blueman: CVE-2020-15238

Debian Bug report logs - #973718
blueman: CVE-2020-15238

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: blueman: CVE-2020-15238

Date: Tue, 03 Nov 2020 22:06:28 +0100

Source: blueman
Version: 2.1.3-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.0.8-1
Control: fixed -1 2.0.8-1+deb10u1

Hi,

The following vulnerability was published for blueman.

CVE-2020-15238[0]:
| Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the
| DhcpClient method of the D-Bus interface to blueman-mechanism is prone
| to an argument injection vulnerability. The impact highly depends on
| the system configuration. If Polkit-1 is disabled and for versions
| lower than 2.0.6, any local user can possibly exploit this. If
| Polkit-1 is enabled for version 2.0.6 and later, a possible attacker
| needs to be allowed to use the `org.blueman.dhcp.client` action. That
| is limited to users in the wheel group in the shipped rules file that
| do have the privileges anyway. On systems with ISC DHCP client
| (dhclient), attackers can pass arguments to `ip link` with the
| interface name that can e.g. be used to bring down an interface or add
| an arbitrary XDP/BPF program. On systems with dhcpcd and without ISC
| DHCP client, attackers can even run arbitrary scripts by passing
| `-c/path/to/script` as an interface name. Patches are included in
| 2.1.4 and master that change the DhcpClient D-Bus method(s) to accept
| BlueZ network object paths instead of network interface names. A
| backport to 2.0(.8) is also available. As a workaround, make sure that
| Polkit-1-support is enabled and limit privileges for the
| `org.blueman.dhcp.client` action to users that are able to run
| arbitrary commands as root anyway in
| /usr/share/polkit-1/rules.d/blueman.rules.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15238
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15238
[1] https://github.com/blueman-project/blueman/security/advisories/GHSA-jpc9-mgw6-2xwx
[2] https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/1897287
[3] https://github.com/blueman-project/blueman/commit/02161d60e8e311b08fb18254615259085fcd668

Regards,
Salvatore

Message #14 received at 973718@bugs.debian.org (full text, mbox, reply):

From: Christopher Schramm <debian@cschramm.eu>

To: Salvatore Bonaccorso <carnil@debian.org>, 973718@bugs.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>

Subject: Re: Bug#973718: blueman: CVE-2020-15238

Date: Tue, 3 Nov 2020 22:17:28 +0100

Hi Salvatore,

2.1.4-1 is waiting at https://mentors.debian.net/package/blueman/. I can 
add the CVE number and / or this bug to the changelog if you like.

Unfortunately my sponsor Nobuhiro seems to be unavailable.

Regards

Message #19 received at 973718@bugs.debian.org (full text, mbox, reply):

From: Nobuhiro Iwamatsu <iwamatsu@debian.org>

To: Christopher Schramm <debian@cschramm.eu>

Cc: Salvatore Bonaccorso <carnil@debian.org>, 973718@bugs.debian.org

Subject: Re: Bug#973718: blueman: CVE-2020-15238

Date: Wed, 4 Nov 2020 08:09:49 +0900

Hi,

Sorry,.I will check this,If there is no problem, upload it.

Best regards,
  Nobuhiro

2020年11月4日(水) 6:17 Christopher Schramm <debian@cschramm.eu>:

>
> Hi Salvatore,
>
> 2.1.4-1 is waiting at https://mentors.debian.net/package/blueman/. I can
> add the CVE number and / or this bug to the changelog if you like.
>
> Unfortunately my sponsor Nobuhiro seems to be unavailable.
>
> Regards



--
Nobuhiro Iwamatsu
   iwamatsu at {nigauri.org / debian.org}
   GPG ID: 40AD1FA6

Message #24 received at 973718@bugs.debian.org (full text, mbox, reply):

From: Nobuhiro Iwamatsu <iwamatsu@debian.org>

To: Christopher Schramm <debian@cschramm.eu>

Cc: Salvatore Bonaccorso <carnil@debian.org>, 973718@bugs.debian.org

Subject: Re: Bug#973718: blueman: CVE-2020-15238

Date: Wed, 4 Nov 2020 08:22:19 +0900

Hi,

I added some comment on https://mentors.debian.net/. Could  you check it?

Best regards,
  Nobuhiro

2020年11月4日(水) 8:09 Nobuhiro Iwamatsu <iwamatsu@debian.org>:
>
> Hi,
>
> Sorry,.I will check this,If there is no problem, upload it.
>
> Best regards,
>   Nobuhiro
>
> 2020年11月4日(水) 6:17 Christopher Schramm <debian@cschramm.eu>:
>
> >
> > Hi Salvatore,
> >
> > 2.1.4-1 is waiting at https://mentors.debian.net/package/blueman/. I can
> > add the CVE number and / or this bug to the changelog if you like.
> >
> > Unfortunately my sponsor Nobuhiro seems to be unavailable.
> >
> > Regards
>
>
>
> --
> Nobuhiro Iwamatsu
>    iwamatsu at {nigauri.org / debian.org}
>    GPG ID: 40AD1FA6



-- 
Nobuhiro Iwamatsu
   iwamatsu at {nigauri.org / debian.org}
   GPG ID: 40AD1FA6

Message #29 received at 973718-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 973718-close@bugs.debian.org

Subject: Bug#973718: fixed in blueman 2.1.4-1

Date: Thu, 05 Nov 2020 00:48:20 +0000

Source: blueman
Source-Version: 2.1.4-1
Done: Christopher Schramm <debian@cschramm.eu>

We believe that the bug you reported is fixed in the latest version of
blueman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 973718@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christopher Schramm <debian@cschramm.eu> (supplier of updated blueman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 6 Oct 2020 09:05:00 +0200
Source: blueman
Architecture: source
Version: 2.1.4-1
Distribution: unstable
Urgency: high
Maintainer: Christopher Schramm <debian@cschramm.eu>
Changed-By: Christopher Schramm <debian@cschramm.eu>
Closes: 973718
Changes:
 blueman (2.1.4-1) unstable; urgency=high
 .
   * New release (Closes: #973718 (CVE-2020-15238))
   * Enable Polkit-1 support
   * Improve packaging
     * Drop cdbs
     * Update standards version
     * Fix whitespaces in d/changelog and d/rules
     * Add d/upstream/metadata and d/watch
     * Add Vcs-* fields to d/control
     * Use DEP5 format in d/copyright
     * Enable hardening
     * Add lintian overrides
Checksums-Sha1:
 35880a7336a00498145b8080fbb62cf469d20e7a 2006 blueman_2.1.4-1.dsc
 50e0cea349341198c2568d50712999137a077c60 2300643 blueman_2.1.4.orig.tar.gz
 5ee16465df14dbc2ac5cb5c6ff80945c448d64b6 5760 blueman_2.1.4-1.debian.tar.xz
 212034e4c9f728171cffe5fc06ad8dc78c02f4d2 8490 blueman_2.1.4-1_amd64.buildinfo
Checksums-Sha256:
 5b43e125fc48fc9ad6a1510537c09d94df92351a918219320358a0498cecd5e3 2006 blueman_2.1.4-1.dsc
 c8c218bd60a2e5b9ecfd2708366974b7901e5291f009abd1fc63083d7aa9529d 2300643 blueman_2.1.4.orig.tar.gz
 392eb770fc0fb831cb5ffa39eb46dd5e47c87a5b236233253aa03109f2fbe862 5760 blueman_2.1.4-1.debian.tar.xz
 abe56d6de778233631bf7c49a757659fdc021ef42455f3d1664e6c5aeafbca30 8490 blueman_2.1.4-1_amd64.buildinfo
Files:
 e17f68f08e69f6c6fd9fb417dd42d606 2006 x11 optional blueman_2.1.4-1.dsc
 ac0fa255ddcb2b52ee1bffda45a9a2aa 2300643 x11 optional blueman_2.1.4.orig.tar.gz
 cc1a50a2bd9b3017d7d4c1669c61a1af 5760 x11 optional blueman_2.1.4-1.debian.tar.xz
 476f2d781f6089c5ccc5477d478cf512 8490 x11 optional blueman_2.1.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEXmKe5SMhlzV7hM9DMiR/u0CtH6YFAl+jRrIACgkQMiR/u0Ct
H6Zm1A/+IegqPQbSJV2kEo6f9G0y6sOkJ7X1V4ts99Vs3aSuS6M2VhbsvxPMY2qU
s7NkcV6AkpsSkiJddhIfHOch4fLCY03M1kPJTlli6svZjT+SDPoWEC4HGPg47Bl+
sud+BBRTNkRrYDKEkl0F/g9f1UYabv8eIcH8+Bw7SLeUP1byijKKW2JGgll6hA13
tG6L7MgkqHJinbHUgp9CNJzBfRQFxlydMOA9BJTGVT0Bm1jhQHQ/n9i2Bum/R0VH
+z6AOTvgSmdWp0lbbP8BrAZzQmmoOsA+Y/zrfOEoMCJC8k9B0HfWeHkUEq6jlhx6
Xt4OKE3x9I+X9Dkm5O8sYJuS/hYAm2uVWmdbmVSnI48sJ+gjxAMbR4n1I5ClC80k
4UY5wXt6bKcnKgJag2nmu/bnTowUsE7FVQ/SFyZuxi+q9Nde7j2vty6qWfW0dGtt
jPgQMpkS2iZ34+/qkvxu6fSBlOOpT9i0zV1GSXnNqDZV6iB9rpPPuCsIFvwXfslB
3SJr0DMAO1XbcYTV13Qew1/6NwucBqP4nZekTusFfo2XVBtp1kZlnyqhfpBET0FU
AXjz8KifMjs0ZCXhR18ZgdSkESzSICrQy6UhZdeJOI2WAWqpje/M73OmwgNTE1RE
AxqfsnJ8iYW7b6NyQp6f8v6Z0nm5ieupgnNkl/mraSv7k5W+xnI=
=P+k2
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.