On Sun, Jan 04, 2009 at 01:29:44AM +0000, Simon McVittie wrote:
> Package: bluez-utils
> Version: 3.36-2
> Severity: serious
> Justification: blocker for #503532 (CVE-2008-4311) and far-fetched security
> hole
> Tags: fixed-upstream
> User: pkg-utopia-maintain...@lists.alioth.debian.org
> Usertags: CVE-2008-4311
>
> bluez-utils installs a D-Bus system policy file intending to allow users
> at the console to send BlueZ messages to hcid. However, it actually
> allows users at the console to send messages to the object path '/' on
> any service, slightly subverting access control for those other services.
Agreed.

> Furthermore, it might be insufficient to allow everything that hcid intends to
> allow; messages used to be allowed accidentally by a dbus-daemon bug, but
> with the dbus-daemon changes targeted for lenny, they will be denied
> unless explicitly allowed.
>
> <http://git.kernel.org/?p=bluetooth/bluez.git;a=history;f=src/bluetooth.conf;h=c0476237;hb=fb333f1c>
> shows the recent history of this file - the latest version,
> <http://git.kernel.org/?p=bluetooth/bluez.git;a=blob;f=src/bluetooth.conf;hb=06637b08>,
> appears to be appropriate.

I have tried with the experimental version of dbus and the said bluetooth.conf
file and it doesn't seem to work, though I'm investigating.

thanks,
filippo
--
Filippo Giunchedi - http://esaurito.net
PGP key: 0x6B79D401

random quote follows:

Gretchen: Donnie Darko? What the hell kind of name is that? It's like some
sort of superhero or something.
Donnie: What makes you think I'm not?
-- from Donnie Darko (2001)
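The misconfiguration class the report describes (an at_console `<allow>` that matches on `send_path` but never pins `send_destination`, so it applies to every service on the bus) is easy to lint for mechanically. The following is an added example written for this thread, not code from the bluez, dbus or Debian projects: it parses a D-Bus busconfig policy, reports every `<allow>` that matches on message content without a `send_destination`, and rewrites those rules to name the intended service. The sample policy embedded in it is constructed to model the flaw as described in the bug; it is not the actual bluez-utils 3.36 bluetooth.conf, and `org.bluez` as the intended destination is an assumption for the illustration.

```python
"""Lint a D-Bus system-bus policy for send rules that are not scoped to a
destination service (the CVE-2008-4311 misconfiguration class).

Added example for this bug thread; not bluez, dbus or Debian code.
"""
import xml.etree.ElementTree as ET

# <allow>/<deny> attributes that select on the *message* rather than on the
# recipient service.  A rule using only these, with no send_destination,
# applies to messages sent to any service on the bus.
MESSAGE_MATCH_ATTRS = ("send_path", "send_interface", "send_member",
                       "send_type", "send_error")

# Constructed sample modelled on the report: the at_console policy allows
# send_path="/" without a destination, so console users may send to "/" on
# any service.  This is NOT the real bluetooth.conf from bluez-utils 3.36.
SAMPLE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.bluez"/>
    <allow send_destination="org.bluez"/>
  </policy>
  <policy at_console="true">
    <allow send_destination="org.bluez"/>
    <allow send_path="/"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.bluez"/>
  </policy>
</busconfig>
"""


def _is_overly_broad(rule):
    """True for an <allow> that matches on message content but does not
    restrict the destination service."""
    attrs = rule.attrib
    matches_message = any(a in attrs for a in MESSAGE_MATCH_ATTRS)
    return matches_message and "send_destination" not in attrs


def overly_broad_send_rules(policy_xml):
    """Return a list of (policy_selector, rule_attrs) tuples, one per
    <allow> that is not scoped to a destination service.

    policy_selector is the <policy> element's attributes, e.g.
    {'at_console': 'true'}, so the caller can see which principals the
    over-broad grant applies to."""
    root = ET.fromstring(policy_xml)
    findings = []
    for policy in root.iter("policy"):
        selector = dict(policy.attrib)
        for rule in policy.findall("allow"):
            if _is_overly_broad(rule):
                findings.append((selector, dict(rule.attrib)))
    return findings


def fix_send_rules(policy_xml, destination):
    """Return the policy as a string with send_destination=<destination>
    added to every over-broad <allow>, so each grant is limited to the
    service the packager actually intended (assumed here to be one
    well-known name passed in by the caller)."""
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        for rule in policy.findall("allow"):
            if _is_overly_broad(rule):
                rule.set("send_destination", destination)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for selector, attrs in overly_broad_send_rules(SAMPLE_POLICY):
        print("over-broad <allow> in policy %r: %r" % (selector, attrs))
    print(fix_send_rules(SAMPLE_POLICY, "org.bluez"))
```

Run against the sample, the linter flags exactly one rule, the `send_path="/"` grant in the `at_console="true"` policy; `fix_send_rules` turns it into `<allow send_path="/" send_destination="org.bluez"/>`, after which the linter reports nothing. The check deliberately ignores `own=` and pure `send_destination=` rules, which are already scoped. It does not address the second concern in the report (that the stricter dbus-daemon may now deny messages hcid actually needs); that requires knowing hcid's interfaces, which the lint cannot infer from the policy alone.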