Bug#776616: unblock: fso stack
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock packages:
* fso-datad
* fso-deviced
* fso-frameworkd
* fso-gsmd
* fso-usaged
* phonefsod
Reason:
security update regarding dbus configuration.
Debdiff:
I think it's pointless to include 6 almost identical debdiff files here.
The only change in each package is a new patch fixing the DBus
configuration. Here is the patch for fso-datad:
$ cat debian/patches/fix-dbus-permissions.patch
From: Sebastian Reichel <sre@debian.org>
Reported-By: Simon McVittie <simon.mcvittie@collabora.co.uk>
Last-Update: 2015-01-20
Description: Fix Security Problem in DBus Configuration
Old configuration allows every local user to send arbitrary D-Bus
messages to the path /org/freesmartphone/Framework on *any* D-Bus
system service (rough HTTP analogy: send a POST to
http://server/org/freesmartphone/Framework on any server).
Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156
Index: fso-datad/data/fsodatad.conf
===================================================================
--- fso-datad.orig/data/fsodatad.conf
+++ fso-datad/data/fsodatad.conf
@@ -3,8 +3,7 @@
<busconfig>
<policy context="default">
<allow own="org.freesmartphone.odatad"/>
- <allow send_path="/org/freesmartphone/Time"/>
- <allow send_destination="org.freesmartphone.odatad"/>
+ <allow send_destination="org.freesmartphone.odatad" send_path="/org/freesmartphone/Time"/>
</policy>
<policy context="default">
<allow send_interface="org.freedesktop.DBus.Introspectable"/>
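Review bot: the <allow send_interface="org.freedesktop.DBus.Introspectable"/> rule in the second default policy (visible as trailing context) still carries no send_destination, so it matches Introspectable calls addressed to any service on the system bus, which is the same unscoped pattern this hunk removes for send_path. Consider adding send_destination="org.freesmartphone.odatad" to that rule as well. Separately, <allow own="org.freesmartphone.odatad"/> remains under context="default", so any local user may claim the service name; if the daemon runs under a fixed account, moving the own rule into a policy block for that user would be tighter. Finally, the patch description names /org/freesmartphone/Framework while this hunk restricts /org/freesmartphone/Time; a per-package description would keep the header in line with the change.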
Commands:
unblock fso-datad/0.12.0-3
unblock fso-deviced/0.12.0-5
unblock fso-frameworkd/0.9.5.9+git20110512-5
unblock fso-gsmd/0.12.0-4
unblock fso-usaged/0.12.0-3
unblock phonefsod/0.1+git20121018-2