Skip to content

Unchecked privileged actions in org.blueman.Mechanism D-Bus interface

Low
cschramm published GHSA-27ww-5vfj-j2vp Oct 26, 2020

Package

No package listed

Affected versions

<= 2.0.5

Patched versions

>= 2.0.6

Description

Impact

The org.blueman.Mechanism D-Bus interface allowed local users to launch DHCP clients and PPP daemons and setting rfkill states.

Patches

blueman 2.0.6 added authorization for those actions via Polkit-1. Polkit-1 support needs to be enabled (that's the default if the polkit-agent-1 package is available on the build system). blueman 2.0.7 started shipping default convenience rules that allow those actions to users of the wheel group.

References

https://github.com/blueman-project/blueman/releases/tag/2.0.6

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs