Source: blueman
Version: 2.1.3-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.0.8-1
Control: fixed -1 2.0.8-1+deb10u1

Hi,

The following vulnerability was published for blueman.

CVE-2020-15238[0]:
| Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the
| DhcpClient method of the D-Bus interface to blueman-mechanism is prone
| to an argument injection vulnerability. The impact highly depends on
| the system configuration. If Polkit-1 is disabled and for versions
| lower than 2.0.6, any local user can possibly exploit this. If
| Polkit-1 is enabled for version 2.0.6 and later, a possible attacker
| needs to be allowed to use the `org.blueman.dhcp.client` action. That
| is limited to users in the wheel group in the shipped rules file that
| do have the privileges anyway. On systems with ISC DHCP client
| (dhclient), attackers can pass arguments to `ip link` with the
| interface name that can e.g. be used to bring down an interface or add
| an arbitrary XDP/BPF program. On systems with dhcpcd and without ISC
| DHCP client, attackers can even run arbitrary scripts by passing
| `-c/path/to/script` as an interface name. Patches are included in
| 2.1.4 and master that change the DhcpClient D-Bus method(s) to accept
| BlueZ network object paths instead of network interface names. A
| backport to 2.0(.8) is also available. As a workaround, make sure that
| Polkit-1-support is enabled and limit privileges for the
| `org.blueman.dhcp.client` action to users that are able to run
| arbitrary commands as root anyway in
| /usr/share/polkit-1/rules.d/blueman.rules.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15238
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15238
[1] https://github.com/blueman-project/blueman/security/advisories/GHSA-jpc9-mgw6-2xwx
[2] https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/1897287
[3] https://github.com/blueman-project/blueman/commit/02161d60e8e311b08fb18254615259085fcd668

Regards,
Salvatore
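
The difference between taking an interface name from the caller and taking a BlueZ object path, as the CVE text above describes the fix, shown as an added Python example that is not part of the original report and is not blueman's code. The function names, the object-path pattern, the `SAMPLE_OBJECTS` lookup table (a stand-in for the D-Bus query) and the name whitelist are assumptions made for illustration; nothing is executed, only the argument vectors are built.

```python
import re

# Deliberately stricter than the kernel's own rules: ASCII only, at most 15
# characters, and no leading '-' (which would make the name parse as an option).
_IFNAME_RE = re.compile(r"[A-Za-z0-9_.][A-Za-z0-9_.\-]{0,14}")
# Assumed strict shape of a BlueZ device object path (pattern is hypothetical).
_BLUEZ_PATH_RE = re.compile(r"/org/bluez/hci[0-9]+/dev(_[0-9A-F]{2}){6}")

# Constructed sample: stand-in for reading the interface name of a connected
# BlueZ network object over D-Bus.
SAMPLE_OBJECTS = {"/org/bluez/hci0/dev_00_11_22_33_44_55": "bnep0"}


def is_safe_ifname(name):
    """True only for names that cannot be mistaken for an option or a path."""
    return name not in (".", "..") and _IFNAME_RE.fullmatch(name) is not None


def unsafe_argv(caller_supplied):
    """Pre-fix pattern: the caller's string reaches the DHCP client's argv as-is."""
    return ["dhcpcd", caller_supplied]


def hardened_argv(object_path, network_objects):
    """Post-fix pattern: the caller names an object, the service derives the interface."""
    if not _BLUEZ_PATH_RE.fullmatch(object_path):
        raise ValueError("not a BlueZ device object path")
    iface = network_objects.get(object_path)
    if iface is None:
        raise ValueError("no network connection on that object")
    if not is_safe_ifname(iface):
        raise ValueError("refusing interface name %r" % (iface,))
    return ["dhcpcd", iface]


if __name__ == "__main__":
    print(unsafe_argv("-c/path/to/script"))      # option-shaped "name" passes through
    print(hardened_argv("/org/bluez/hci0/dev_00_11_22_33_44_55", SAMPLE_OBJECTS))
    try:
        hardened_argv("-c/path/to/script", SAMPLE_OBJECTS)
    except ValueError as exc:
        print("rejected:", exc)
```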