Impact
The org.blueman.Mechanism D-Bus interface allowed local users to launch DHCP clients and PPP daemons and to set rfkill states.
Patches
blueman 2.0.6 added authorization for those actions via Polkit-1. Polkit-1 support needs to be enabled (that's the default if the polkit-agent-1
package is available on the build system). blueman 2.0.7 started shipping default convenience rules that allow those actions to users of the wheel group.
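A local polkit rule in the spirit of the 2.0.7 convenience rules, written here as an added example (it is not blueman's shipped rules file). The `org.blueman.` action-id prefix, the local/active session checks and the admin-authentication fallback are assumptions of this sketch; list the action ids actually registered on a system with `pkaction` before relying on it.

```javascript
// Added example: a polkit rules file (e.g. dropped into /etc/polkit-1/rules.d/).
// ASSUMPTION: blueman's polkit action ids start with "org.blueman.".
var ACTION_PREFIX = "org.blueman.";
var ALLOWED_GROUP = "wheel"; // group named in the advisory

// polkitd supplies polkit.Result; the fallback lets the file load in a plain
// JS engine so the decision logic can be exercised outside polkitd.
var RESULT = (typeof polkit !== "undefined")
    ? polkit.Result
    : { YES: "yes", AUTH_ADMIN: "auth_admin" };

function bluemanRule(action, subject) {
    // Not a blueman action: return nothing so other rules and defaults apply.
    if (action.id.indexOf(ACTION_PREFIX) !== 0) {
        return undefined;
    }
    // Grant without a prompt only to wheel members in an active session on a
    // local seat (assumed hardening: remote or inactive sessions never qualify).
    if (subject.local && subject.active && subject.isInGroup(ALLOWED_GROUP)) {
        return RESULT.YES;
    }
    // Everyone else must authenticate as an administrator.
    return RESULT.AUTH_ADMIN;
}

if (typeof polkit !== "undefined") {
    polkit.addRule(bluemanRule);
}
```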
References
https://github.com/blueman-project/blueman/releases/tag/2.0.6
For more information
If you have any questions or comments about this advisory: