[Pkg-bluetooth-maintainers] Bug#510644: Bug#510644: bluetooth.conf needs alterations for new D-Bus

Filippo Giunchedi filippo at debian.org
Sun Jan 4 13:27:33 UTC 2009

On Sun, Jan 04, 2009 at 01:29:44AM +0000, Simon McVittie wrote:
> Package: bluez-utils
> Version: 3.36-2
> Severity: serious
> Justification: blocker for #503532 (CVE-2008-4311) and far-fetched security hole
> Tags: fixed-upstream
> User: pkg-utopia-maintainers at lists.alioth.debian.org
> Usertags: CVE-2008-4311
>
> bluez-utils installs a D-Bus system policy file intending to allow users
> at the console to send BlueZ messages to hcid. However, it actually
> allows users at the console to send messages to the object path '/' on
> any service, slightly subverting access control for those other services.
>
> Furthermore, it might be insufficient to allow everything that hcid intends to
> allow; messages used to be allowed accidentally by a dbus-daemon bug, but
> with the dbus-daemon changes targeted for lenny, they will be denied
> unless explicitly allowed.
> <http://git.kernel.org/?p=bluetooth/bluez.git;a=history;f=src/bluetooth.conf;h=c0476237;hb=fb333f1c>
> shows the recent history of this file - the latest version,
> <http://git.kernel.org/?p=bluetooth/bluez.git;a=blob;f=src/bluetooth.conf;hb=06637b08>,
> appears to be appropriate.

I have tried with the experimental version of dbus and the said bluetooth.conf
file and it doesn't seem to work, though I'm investigating.

Filippo Giunchedi - http://esaurito.net
PGP key: 0x6B79D401
random quote follows:

Gretchen: Donnie Darko? What the hell kind of name is that? It's like
          some sort of superhero or something.
  Donnie: What makes you think I'm not?
-- from Donnie Darko (2001)
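
Added example, not part of the original message and not BlueZ or D-Bus project code: a check for the pattern the report describes, an `<allow>` rule that matches sent messages by path or interface but names no `send_destination`, so it applies to every service on the bus. The policy text and the `org.example.Daemon` name are constructed for illustration and are not the contents of bluetooth.conf.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy modelled on the report's description;
# this is NOT the real bluetooth.conf.
SAMPLE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.example.Daemon"/>
  </policy>
  <policy at_console="true">
    <allow send_path="/"/>
    <allow send_destination="org.example.Daemon" send_path="/org/example"/>
    <allow send_interface="org.example.Daemon.Manager"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.example.Daemon"/>
  </policy>
</busconfig>"""

# dbus-daemon rule attributes that match a sent message on something
# other than the service it is addressed to.
SEND_MATCHES = ("send_path", "send_interface", "send_member",
                "send_type", "send_error")


def policy_scope(policy):
    """Describe which connections a <policy> element applies to."""
    for attr in ("user", "group", "at_console", "context"):
        if attr in policy.attrib:
            return f'{attr}="{policy.attrib[attr]}"'
    return "unscoped"


def unscoped_send_allows(xml_text):
    """Return (scope, attributes) for each <allow> rule that matches sent
    messages but has no send_destination restricting it to one service."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        for rule in policy.findall("allow"):
            matches_send = any(a in rule.attrib for a in SEND_MATCHES)
            if matches_send and "send_destination" not in rule.attrib:
                findings.append((policy_scope(policy), dict(rule.attrib)))
    return findings


if __name__ == "__main__":
    for scope, attrs in unscoped_send_allows(SAMPLE_POLICY):
        print(f"policy {scope}: <allow> {attrs} is not limited to one service")
```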
