Hi,

On Sat, May 17, 2025 at 03:17:20PM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Fri, May 09, 2025 at 12:25:11PM -0400, Jeremy Bícha wrote:
> > On Fri, May 9, 2025 at 11:27 AM Antonio Russo <aeru...@aerusso.net> wrote:
> > > I'm tagging this bug as a security bug because it needlessly
> > > starts a process that should not be running as root.
> >
> > Have you sent your patch to the security contact at
> > https://www.bluez.org/development/security-bugs/ yet?
>
> I noticed that there is an upstream report here:
> https://lore.kernel.org/linux-bluetooth/a15e6919-9000-4628-baec-a2d2cc327...@aerusso.net/

I've followed up there. Thanks for pulling me into the loop.

> FWIW, while there are security concerns, I think it needs to be
> handled upstream first, and Debian not diverge. So once this is
> applied upstream it might or might not flow in time into trixie before
> release.

In what situations would the user service for root be spawned? It's not used for su, sudo or ssh as far as I can tell. This leaves tty and graphical logins (which we can ignore as they're unsafe anyway). Are there other cases?

If not, I'd say lowering severity and waiting a bit longer to see what upstream says should be o.k. That said, the patch isn't huge, so cherry-picking it into the next upload wouldn't hurt either.

Cheers,
-- Guido