Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:firewalld
User: [email protected]
Usertags: pu
[ Reason ]
I'd like to fix an outstanding CVE that security-team tagged no-dsa
which is already fixed in bullseye, trixie/stable, testing & unstable.
[ Impact ]
An unprivileged local user can modify the active firewall rules.
[ Tests ]
https://debusine.debian.net/debian/developers/work-request/708125/
[ Risks ]
The change fixes the dbus access policy and should have no other effect
outside of dbus access to firewalld.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Fix dbus access to 2 methods.
[ Other info ]
none
diff --git a/debian/changelog b/debian/changelog
index bf9b6138..a3827755 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+firewalld (1.3.3-1~deb12u2) bookworm; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2026-4948: fix dbus policy for set{ZoneSettings2,PolicySettings}
+
+ -- Andreas Henriksson <[email protected]> Wed, 20 May 2026 10:02:28 +0200
+
firewalld (1.3.3-1~deb12u1) bookworm; urgency=medium
* Upload to bookworm.
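Review bot: the changelog entry names the CVE and the two methods but not what the policy bug was, so a reader of the bookworm changelog cannot tell why the methods needed fixing; consider expanding the bullet to say that setZoneSettings2 and setPolicySettings were guarded by the read-only polkit action (PK_ACTION_CONFIG_INFO) and now require PK_ACTION_CONFIG like the other mutating methods, and add the Debian bug reference with a Closes: field once this request has a number.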
diff --git a/debian/patches/CVE-2026-4948.patch b/debian/patches/CVE-2026-4948.patch
new file mode 100644
index 00000000..b5f26889
--- /dev/null
+++ b/debian/patches/CVE-2026-4948.patch
@@ -0,0 +1,33 @@
+From: Sizhe Zhao <[email protected]>
+Date: Tue, 31 Mar 2026 20:46:50 +0800
+Subject: fix(policy): use PK_ACTION_CONFIG for
+ set{ZoneSettings2,PolicySettings}
+
+Reference: https://access.redhat.com/security/cve/cve-2026-4948
+(cherry picked from commit 5fb3914ad830feff6cb2b0670457c60a323c6c6c)
+---
+ src/firewall/server/firewalld.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
+index 895e963..6142a8d 100644
+--- a/src/firewall/server/firewalld.py
++++ b/src/firewall/server/firewalld.py
+@@ -925,7 +925,7 @@ class FirewallD(slip.dbus.service.Object):
+ log.debug1("getZoneSettings2(%s)", zone)
+ return self.fw.zone.get_config_with_settings_dict(zone)
+
+- @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
++ @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG)
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='sa{sv}')
+ @dbus_handle_exceptions
+ def setZoneSettings2(self, zone, settings, sender=None):
+@@ -949,7 +949,7 @@ class FirewallD(slip.dbus.service.Object):
+ log.debug1("policy.getPolicySettings(%s)", policy)
+ return self.fw.policy.get_config_with_settings_dict(policy)
+
+- @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
++ @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG)
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_POLICY, in_signature='sa{sv}')
+ @dbus_handle_exceptions
+ def setPolicySettings(self, policy, settings, sender=None):
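Review bot: the patch only touches the two decorators named in the subject (setZoneSettings2 and setPolicySettings), each moved from config.dbus.PK_ACTION_CONFIG_INFO to config.dbus.PK_ACTION_CONFIG, and the diffstat of 2 insertions/2 deletions matches that; before upload it is worth confirming on the bookworm source that no other state-changing method in src/firewall/server/firewalld.py is still guarded by PK_ACTION_CONFIG_INFO, since the cherry-picked upstream commit was written against a newer tree. The patch header carries From/Subject/Reference and the cherry-pick line, which is enough for DEP-3, but an explicit `Origin: upstream, <commit URL>` and `Bug-Debian:` line would make the provenance easier to trace from the series file alone.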
diff --git a/debian/patches/series b/debian/patches/series
index 8c262ab8..f06968f2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
Remove-etc-sysconfig-firewalld-support.patch
Switch-to-python3.patch
+CVE-2026-4948.patch