Your message dated Thu, 05 Nov 2020 00:48:20 +0000
with message-id <e1katrs-000akn...@fasolo.debian.org>
and subject line Bug#973718: fixed in blueman 2.1.4-1
has caused the Debian Bug report #973718,
regarding blueman: CVE-2020-15238
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
973718: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973718
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: blueman
Version: 2.1.3-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.0.8-1
Control: fixed -1 2.0.8-1+deb10u1

Hi,

The following vulnerability was published for blueman.

CVE-2020-15238[0]:
| Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the
| DhcpClient method of the D-Bus interface to blueman-mechanism is prone
| to an argument injection vulnerability. The impact highly depends on
| the system configuration. If Polkit-1 is disabled and for versions
| lower than 2.0.6, any local user can possibly exploit this. If
| Polkit-1 is enabled for version 2.0.6 and later, a possible attacker
| needs to be allowed to use the `org.blueman.dhcp.client` action. That
| is limited to users in the wheel group in the shipped rules file that
| do have the privileges anyway. On systems with ISC DHCP client
| (dhclient), attackers can pass arguments to `ip link` with the
| interface name that can e.g. be used to bring down an interface or add
| an arbitrary XDP/BPF program. On systems with dhcpcd and without ISC
| DHCP client, attackers can even run arbitrary scripts by passing
| `-c/path/to/script` as an interface name. Patches are included in
| 2.1.4 and master that change the DhcpClient D-Bus method(s) to accept
| BlueZ network object paths instead of network interface names. A
| backport to 2.0(.8) is also available. As a workaround, make sure that
| Polkit-1-support is enabled and limit privileges for the
| `org.blueman.dhcp.client` action to users that are able to run
| arbitrary commands as root anyway in
| /usr/share/polkit-1/rules.d/blueman.rules.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15238
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15238
[1] https://github.com/blueman-project/blueman/security/advisories/GHSA-jpc9-mgw6-2xwx
[2] https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/1897287
[3] https://github.com/blueman-project/blueman/commit/02161d60e8e311b08fb18254615259085fcd668

Regards,
Salvatore

--- End Message ---
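The advisory quoted above describes two things a hardened mechanism needs: it must never let a caller choose the string that lands in a privileged argv, and the fix in 2.1.4 achieves that by accepting a BlueZ network object path and deriving the interface name on the privileged side. The following Python (blueman's own language) is an added illustration of that pattern, not code from blueman or the Debian package; the `KNOWN_NETWORKS` table, the `dhclient -4` argv and the helper names are constructed assumptions.

```python
import re

# Constructed stand-in for what BlueZ would report over D-Bus (object path -> interface).
# A real mechanism would query org.bluez.Network1 instead of trusting a static table.
KNOWN_NETWORKS = {
    "/org/bluez/hci0/dev_AA_BB_CC_DD_EE_FF": "bnep0",
    "/org/bluez/hci0/dev_11_22_33_44_55_66": "bnep1",
}

# BlueZ device object paths have a fixed shape; anything else is rejected up front.
_BLUEZ_DEV_PATH_RE = re.compile(r"^/org/bluez/hci\d+/dev(_[0-9A-F]{2}){6}$")

# Kernel interface names: 1..15 bytes (IFNAMSIZ-1), no '/', no whitespace.
# The first character may not be '-', so a name can never be parsed as an option
# such as the '-c/path/to/script' case the advisory describes for dhcpcd.
_IFNAME_RE = re.compile(r"^[A-Za-z0-9_.:][A-Za-z0-9_.:-]{0,14}$")


def is_safe_ifname(name: str) -> bool:
    """True only for a name the kernel would accept and no client could read as a flag."""
    return name not in (".", "..") and _IFNAME_RE.fullmatch(name) is not None


def resolve_interface(object_path: str, networks=KNOWN_NETWORKS) -> str:
    """Post-2.1.4 pattern: the caller supplies an object path, the privileged side
    looks up the interface itself, so the caller never controls the argv value."""
    if _BLUEZ_DEV_PATH_RE.fullmatch(object_path) is None:
        raise ValueError(f"not a BlueZ device object path: {object_path!r}")
    try:
        return networks[object_path]
    except KeyError:
        raise LookupError(f"no connected network for {object_path!r}") from None


def try_resolve(object_path: str, networks=KNOWN_NETWORKS):
    """Convenience wrapper returning None instead of raising on rejection."""
    try:
        return resolve_interface(object_path, networks)
    except (ValueError, LookupError):
        return None


def dhcp_client_argv(object_path: str, networks=KNOWN_NETWORKS) -> list:
    """Build the argv the mechanism would hand to the DHCP client.
    The command name is an assumption for illustration only."""
    ifname = resolve_interface(object_path, networks)
    if not is_safe_ifname(ifname):  # defence in depth even for BlueZ-provided names
        raise ValueError(f"refusing unsafe interface name {ifname!r}")
    return ["dhclient", "-4", ifname]
```

Validating the interface name alone would already block the option-injection shape, but it still leaves the caller picking which interface the privileged helper acts on; resolving from an object path removes that choice entirely.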
--- Begin Message ---
Source: blueman
Source-Version: 2.1.4-1
Done: Christopher Schramm <deb...@cschramm.eu>

We believe that the bug you reported is fixed in the latest version of
blueman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 973...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christopher Schramm <deb...@cschramm.eu> (supplier of updated blueman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 6 Oct 2020 09:05:00 +0200
Source: blueman
Architecture: source
Version: 2.1.4-1
Distribution: unstable
Urgency: high
Maintainer: Christopher Schramm <deb...@cschramm.eu>
Changed-By: Christopher Schramm <deb...@cschramm.eu>
Closes: 973718
Changes:
 blueman (2.1.4-1) unstable; urgency=high
 .
   * New release (Closes: #973718 (CVE-2020-15238))
   * Enable Polkit-1 support
   * Improve packaging
     * Drop cdbs
     * Update standards version
     * Fix whitespaces in d/changelog and d/rules
     * Add d/upstream/metadata and d/watch
     * Add Vcs-* fields to d/control
     * Use DEP5 format in d/copyright
     * Enable hardening
     * Add lintian overrides


--- End Message ---