blueman: CVE-2020-15238

2020-11-03 Thread Salvatore Bonaccorso
Source: blueman
Version: 2.1.3-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 2.0.8-1
Control: fixed -1 2.0.8-1+deb10u1

Hi,

The following vulnerability was published for blueman.

CVE-2020-15238[0]:
| Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the
| DhcpClient method of the D-Bus interface to blueman-mechanism is prone
| to an argument injection vulnerability. The impact highly depends on
| the system configuration. If Polkit-1 is disabled and for versions
| lower than 2.0.6, any local user can possibly exploit this. If
| Polkit-1 is enabled for version 2.0.6 and later, a possible attacker
| needs to be allowed to use the `org.blueman.dhcp.client` action. That
| is limited to users in the wheel group in the shipped rules file that
| do have the privileges anyway. On systems with ISC DHCP client
| (dhclient), attackers can pass arguments to `ip link` with the
| interface name that can e.g. be used to bring down an interface or add
| an arbitrary XDP/BPF program. On systems with dhcpcd and without ISC
| DHCP client, attackers can even run arbitrary scripts by passing
| `-c/path/to/script` as an interface name. Patches are included in
| 2.1.4 and master that change the DhcpClient D-Bus method(s) to accept
| BlueZ network object paths instead of network interface names. A
| backport to 2.0(.8) is also available. As a workaround, make sure that
| Polkit-1-support is enabled and limit privileges for the
| `org.blueman.dhcp.client` action to users that are able to run
| arbitrary commands as root anyway in
| /usr/share/polkit-1/rules.d/blueman.rules.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15238
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15238
[1] https://github.com/blueman-project/blueman/security/advisories/GHSA-jpc9-mgw6-2xwx
[2] https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/1897287
[3] https://github.com/blueman-project/blueman/commit/02161d60e8e311b08fb18254615259085fcd668

Regards,
Salvatore
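
The design change the CVE text above describes (the privileged method accepts a BlueZ object path rather than an interface name), sketched as an added example that is not part of this thread and not blueman's own code. The path pattern, the `known_networks` mapping (standing in for a lookup against BlueZ), the sample values and all function names are assumptions made for illustration.

```python
import re

# Shape of a BlueZ device object path (pattern assumed for this example).
OBJECT_PATH = re.compile(r"/org/bluez/hci[0-9]+/dev_[0-9A-F]{2}(?:_[0-9A-F]{2}){5}")
# Conservative interface-name allowlist: at most 15 characters (IFNAMSIZ - 1),
# no '/', ':' or whitespace, and no leading '-' or '.', so the value can never
# be parsed as a command-line option.
IFACE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,14}")


class Rejected(ValueError):
    """Raised when a request must not reach the DHCP client."""


def iface_for_request(object_path, known_networks):
    """Map a caller-supplied object path to an interface name.

    known_networks is a hypothetical stand-in for what the privileged service
    learns from BlueZ; the caller never supplies the interface name itself.
    """
    if not isinstance(object_path, str) or not OBJECT_PATH.fullmatch(object_path):
        raise Rejected("not a BlueZ device object path: %r" % (object_path,))
    iface = known_networks.get(object_path)
    if iface is None:
        raise Rejected("no network connection for %s" % object_path)
    # Defence in depth: validate even the looked-up value before it enters argv.
    if not IFACE_NAME.fullmatch(iface):
        raise Rejected("unsafe interface name: %r" % (iface,))
    return iface


def dhcp_client_argv(client_argv, object_path, known_networks):
    """Return an argv list (never a shell string) for the DHCP client."""
    return list(client_argv) + [iface_for_request(object_path, known_networks)]


def classify(requests, known_networks):
    """Return {request: argv list or 'rejected: reason'} for each request."""
    results = {}
    for req in requests:
        try:
            results[req] = dhcp_client_argv(["dhcpcd"], req, known_networks)
        except Rejected as exc:
            results[req] = "rejected: %s" % exc
    return results


# Constructed sample data: one known connection, then four caller inputs.
NETWORKS = {"/org/bluez/hci0/dev_00_11_22_33_44_55": "bnep0"}
REQUESTS = ["/org/bluez/hci0/dev_00_11_22_33_44_55", "bnep0",
            "-c/path/to/script", "/org/bluez/hci0/dev_AA_BB_CC_DD_EE_FF"]
```

Calling `classify(REQUESTS, NETWORKS)` yields an argv only for the first request; the bare interface name, the option-shaped string from the advisory and the unknown device path are all rejected before any command line is built.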