Bug#776480: lintian: [dbus] add the check that found CVE-2014-8148 and CVE-2014-8156
Package: lintian
Version: 2.5.30
Severity: wishlist
Tags: patch
Patches also available from:
ssh://git.debian.org/git/users/smcv/lintian.git dbus
Using the results of the checks I added in #762609, I enhanced the
checks to ignore non-problematic situations and give more context
when reporting problems. Investigating the remaining packages further,
I found two security vulnerabilities: CVE-2014-8148 in midgard2-common,
and CVE-2014-8156 in various freesmartphone.org packages.
Now that both of those are unembargoed, I would like to land the
enhanced checks in lintian. I would also like to mark the D-Bus checks
as non-experimental.
Here are some selected results with annotations:
W: bluez: dbus-policy-at-console etc/dbus-1/system.d/bluetooth.conf <policy at_console="true"><allow send_destination="org.bluez"/>
^^^ this is deprecated, but not a security vulnerability
E: fso-frameworkd: dbus-policy-excessively-broad etc/dbus-1/system.d/frameworkd.conf <policy context="default"><allow send_path="/org/freesmartphone/testing"/>
^^^ this is one of several similar issues making up CVE-2014-8156
W: fso-frameworkd: dbus-policy-without-send-destination etc/dbus-1/system.d/frameworkd.conf <policy context="default"><allow send_interface="org.freedesktop.DBus.Introspectable"/>
^^^ this is a bug, but not a security vulnerability as such
E: midgard2-common: dbus-policy-excessively-broad etc/dbus-1/system.d/midgard_dbus.conf <policy context="default"><allow send_type="method_call"/>
^^^ this is part of CVE-2014-8148
The commit "Transcode checks/dbus.pm to UTF-8" might not apply correctly
from the attached patches if it suffers the same MTA damage as the one
you applied: please obtain it from
ssh://git.debian.org/git/users/smcv/lintian.git if necessary.
(isutf8 checks/dbus.pm, using isutf8 from moreutils, should return 0.)
Regards,
S
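To show what the three annotated tags above are reacting to, here is an added illustration (not lintian's own checks/dbus.pm) that classifies `<allow>` rules in a D-Bus bus policy file the same way: it assumes constructed sample policies using a hypothetical com.example.Service name, and the classification heuristic is modelled on the results quoted above rather than copied from lintian.

```python
"""D-Bus policy classifier: added illustration modelled on the lintian tags above, not checks/dbus.pm."""
import xml.etree.ElementTree as ET

# Constructed sample reproducing the three patterns reported above.
WEAK_POLICY = """<busconfig>
  <policy user="root"><allow own="com.example.Service"/></policy>
  <policy context="default">
    <allow send_type="method_call"/>
    <allow send_path="/com/example/testing"/>
    <allow send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="com.example.Service"/>
  </policy>
  <policy at_console="true"><allow send_destination="com.example.Service"/></policy>
</busconfig>"""

# Constructed hardened form: every send_* rule is bound to a destination.
HARDENED_POLICY = """<busconfig>
  <policy user="root"><allow own="com.example.Service"/></policy>
  <policy context="default">
    <allow send_destination="com.example.Service"/>
    <allow send_destination="com.example.Service" send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>
</busconfig>"""

SEND_ATTRS = ("send_interface", "send_member", "send_path", "send_type")

def rule_text(elem):
    """Render an element the way lintian prints it, e.g. <allow send_type="method_call"/>."""
    attrs = " ".join(f'{k}="{v}"' for k, v in elem.attrib.items())
    return f"<{elem.tag} {attrs}/>"

def check_policy(xml_text):
    """Return (lintian-style tag, offending element) pairs for one policy file."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        if policy.get("at_console") == "true":
            findings.append(("dbus-policy-at-console", rule_text(policy)))  # deprecated, not a hole
        if policy.get("context") != "default":
            continue  # user=/group= policies do not apply to every local user
        for rule in policy.findall("allow"):
            if "send_destination" in rule.attrib or not any(
                    a in rule.attrib for a in SEND_ATTRS):
                continue  # destination-bound, or an own=/receive_*= rule
            if "send_interface" in rule.attrib:  # bounded by interface only: a bug, not a hole
                findings.append(("dbus-policy-without-send-destination", rule_text(rule)))
            else:  # any local user may send matching messages to any service
                findings.append(("dbus-policy-excessively-broad", rule_text(rule)))
    return findings
```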