Package: lintian
Version: 2.5.30
Severity: wishlist
Tags: patch

Patches also available from:
ssh://git.debian.org/git/users/smcv/lintian.git dbus

Using the results of the checks I added in #762609, I enhanced the checks to ignore non-problematic situations and give more context when reporting problems.

Investigating the remaining packages further, I found two security vulnerabilities: CVE-2014-8148 in midgard2-common, and CVE-2014-8156 in various freesmartphone.org packages. Now that both of those are unembargoed, I would like to land the enhanced checks in lintian. I would also like to mark the D-Bus checks as non-experimental.

Here are some selected results with annotations:

W: bluez: dbus-policy-at-console etc/dbus-1/system.d/bluetooth.conf <policy at_console="true"><allow send_destination="org.bluez"/>
    ^^^ this is deprecated, but not a security vulnerability

E: fso-frameworkd: dbus-policy-excessively-broad etc/dbus-1/system.d/frameworkd.conf <policy context="default"><allow send_path="/org/freesmartphone/testing"/>
    ^^^ this is one of several similar issues making up CVE-2014-8156

W: fso-frameworkd: dbus-policy-without-send-destination etc/dbus-1/system.d/frameworkd.conf <policy context="default"><allow send_interface="org.freedesktop.DBus.Introspectable"/>
    ^^^ this is a bug, but not a security vulnerability as such

E: midgard2-common: dbus-policy-excessively-broad etc/dbus-1/system.d/midgard_dbus.conf <policy context="default"><allow send_type="method_call"/>
    ^^^ this is part of CVE-2014-8148

The commit "Transcode checks/dbus.pm to UTF-8" might not apply correctly from the attached patches if it suffers the same MTA damage as the one you applied: please obtain it from ssh://git.debian.org/git/users/smcv/lintian.git if necessary. (isutf8 checks/dbus.pm, using isutf8 from moreutils, should return 0.)

Regards,
    S
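
Added example (not part of the original report, and not lintian's own Perl code): a small Python checker that reproduces the three tags on the four rules quoted above. The classification logic is an assumption inferred only from those four annotated results, and the policy file is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the four rules quoted in the report, plus one
# well-scoped rule (hypothetical names) that should produce no finding.
SAMPLE = """<busconfig>
  <policy at_console="true">
    <allow send_destination="org.bluez"/>
  </policy>
  <policy context="default">
    <allow send_path="/org/freesmartphone/testing"/>
    <allow send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_type="method_call"/>
    <allow send_destination="org.example.Service"
           send_interface="org.example.Iface"/>
  </policy>
</busconfig>"""


def render(elem, close=""):
    """Serialise an element's start tag the way the report shows context."""
    attrs = "".join(f' {k}="{v}"' for k, v in elem.attrib.items())
    return f"<{elem.tag}{attrs}{close}>"


def check_policy(xml_text):
    """Return (severity, tag, context) for each suspicious policy rule."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        for rule in policy:
            context = render(policy) + render(rule, "/")
            send = {k for k in rule.attrib if k.startswith("send_")}
            if "at_console" in policy.attrib:
                # Deprecated mechanism, reported whatever the rule says.
                findings.append(("W", "dbus-policy-at-console", context))
            elif rule.tag != "allow" or not send or "send_destination" in send:
                continue  # not a send rule, or scoped to one destination
            elif send == {"send_interface"}:
                # Assumption: interface-only match is a bug, not a hole.
                findings.append(
                    ("W", "dbus-policy-without-send-destination", context))
            else:
                # Matches messages to every service on the system bus.
                findings.append(("E", "dbus-policy-excessively-broad", context))
    return findings


if __name__ == "__main__":
    for sev, tag, ctx in check_policy(SAMPLE):
        print(f"{sev}: {tag} {ctx}")
```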