Package: midgard2-common
Version: 10.05.7.1-2
Severity: critical
Tags: security
X-Debbugs-Cc: secur...@debian.org
I notified the Debian security team before public disclosure, and the Debian maintainer is already aware, but for completeness, here is a Debian bug:

On 05/01/15 15:07, Simon McVittie wrote:
> Type of vulnerability: CWE-284 Improper Access Control
> Exploitable by: local users
> Impact: could allow arbitrary code execution as root (dependent on
> installed D-Bus system services)
> Reporter: Simon McVittie, Collabora Ltd.
> Upstream notified: 2014-12-19
>
> Midgard2 is an open source content repository for data-intensive web and
> desktop applications.
>
> While checking Debian for incorrect/dangerous D-Bus security policy
> files (found in /etc/dbus-1/system.d/*.conf) I found this access control
> rule in midgard2-common/10.05.7.1-2, part of the upstream project
> midgard-core:
>
>   <policy context="default">               <==== "applies to everyone"
>     <allow own="org.midgardproject" />     <==== probably undesired
>     <allow send_type="method_call"/>       <==== definitely bad
>     <allow send_type="signal" />           <==== not good either
>   </policy>
>
> This is analogous to an overly permissive "chmod": it allows any process
> on the system bus to send any method call or signal to any other process
> on the system bus, including those that are normally forbidden either
> explicitly or via the system bus' documented default-deny policy. Some
> D-Bus system services perform additional authorization checks, either
> via Polkit/PolicyKit or internally, but many services rely on the system
> bus to apply their intended security model.
>
> For instance, depending on installed software, this vulnerability could
> allow unprivileged local users to:
>
> * invoke Avahi's SetHostName() method
> * communicate with bluetooth devices using BlueZ
> * install printer drivers using system-config-printer
> * run NetworkManager "dispatcher" scripts
> * ...
>
> It seems likely that at least one of these services can be used for
> arbitrary code execution as root, making this a severe vulnerability.
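The following is an added example, not part of the bug report and not code from the midgard-core project. It implements the kind of audit the report describes (checking /etc/dbus-1/system.d/*.conf for over-broad rules): it parses a D-Bus bus policy, flags `<allow>` rules inside a `context="default"` policy that grant name ownership or send rights without a `send_destination`, and contrasts the policy quoted above with a hardened one. The hardened policy's service user name "midgard" is an assumption chosen for illustration; the real packaging would use whatever account the daemon runs as.

```python
import glob
import sys
import xml.etree.ElementTree as ET

# Attributes on an <allow> element that widen what a sender may do. When such
# a rule sits in a context="default" policy and names no send_destination,
# dbus-daemon applies it to every sender and every destination on the bus,
# which is exactly the defect the report describes.
SEND_ATTRS = ("send_type", "send_interface", "send_member", "send_path")


def find_dangerous_rules(policy_xml):
    """Return a list of short descriptions of over-broad <allow> rules.

    Only rules inside <policy context="default"> are examined, because rules
    scoped to a user or group (policy user="..." / group="...") are already
    narrower by construction.
    """
    root = ET.fromstring(policy_xml)
    findings = []
    for policy in root.iter("policy"):
        if policy.get("context") != "default":
            continue
        for rule in policy.findall("allow"):
            attrs = dict(rule.attrib)
            # Anyone may claim the well-known name: a local process could
            # impersonate the service towards its clients.
            if "own" in attrs or "own_prefix" in attrs:
                findings.append("default policy allows own=%s"
                                % (attrs.get("own") or attrs.get("own_prefix")))
            # Send rights with no destination constraint apply bus-wide.
            if any(a in attrs for a in SEND_ATTRS) and "send_destination" not in attrs:
                summary = " ".join("%s=%s" % kv for kv in sorted(attrs.items()))
                findings.append("default policy allows wildcard send: " + summary)
    return findings


def scan_policy_file(path):
    """Audit one bus configuration file on disk."""
    with open(path, "rb") as fh:
        return find_dangerous_rules(fh.read())


# Constructed copy of the rule quoted in the report (DOCTYPE omitted for brevity).
VULNERABLE_POLICY = """<busconfig>
  <policy context="default">
    <allow own="org.midgardproject"/>
    <allow send_type="method_call"/>
    <allow send_type="signal"/>
  </policy>
</busconfig>"""

# Constructed hardened form: only the (assumed) service account may own the
# name, and other processes may only talk to that name, nothing else.
HARDENED_POLICY = """<busconfig>
  <policy user="midgard">
    <allow own="org.midgardproject"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.midgardproject"/>
  </policy>
</busconfig>"""


if __name__ == "__main__":
    # With no arguments, audit the live system bus policy directory.
    paths = sys.argv[1:] or glob.glob("/etc/dbus-1/system.d/*.conf")
    for path in paths:
        for finding in scan_policy_file(path):
            print("%s: %s" % (path, finding))
    print("report's rule:", find_dangerous_rules(VULNERABLE_POLICY))
    print("hardened rule:", find_dangerous_rules(HARDENED_POLICY))
```

Run it with no arguments to audit every file in /etc/dbus-1/system.d, or pass individual .conf paths. The check is deliberately conservative: a `<deny>` that appears later in the same file does not cancel an earlier finding, so a flagged rule still deserves a manual look at the whole policy.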