Bug#776617: wheezy-pu: fso stack

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#776617: wheezy-pu: fso stack
From: Sebastian Reichel <sre@debian.org>
Date: Fri, 30 Jan 2015 01:43:16 +0100
Message-id: <[🔎] 20150130004316.11780.18429.reportbug@earth.universe>
Reply-to: Sebastian Reichel <sre@debian.org>, 776617@bugs.debian.org
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I just requested unblocking of the fso stack for unstable -> testing
migration. I also prepared fixed packages for wheezy and the security
team send me here.

This is the debdiff for the proposed stable updates:

=== debdiff fso-datad_0.11.0-1.dsc fso-datad_0.11.0-1+deb7u1.dsc ===

diff -Nru fso-datad-0.11.0/debian/changelog fso-datad-0.11.0/debian/changelog
--- fso-datad-0.11.0/debian/changelog	2012-05-26 10:29:47.000000000 +0200
+++ fso-datad-0.11.0/debian/changelog	2015-01-28 00:18:22.000000000 +0100
@@ -1,3 +1,9 @@
+fso-datad (0.11.0-1+deb7u1) wheezy-security; urgency=high
+
+  * Fix DBus permissions (Closes: CVE-2014-8156)
+
+ -- Sebastian Reichel <sre@debian.org>  Wed, 28 Jan 2015 00:04:16 +0100
+
 fso-datad (0.11.0-1) unstable; urgency=low
 
   * New upstream release 
diff -Nru fso-datad-0.11.0/debian/patches/fix-dbus-permissions.patch fso-datad-0.11.0/debian/patches/fix-dbus-permissions.patch
--- fso-datad-0.11.0/debian/patches/fix-dbus-permissions.patch	1970-01-01 01:00:00.000000000 +0100
+++ fso-datad-0.11.0/debian/patches/fix-dbus-permissions.patch	2015-01-28 00:15:03.000000000 +0100
@@ -0,0 +1,24 @@
+From: Sebastian Reichel <sre@debian.org>
+Reported-By: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Last-Update: 2015-01-20
+Description: Fix Security Problem in DBus Configuration
+ Old configuration allows every local user to send arbitrary D-Bus
+ messages to the path /org/freesmartphone/Framework on *any* D-Bus
+ system service (rough HTTP analogy: send a POST to
+ http://server/org/freesmartphone/Framework on any server).
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156
+
+Index: fso-datad/data/fsodatad.conf
+===================================================================
+--- fso-datad.orig/data/fsodatad.conf
++++ fso-datad/data/fsodatad.conf
+@@ -3,8 +3,7 @@
+ <busconfig>
+     <policy context="default">
+         <allow own="org.freesmartphone.odatad"/>
+-        <allow send_path="/org/freesmartphone/Time"/>
+-        <allow send_destination="org.freesmartphone.odatad"/>
++        <allow send_destination="org.freesmartphone.odatad" send_path="/org/freesmartphone/Time"/>
+     </policy>
+     <policy context="default">
+         <allow send_interface="org.freedesktop.DBus.Introspectable"/>
diff -Nru fso-datad-0.11.0/debian/patches/series fso-datad-0.11.0/debian/patches/series
--- fso-datad-0.11.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ fso-datad-0.11.0/debian/patches/series	2015-01-28 00:15:24.000000000 +0100
@@ -0,0 +1 @@
+fix-dbus-permissions.patch

=== debdiff fso-deviced_0.11.4-1.dsc fso-deviced_0.11.4-1+deb7u1.dsc ===

diff -Nru fso-deviced-0.11.4/debian/changelog fso-deviced-0.11.4/debian/changelog
--- fso-deviced-0.11.4/debian/changelog	2012-06-01 07:00:15.000000000 +0200
+++ fso-deviced-0.11.4/debian/changelog	2015-01-28 01:17:12.000000000 +0100
@@ -1,3 +1,9 @@
+fso-deviced (0.11.4-1+deb7u1) wheezy-security; urgency=high
+
+  * Fix DBus permissions (Closes: CVE-2014-8156)
+
+ -- Sebastian Reichel <sre@debian.org>  Wed, 28 Jan 2015 00:40:54 +0100
+
 fso-deviced (0.11.4-1) unstable; urgency=low
 
   * New upstream release
diff -Nru fso-deviced-0.11.4/debian/patches/fix-dbus-permissions.patch fso-deviced-0.11.4/debian/patches/fix-dbus-permissions.patch
--- fso-deviced-0.11.4/debian/patches/fix-dbus-permissions.patch	1970-01-01 01:00:00.000000000 +0100
+++ fso-deviced-0.11.4/debian/patches/fix-dbus-permissions.patch	2015-01-28 00:40:03.000000000 +0100
@@ -0,0 +1,24 @@
+From: Sebastian Reichel <sre@debian.org>
+Reported-By: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Last-Update: 2015-01-20
+Description: Fix Security Problem in DBus Configuration
+ Old configuration allows every local user to send arbitrary D-Bus
+ messages to the path /org/freesmartphone/Framework on *any* D-Bus
+ system service (rough HTTP analogy: send a POST to
+ http://server/org/freesmartphone/Framework on any server).
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156
+
+Index: fso-deviced/data/fsodeviced.conf
+===================================================================
+--- fso-deviced.orig/data/fsodeviced.conf
++++ fso-deviced/data/fsodeviced.conf
+@@ -3,8 +3,7 @@
+ <busconfig>
+     <policy context="default">
+         <allow own="org.freesmartphone.odeviced"/>
+-        <allow send_path="/org/freesmartphone/Device"/>
+-        <allow send_destination="org.freesmartphone.odeviced"/>
++        <allow send_destination="org.freesmartphone.odeviced" send_path="/org/freesmartphone/Device"/>
+     </policy>
+     <policy context="default">
+         <allow send_interface="org.freedesktop.DBus.Introspectable"/>
diff -Nru fso-deviced-0.11.4/debian/patches/series fso-deviced-0.11.4/debian/patches/series
--- fso-deviced-0.11.4/debian/patches/series	2012-06-01 07:00:15.000000000 +0200
+++ fso-deviced-0.11.4/debian/patches/series	2015-01-28 00:40:13.000000000 +0100
@@ -1 +1,2 @@
 openmoko-wifi-2.6.39.patch
+fix-dbus-permissions.patch

=== debdiff fso-frameworkd_0.9.5.9+git20110512-4.dsc fso-frameworkd_0.9.5.9+git20110512-4+deb7u1.dsc ===

diff -Nru fso-frameworkd-0.9.5.9+git20110512/debian/changelog fso-frameworkd-0.9.5.9+git20110512/debian/changelog
--- fso-frameworkd-0.9.5.9+git20110512/debian/changelog	2012-03-28 05:04:21.000000000 +0200
+++ fso-frameworkd-0.9.5.9+git20110512/debian/changelog	2015-01-28 01:05:39.000000000 +0100
@@ -1,3 +1,9 @@
+fso-frameworkd (0.9.5.9+git20110512-4+deb7u1) wheezy-security; urgency=high
+
+  * Fix DBus permissions (Closes: CVE-2014-8156)
+
+ -- Sebastian Reichel <sre@debian.org>  Wed, 28 Jan 2015 00:59:39 +0100
+
 fso-frameworkd (0.9.5.9+git20110512-4) unstable; urgency=low
 
   * make fso-frameworkd-gta01 and fso-frameworkd-gta02 armel only,
diff -Nru fso-frameworkd-0.9.5.9+git20110512/debian/patches/fix-dbus-permissions.patch fso-frameworkd-0.9.5.9+git20110512/debian/patches/fix-dbus-permissions.patch
--- fso-frameworkd-0.9.5.9+git20110512/debian/patches/fix-dbus-permissions.patch1970-01-01 01:00:00.000000000 +0100
+++ fso-frameworkd-0.9.5.9+git20110512/debian/patches/fix-dbus-permissions.patch2015-01-28 00:57:48.000000000 +0100
@@ -0,0 +1,96 @@
+From: Sebastian Reichel <sre@debian.org>
+Reported-By: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Last-Update: 2015-01-20
+Description: Fix Security Problem in DBus Configuration
+ Old configuration allows every local user to send arbitrary D-Bus
+ messages to the path /org/freesmartphone/Framework on *any* D-Bus
+ system service (rough HTTP analogy: send a POST to
+ http://server/org/freesmartphone/Framework on any server).
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156
+
+Index: fso-frameworkd/etc/dbus-1/system.d/frameworkd.conf
+===================================================================
+--- fso-frameworkd.orig/etc/dbus-1/system.d/frameworkd.conf
++++ fso-frameworkd/etc/dbus-1/system.d/frameworkd.conf
+@@ -3,70 +3,57 @@
+ <busconfig>
+     <policy context="default">
+         <allow own="org.freesmartphone.testing"/>
+-        <allow send_path="/org/freesmartphone/testing"/>
+-        <allow send_destination="org.freesmartphone.testing"/>
++        <allow send_destination="org.freesmartphone.testing" send_path="/org/freesmartphone/testing"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.onetworkd"/>
+-        <allow send_path="/org/freesmartphone.onetworkd"/>
+-        <allow send_destination="org.freesmartphone.onetwork"/>
++        <allow send_destination="org.freesmartphone.onetwork" send_path="/org/freesmartphone.onetworkd"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.frameworkd"/>
+-        <allow send_path="/org/freesmartphone/Framework"/>
+-        <allow send_destination="org.freesmartphone.frameworkd"/>
++        <allow send_destination="org.freesmartphone.frameworkd" send_path="/org/freesmartphone/Framework"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.odeviced"/>
+-        <allow send_path="/"/>
+         <allow send_destination="org.freesmartphone.odeviced"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.oeventsd"/>
+-        <allow send_path="/org/freesmartphone/Events"/>
+-        <allow send_destination="org.freesmartphone.oeventsd"/>
++        <allow send_destination="org.freesmartphone.oeventsd" send_path="/org/freesmartphone/Events"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.ousaged"/>
+-        <allow send_path="/org/freesmartphone/Usage"/>
+-        <allow send_destination="org.freesmartphone.ousaged"/>
++        <allow send_destination="org.freesmartphone.ousaged" send_path="/org/freesmartphone/Usage"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.ogsmd"/>
+-        <allow send_path="/org/freesmartphone/GSM"/>
+-        <allow send_destination="org.freesmartphone.ogsmd"/>
++        <allow send_destination="org.freesmartphone.ogsmd" send_path="/org/freesmartphone/GSM"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.ogpsd"/>
+         <allow own="org.freedesktop.Gypsy"/>
+-        <allow send_path="/org/freedesktop/Gypsy"/>
+         <allow send_destination="org.freesmartphone.ogpsd"/>
+         <allow send_destination="org.freedesktop.gypsy"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.opreferencesd"/>
+-        <allow send_path="/org/freesmartphone/Preferences"/>
+-        <allow send_destination="org.freesmartphone.opreferencesd"/>
++        <allow send_destination="org.freesmartphone.opreferencesd" send_path="/org/freesmartphone/Preferences"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.ophoned"/>
+-        <allow send_path="/org/freesmartphone/Phone"/>
+-        <allow send_destination="org.freesmartphone.ophoned"/>
++        <allow send_destination="org.freesmartphone.ophoned" send_path="/org/freesmartphone/Phone"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.opimd"/>
+-        <allow send_path="/org/freesmartphone/PIM"/>
+-        <allow send_destination="org.freesmartphone.opimd"/>
++        <allow send_destination="org.freesmartphone.opimd" send_path="/org/freesmartphone/PIM"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.otimed"/>
+-        <allow send_path="/org/freesmartphone/Time"/>
+-        <allow send_destination="org.freesmartphone.otimed"/>
++        <allow send_destination="org.freesmartphone.otimed" send_path="/org/freesmartphone/Time"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.omuxerd"/>
+-        <allow send_path="/org/freesmartphone/GSM/Muxer"/>
+-        <allow send_destination="org.freesmartphone.omuxerd"/>
++        <allow send_destination="org.freesmartphone.omuxerd" send_path="/org/freesmartphone/GSM/Muxer"/>
+         <allow send_interface="org.freesmartphone.GSM.MUX"/>
+     </policy>
+     <policy context="default">
diff -Nru fso-frameworkd-0.9.5.9+git20110512/debian/patches/series fso-frameworkd-0.9.5.9+git20110512/debian/patches/series
--- fso-frameworkd-0.9.5.9+git20110512/debian/patches/series	2012-03-28 05:04:21.000000000 +0200
+++ fso-frameworkd-0.9.5.9+git20110512/debian/patches/series	2015-01-28 00:58:07.000000000 +0100
@@ -1,3 +1,4 @@
 fix-setup.py
 fix-ogpsd.patch
 fix-message-notfication.patch
+fix-dbus-permissions.patch

=== debdiff fso-gsmd_0.11.3-2.dsc fso-gsmd_0.11.3-2+deb7u1.dsc ===

diff -Nru fso-gsmd-0.11.3/debian/changelog fso-gsmd-0.11.3/debian/changelog
--- fso-gsmd-0.11.3/debian/changelog	2012-06-27 02:41:45.000000000 +0200
+++ fso-gsmd-0.11.3/debian/changelog	2015-01-28 01:11:10.000000000 +0100
@@ -1,3 +1,9 @@
+fso-gsmd (0.11.3-2+deb7u1) wheezy-security; urgency=high
+
+  * Fix DBus permissions (Closes: CVE-2014-8156)
+
+ -- Sebastian Reichel <sre@debian.org>  Wed, 28 Jan 2015 01:04:52 +0100
+
 fso-gsmd (0.11.3-2) unstable; urgency=low
 
   * fso-gsmd 0.11.3 requires libgsm0710mux 0.11.2
diff -Nru fso-gsmd-0.11.3/debian/patches/fix-dbus-permissions.patch fso-gsmd-0.11.3/debian/patches/fix-dbus-permissions.patch
--- fso-gsmd-0.11.3/debian/patches/fix-dbus-permissions.patch	1970-01-01 01:00:00.000000000 +0100
+++ fso-gsmd-0.11.3/debian/patches/fix-dbus-permissions.patch	2015-01-28 01:06:55.000000000 +0100
@@ -0,0 +1,24 @@
+From: Sebastian Reichel <sre@debian.org>
+Reported-By: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Last-Update: 2015-01-20
+Description: Fix Security Problem in DBus Configuration
+ Old configuration allows every local user to send arbitrary D-Bus
+ messages to the path /org/freesmartphone/Framework on *any* D-Bus
+ system service (rough HTTP analogy: send a POST to
+ http://server/org/freesmartphone/Framework on any server).
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156
+
+Index: fso-gsmd/data/fsogsmd.conf
+===================================================================
+--- fso-gsmd.orig/data/fsogsmd.conf
++++ fso-gsmd/data/fsogsmd.conf
+@@ -3,8 +3,7 @@
+ <busconfig>
+     <policy context="default">
+         <allow own="org.freesmartphone.ogsmd"/>
+-        <allow send_path="/org/freesmartphone/GSM"/>
+-        <allow send_destination="org.freesmartphone.ogsmd"/>
++        <allow send_destination="org.freesmartphone.ogsmd" send_path="/org/freesmartphone/GSM"/>
+     </policy>
+     <policy context="default">
+         <allow send_interface="org.freedesktop.DBus.Introspectable"/>
diff -Nru fso-gsmd-0.11.3/debian/patches/series fso-gsmd-0.11.3/debian/patches/series
--- fso-gsmd-0.11.3/debian/patches/series	2012-06-27 02:41:45.000000000 +0200
+++ fso-gsmd-0.11.3/debian/patches/series	2015-01-28 01:07:02.000000000 +0100
@@ -2,3 +2,4 @@
 phonebook-storage-dir.patch
 sms-storage-dir.patch
 fix-pkglibdir.patch
+fix-dbus-permissions.patch

=== debdiff fso-usaged_0.11.0-1.dsc fso-usaged_0.11.0-1+deb7u1.dsc ===

diff -Nru fso-usaged-0.11.0/debian/changelog fso-usaged-0.11.0/debian/changelog
--- fso-usaged-0.11.0/debian/changelog	2012-05-26 11:44:02.000000000 +0200
+++ fso-usaged-0.11.0/debian/changelog	2015-01-28 01:09:39.000000000 +0100
@@ -1,3 +1,9 @@
+fso-usaged (0.11.0-1+deb7u1) wheezy-security; urgency=high
+
+  * Fix DBus permissions (Closes: CVE-2014-8156)
+
+ -- Sebastian Reichel <sre@debian.org>  Wed, 28 Jan 2015 01:08:45 +0100
+
 fso-usaged (0.11.0-1) unstable; urgency=low
 
   * New upstream release
diff -Nru fso-usaged-0.11.0/debian/patches/fix-dbus-permissions.patch fso-usaged-0.11.0/debian/patches/fix-dbus-permissions.patch
--- fso-usaged-0.11.0/debian/patches/fix-dbus-permissions.patch	1970-01-01 01:00:00.000000000 +0100
+++ fso-usaged-0.11.0/debian/patches/fix-dbus-permissions.patch	2015-01-28 01:10:04.000000000 +0100
@@ -0,0 +1,24 @@
+From: Sebastian Reichel <sre@debian.org>
+Reported-By: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Last-Update: 2015-01-20
+Description: Fix Security Problem in DBus Configuration
+ Old configuration allows every local user to send arbitrary D-Bus
+ messages to the path /org/freesmartphone/Framework on *any* D-Bus
+ system service (rough HTTP analogy: send a POST to
+ http://server/org/freesmartphone/Framework on any server).
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156
+
+Index: fso-usaged/data/fsousaged.conf
+===================================================================
+--- fso-usaged.orig/data/fsousaged.conf
++++ fso-usaged/data/fsousaged.conf
+@@ -3,8 +3,7 @@
+ <busconfig>
+     <policy context="default">
+         <allow own="org.freesmartphone.ousaged"/>
+-        <allow send_path="/org/freesmartphone/Usage"/>
+-        <allow send_destination="org.freesmartphone.ousaged"/>
++        <allow send_destination="org.freesmartphone.ousaged" send_path="/org/freesmartphone/Usage"/>
+     </policy>
+     <policy context="default">
+         <allow send_interface="org.freedesktop.DBus.Introspectable"/>
diff -Nru fso-usaged-0.11.0/debian/patches/series fso-usaged-0.11.0/debian/patches/series
--- fso-usaged-0.11.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ fso-usaged-0.11.0/debian/patches/series	2015-01-28 01:10:11.000000000 +0100
@@ -0,0 +1 @@
+fix-dbus-permissions.patch

=== debdiff phonefsod_0.1+git20110827-3.dsc phonefsod_0.1+git20110827-3+deb7u1.dsc ===

diff -Nru phonefsod-0.1+git20110827/debian/changelog phonefsod-0.1+git20110827/debian/changelog
--- phonefsod-0.1+git20110827/debian/changelog	2012-03-30 01:53:42.000000000 +0200
+++ phonefsod-0.1+git20110827/debian/changelog	2015-01-28 01:12:26.000000000 +0100
@@ -1,3 +1,9 @@
+phonefsod (0.1+git20110827-3+deb7u1) wheezy-security; urgency=high
+
+  * Fix DBus permissions (Closes: CVE-2014-8156) 
+
+ -- Sebastian Reichel <sre@debian.org>  Wed, 28 Jan 2015 01:12:08 +0100
+
 phonefsod (0.1+git20110827-3) unstable; urgency=low
 
   * Fix #665595
diff -Nru phonefsod-0.1+git20110827/debian/patches/fix-dbus-permissions.patch phonefsod-0.1+git20110827/debian/patches/fix-dbus-permissions.patch
--- phonefsod-0.1+git20110827/debian/patches/fix-dbus-permissions.patch	1970-01-01 01:00:00.000000000 +0100
+++ phonefsod-0.1+git20110827/debian/patches/fix-dbus-permissions.patch	2015-01-28 01:12:43.000000000 +0100
@@ -0,0 +1,24 @@
+From: Sebastian Reichel <sre@debian.org>
+Reported-By: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Last-Update: 2015-01-20
+Description: Fix Security Problem in DBus Configuration
+ Old configuration allows every local user to send arbitrary D-Bus
+ messages to the path /org/freesmartphone/Framework on *any* D-Bus
+ system service (rough HTTP analogy: send a POST to
+ http://server/org/freesmartphone/Framework on any server).
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156
+
+Index: phonefsod/data/dbus-1/phonefsod.conf
+===================================================================
+--- phonefsod.orig/data/dbus-1/phonefsod.conf
++++ phonefsod/data/dbus-1/phonefsod.conf
+@@ -1,8 +1,7 @@
+ <busconfig>
+     <policy user="root">
+         <allow own="org.shr.phonefso"/>
+-        <allow send_path="/org/shr/phonefso/Usage"/>
+-        <allow send_destination="org.shr.phonefso"/>
++        <allow send_destination="org.shr.phonefso" send_path="/org/shr/phonefso/Usage"/>
+         <allow receive_sender="org.shr.phonefso"/>
+     </policy>
+ </busconfig>
diff -Nru phonefsod-0.1+git20110827/debian/patches/series phonefsod-0.1+git20110827/debian/patches/series
--- phonefsod-0.1+git20110827/debian/patches/series	2012-03-30 01:53:42.000000000 +0200
+++ phonefsod-0.1+git20110827/debian/patches/series	2015-01-28 01:12:52.000000000 +0100
@@ -1,3 +1,4 @@
 no-output-before-daemonization.patch
 fix-ld-as-needed.patch
 remove-invidiual-glib-header-includes.patch
+fix-dbus-permissions.patch
diff -Nru phonefsod-0.1+git20110827/debian/phonefsod.conf phonefsod-0.1+git20110827/debian/phonefsod.conf
--- phonefsod-0.1+git20110827/debian/phonefsod.conf	2012-03-30 01:53:42.000000000 +0200
+++ phonefsod-0.1+git20110827/debian/phonefsod.conf	2015-01-28 01:13:16.000000000 +0100
@@ -4,8 +4,7 @@
 	</policy>
 
     <policy context="default">
-        <allow send_path="/org/shr/phonefso/Usage"/>
-        <allow send_destination="org.shr.phonefso"/>
+        <allow send_destination="org.shr.phonefso" send_path="/org/shr/phonefso/Usage"/>
         <allow receive_sender="org.shr.phonefso"/>
     </policy>
 </busconfig>
Reply to:
Prev by Date: Bug#776009: Gentle ping wrt. Bug#776009: unblock: xymon/4.3.17-5
Next by Date: Bug#725661: pu: opencv/2.3.1+dfsg-1
Previous by thread: Bug#776616: unblock: fso stack
Next by thread: Processed: tagging 775770
Index(es):
- Date
- Thread