Control: tags 1094257 + pending

Dear maintainer,

I've prepared an NMU for bluez (versioned as 5.82-1.1) and uploaded it
to DELAYED/2. Please feel free to tell me if I should cancel it (I can
assume maintainer upload is preferred).

Regards,
Salvatore
diffstat for bluez-5.82 bluez-5.82

 changelog                                               |    7 ++
 patches/Do-not-start-mpris-proxy-for-system-users.patch |   38 ++++++++++++++++
 patches/series                                          |    1 
 3 files changed, 46 insertions(+)

diff -Nru bluez-5.82/debian/changelog bluez-5.82/debian/changelog
--- bluez-5.82/debian/changelog	2025-04-11 16:59:52.000000000 +0200
+++ bluez-5.82/debian/changelog	2025-06-03 20:48:11.000000000 +0200
@@ -1,3 +1,10 @@
+bluez (5.82-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Do not start mpris-proxy for system users (Closes: #1094257)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Tue, 03 Jun 2025 20:48:11 +0200
+
 bluez (5.82-1) unstable; urgency=medium
 
   * Team upload
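Review bot: The new 5.82-1.1 entry at the top of debian/changelog records only "Do not start mpris-proxy for system users" and does not name the patch file being added or say that it is a cherry-pick of an upstream commit, which the Origin field in the patch header shows it is. Consider naming debian/patches/Do-not-start-mpris-proxy-for-system-users.patch in the entry and noting that it comes from upstream, so the changelog alone tells a reader where the change came from.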
diff -Nru bluez-5.82/debian/patches/Do-not-start-mpris-proxy-for-system-users.patch bluez-5.82/debian/patches/Do-not-start-mpris-proxy-for-system-users.patch
--- bluez-5.82/debian/patches/Do-not-start-mpris-proxy-for-system-users.patch	1970-01-01 01:00:00.000000000 +0100
+++ bluez-5.82/debian/patches/Do-not-start-mpris-proxy-for-system-users.patch	2025-06-03 20:48:11.000000000 +0200
@@ -0,0 +1,38 @@
+From: Antonio Russo <aeru...@aerusso.net>
+Date: Mon, 2 Jun 2025 21:37:20 -0600
+Subject: Do not start mpris-proxy for system users
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=99861c249c866e1c4f911f3c3da6de9cef2c3f02
+Bug-Debian: https://bugs.debian.org/1094257
+
+A default installation of bluez results in the systemd user unit
+mpris-proxy.service being started for all users---including root.
+This unnecessarily exposes system users to any security
+vulnerabilities in mpris-proxy.
+
+Inhibit this default behavior by using ConditionUser=!@system.
+
+Reviewed-by: Guido G??nther <a...@sigxcpu.org>
+Reviewed-by: Paul Menzel <pmen...@molgen.mpg.de>
+Reviewed-by: Andrew Sayers <kernel....@pileofstuff.org>
+---
+ tools/mpris-proxy.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in
+index c49d255b311d..6ae56c6720b9 100644
+--- a/tools/mpris-proxy.service.in
++++ b/tools/mpris-proxy.service.in
+@@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1)
+ 
+ Wants=dbus.socket
+ After=dbus.socket dbus.service
++ConditionUser=!@system
+ 
+ [Service]
+ Type=simple
+-- 
+2.49.0
+
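Review bot: In the patch header, the first Reviewed-by line reads "Guido G??nther" even though the header declares charset=UTF-8 with 8bit transfer encoding, so the non-ASCII character in the name was lost before the file was added; re-export the upstream commit so the name is stored as valid UTF-8. The Origin field carries only the commit URL; DEP-3 lets it be written as "Origin: upstream, <url>", which states explicitly that the change is already upstream. The ConditionUser=!@system line itself sits before the blank line that precedes [Service], so it stays in the [Unit] section as a condition setting should.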
diff -Nru bluez-5.82/debian/patches/series bluez-5.82/debian/patches/series
--- bluez-5.82/debian/patches/series	2025-04-11 16:59:52.000000000 +0200
+++ bluez-5.82/debian/patches/series	2025-06-03 20:48:11.000000000 +0200
@@ -12,3 +12,4 @@
 raspi-bcm43xx-load-firmware.patch
 raspi-bcm43xx-3wire.patch
 ubuntu_error_restart.patch
+Do-not-start-mpris-proxy-for-system-users.patch
