Bug#776617: wheezy-pu: fso stack
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I just requested unblocking of the fso stack for unstable -> testing
migration. I also prepared fixed packages for wheezy and the security
team sent me here.
This is the debdiff for the proposed stable updates:
=== debdiff fso-datad_0.11.0-1.dsc fso-datad_0.11.0-1+deb7u1.dsc ===
diff -Nru fso-datad-0.11.0/debian/changelog fso-datad-0.11.0/debian/changelog
--- fso-datad-0.11.0/debian/changelog 2012-05-26 10:29:47.000000000 +0200
+++ fso-datad-0.11.0/debian/changelog 2015-01-28 00:18:22.000000000 +0100
@@ -1,3 +1,9 @@
+fso-datad (0.11.0-1+deb7u1) wheezy-security; urgency=high
+
+ * Fix DBus permissions (Closes: CVE-2014-8156)
+
+ -- Sebastian Reichel <sre@debian.org> Wed, 28 Jan 2015 00:04:16 +0100
+
fso-datad (0.11.0-1) unstable; urgency=low
* New upstream release
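Review bot: The new changelog entry targets wheezy-security although this is a wheezy-pu request; an upload through proposed-updates needs the distribution set to wheezy, and the same applies to the other five changelog entries in this debdiff. Also, "Closes:" in a Debian changelog is only parsed for bug numbers, so "(Closes: CVE-2014-8156)" closes nothing; write "(CVE-2014-8156)" and add a separate Closes: only if there is a Debian bug to close.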
diff -Nru fso-datad-0.11.0/debian/patches/fix-dbus-permissions.patch fso-datad-0.11.0/debian/patches/fix-dbus-permissions.patch
--- fso-datad-0.11.0/debian/patches/fix-dbus-permissions.patch 1970-01-01 01:00:00.000000000 +0100
+++ fso-datad-0.11.0/debian/patches/fix-dbus-permissions.patch 2015-01-28 00:15:03.000000000 +0100
@@ -0,0 +1,24 @@
+From: Sebastian Reichel <sre@debian.org>
+Reported-By: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Last-Update: 2015-01-20
+Description: Fix Security Problem in DBus Configuration
+ Old configuration allows every local user to send arbitrary D-Bus
+ messages to the path /org/freesmartphone/Framework on *any* D-Bus
+ system service (rough HTTP analogy: send a POST to
+ http://server/org/freesmartphone/Framework on any server).
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156
+
+Index: fso-datad/data/fsodatad.conf
+===================================================================
+--- fso-datad.orig/data/fsodatad.conf
++++ fso-datad/data/fsodatad.conf
+@@ -3,8 +3,7 @@
+ <busconfig>
+ <policy context="default">
+ <allow own="org.freesmartphone.odatad"/>
+- <allow send_path="/org/freesmartphone/Time"/>
+- <allow send_destination="org.freesmartphone.odatad"/>
++ <allow send_destination="org.freesmartphone.odatad" send_path="/org/freesmartphone/Time"/>
+ </policy>
+ <policy context="default">
+ <allow send_interface="org.freedesktop.DBus.Introspectable"/>
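Review bot: The merged rule in fsodatad.conf limits messages for org.freesmartphone.odatad to the single object path /org/freesmartphone/Time, whereas the removed send_destination rule allowed every path on that service. frameworkd.conf in this same debdiff pairs /org/freesmartphone/Time with org.freesmartphone.otimed, so please confirm that odatad really exports its objects at that path; if it does not, keeping only <allow send_destination="org.freesmartphone.odatad"/> closes the hole without cutting clients off. The Description header also names /org/freesmartphone/Framework, which this file never mentions; it would help to name the path actually affected here.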
diff -Nru fso-datad-0.11.0/debian/patches/series fso-datad-0.11.0/debian/patches/series
--- fso-datad-0.11.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ fso-datad-0.11.0/debian/patches/series 2015-01-28 00:15:24.000000000 +0100
@@ -0,0 +1 @@
+fix-dbus-permissions.patch
=== debdiff fso-deviced_0.11.4-1.dsc fso-deviced_0.11.4-1+deb7u1.dsc ===
diff -Nru fso-deviced-0.11.4/debian/changelog fso-deviced-0.11.4/debian/changelog
--- fso-deviced-0.11.4/debian/changelog 2012-06-01 07:00:15.000000000 +0200
+++ fso-deviced-0.11.4/debian/changelog 2015-01-28 01:17:12.000000000 +0100
@@ -1,3 +1,9 @@
+fso-deviced (0.11.4-1+deb7u1) wheezy-security; urgency=high
+
+ * Fix DBus permissions (Closes: CVE-2014-8156)
+
+ -- Sebastian Reichel <sre@debian.org> Wed, 28 Jan 2015 00:40:54 +0100
+
fso-deviced (0.11.4-1) unstable; urgency=low
* New upstream release
diff -Nru fso-deviced-0.11.4/debian/patches/fix-dbus-permissions.patch fso-deviced-0.11.4/debian/patches/fix-dbus-permissions.patch
--- fso-deviced-0.11.4/debian/patches/fix-dbus-permissions.patch 1970-01-01 01:00:00.000000000 +0100
+++ fso-deviced-0.11.4/debian/patches/fix-dbus-permissions.patch 2015-01-28 00:40:03.000000000 +0100
@@ -0,0 +1,24 @@
+From: Sebastian Reichel <sre@debian.org>
+Reported-By: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Last-Update: 2015-01-20
+Description: Fix Security Problem in DBus Configuration
+ Old configuration allows every local user to send arbitrary D-Bus
+ messages to the path /org/freesmartphone/Framework on *any* D-Bus
+ system service (rough HTTP analogy: send a POST to
+ http://server/org/freesmartphone/Framework on any server).
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156
+
+Index: fso-deviced/data/fsodeviced.conf
+===================================================================
+--- fso-deviced.orig/data/fsodeviced.conf
++++ fso-deviced/data/fsodeviced.conf
+@@ -3,8 +3,7 @@
+ <busconfig>
+ <policy context="default">
+ <allow own="org.freesmartphone.odeviced"/>
+- <allow send_path="/org/freesmartphone/Device"/>
+- <allow send_destination="org.freesmartphone.odeviced"/>
++ <allow send_destination="org.freesmartphone.odeviced" send_path="/org/freesmartphone/Device"/>
+ </policy>
+ <policy context="default">
+ <allow send_interface="org.freedesktop.DBus.Introspectable"/>
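Review bot: This rule for org.freesmartphone.odeviced disagrees with the one frameworkd.conf ships for the same bus name later in this debdiff: here access is tied to send_path="/org/freesmartphone/Device", there the send_path="/" line is dropped and <allow send_destination="org.freesmartphone.odeviced"/> stays unrestricted. Both sit in context="default", so the effective policy depends on which packages are installed. Pick one form for both files, and if the path restriction is kept, check that odeviced has no objects outside /org/freesmartphone/Device.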
diff -Nru fso-deviced-0.11.4/debian/patches/series fso-deviced-0.11.4/debian/patches/series
--- fso-deviced-0.11.4/debian/patches/series 2012-06-01 07:00:15.000000000 +0200
+++ fso-deviced-0.11.4/debian/patches/series 2015-01-28 00:40:13.000000000 +0100
@@ -1 +1,2 @@
openmoko-wifi-2.6.39.patch
+fix-dbus-permissions.patch
=== debdiff fso-frameworkd_0.9.5.9+git20110512-4.dsc fso-frameworkd_0.9.5.9+git20110512-4+deb7u1.dsc ===
diff -Nru fso-frameworkd-0.9.5.9+git20110512/debian/changelog fso-frameworkd-0.9.5.9+git20110512/debian/changelog
--- fso-frameworkd-0.9.5.9+git20110512/debian/changelog 2012-03-28 05:04:21.000000000 +0200
+++ fso-frameworkd-0.9.5.9+git20110512/debian/changelog 2015-01-28 01:05:39.000000000 +0100
@@ -1,3 +1,9 @@
+fso-frameworkd (0.9.5.9+git20110512-4+deb7u1) wheezy-security; urgency=high
+
+ * Fix DBus permissions (Closes: CVE-2014-8156)
+
+ -- Sebastian Reichel <sre@debian.org> Wed, 28 Jan 2015 00:59:39 +0100
+
fso-frameworkd (0.9.5.9+git20110512-4) unstable; urgency=low
* make fso-frameworkd-gta01 and fso-frameworkd-gta02 armel only,
diff -Nru fso-frameworkd-0.9.5.9+git20110512/debian/patches/fix-dbus-permissions.patch fso-frameworkd-0.9.5.9+git20110512/debian/patches/fix-dbus-permissions.patch
--- fso-frameworkd-0.9.5.9+git20110512/debian/patches/fix-dbus-permissions.patch1970-01-01 01:00:00.000000000 +0100
+++ fso-frameworkd-0.9.5.9+git20110512/debian/patches/fix-dbus-permissions.patch2015-01-28 00:57:48.000000000 +0100
@@ -0,0 +1,96 @@
+From: Sebastian Reichel <sre@debian.org>
+Reported-By: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Last-Update: 2015-01-20
+Description: Fix Security Problem in DBus Configuration
+ Old configuration allows every local user to send arbitrary D-Bus
+ messages to the path /org/freesmartphone/Framework on *any* D-Bus
+ system service (rough HTTP analogy: send a POST to
+ http://server/org/freesmartphone/Framework on any server).
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156
+
+Index: fso-frameworkd/etc/dbus-1/system.d/frameworkd.conf
+===================================================================
+--- fso-frameworkd.orig/etc/dbus-1/system.d/frameworkd.conf
++++ fso-frameworkd/etc/dbus-1/system.d/frameworkd.conf
+@@ -3,70 +3,57 @@
+ <busconfig>
+ <policy context="default">
+ <allow own="org.freesmartphone.testing"/>
+- <allow send_path="/org/freesmartphone/testing"/>
+- <allow send_destination="org.freesmartphone.testing"/>
++ <allow send_destination="org.freesmartphone.testing" send_path="/org/freesmartphone/testing"/>
+ </policy>
+ <policy context="default">
+ <allow own="org.freesmartphone.onetworkd"/>
+- <allow send_path="/org/freesmartphone.onetworkd"/>
+- <allow send_destination="org.freesmartphone.onetwork"/>
++ <allow send_destination="org.freesmartphone.onetwork" send_path="/org/freesmartphone.onetworkd"/>
+ </policy>
+ <policy context="default">
+ <allow own="org.freesmartphone.frameworkd"/>
+- <allow send_path="/org/freesmartphone/Framework"/>
+- <allow send_destination="org.freesmartphone.frameworkd"/>
++ <allow send_destination="org.freesmartphone.frameworkd" send_path="/org/freesmartphone/Framework"/>
+ </policy>
+ <policy context="default">
+ <allow own="org.freesmartphone.odeviced"/>
+- <allow send_path="/"/>
+ <allow send_destination="org.freesmartphone.odeviced"/>
+ </policy>
+ <policy context="default">
+ <allow own="org.freesmartphone.oeventsd"/>
+- <allow send_path="/org/freesmartphone/Events"/>
+- <allow send_destination="org.freesmartphone.oeventsd"/>
++ <allow send_destination="org.freesmartphone.oeventsd" send_path="/org/freesmartphone/Events"/>
+ </policy>
+ <policy context="default">
+ <allow own="org.freesmartphone.ousaged"/>
+- <allow send_path="/org/freesmartphone/Usage"/>
+- <allow send_destination="org.freesmartphone.ousaged"/>
++ <allow send_destination="org.freesmartphone.ousaged" send_path="/org/freesmartphone/Usage"/>
+ </policy>
+ <policy context="default">
+ <allow own="org.freesmartphone.ogsmd"/>
+- <allow send_path="/org/freesmartphone/GSM"/>
+- <allow send_destination="org.freesmartphone.ogsmd"/>
++ <allow send_destination="org.freesmartphone.ogsmd" send_path="/org/freesmartphone/GSM"/>
+ </policy>
+ <policy context="default">
+ <allow own="org.freesmartphone.ogpsd"/>
+ <allow own="org.freedesktop.Gypsy"/>
+- <allow send_path="/org/freedesktop/Gypsy"/>
+ <allow send_destination="org.freesmartphone.ogpsd"/>
+ <allow send_destination="org.freedesktop.gypsy"/>
+ </policy>
+ <policy context="default">
+ <allow own="org.freesmartphone.opreferencesd"/>
+- <allow send_path="/org/freesmartphone/Preferences"/>
+- <allow send_destination="org.freesmartphone.opreferencesd"/>
++ <allow send_destination="org.freesmartphone.opreferencesd" send_path="/org/freesmartphone/Preferences"/>
+ </policy>
+ <policy context="default">
+ <allow own="org.freesmartphone.ophoned"/>
+- <allow send_path="/org/freesmartphone/Phone"/>
+- <allow send_destination="org.freesmartphone.ophoned"/>
++ <allow send_destination="org.freesmartphone.ophoned" send_path="/org/freesmartphone/Phone"/>
+ </policy>
+ <policy context="default">
+ <allow own="org.freesmartphone.opimd"/>
+- <allow send_path="/org/freesmartphone/PIM"/>
+- <allow send_destination="org.freesmartphone.opimd"/>
++ <allow send_destination="org.freesmartphone.opimd" send_path="/org/freesmartphone/PIM"/>
+ </policy>
+ <policy context="default">
+ <allow own="org.freesmartphone.otimed"/>
+- <allow send_path="/org/freesmartphone/Time"/>
+- <allow send_destination="org.freesmartphone.otimed"/>
++ <allow send_destination="org.freesmartphone.otimed" send_path="/org/freesmartphone/Time"/>
+ </policy>
+ <policy context="default">
+ <allow own="org.freesmartphone.omuxerd"/>
+- <allow send_path="/org/freesmartphone/GSM/Muxer"/>
+- <allow send_destination="org.freesmartphone.omuxerd"/>
++ <allow send_destination="org.freesmartphone.omuxerd" send_path="/org/freesmartphone/GSM/Muxer"/>
+ <allow send_interface="org.freesmartphone.GSM.MUX"/>
+ </policy>
+ <policy context="default">
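Review bot: In the omuxerd policy near the end of the hunk, the context line <allow send_interface="org.freesmartphone.GSM.MUX"/> still has no send_destination, so it matches messages with that interface sent to any service on the system bus, the same kind of destination-less allow this patch removes for send_path. Add send_destination="org.freesmartphone.omuxerd" to it. Two rules in the hunk also carry names that look mistyped: the onetworkd policy owns org.freesmartphone.onetworkd but allows sends to "org.freesmartphone.onetwork" at "/org/freesmartphone.onetworkd", and the ogpsd policy owns org.freedesktop.Gypsy but allows sends to "org.freedesktop.gypsy"; bus names are case-sensitive, so these are worth correcting while the file is being touched.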
diff -Nru fso-frameworkd-0.9.5.9+git20110512/debian/patches/series fso-frameworkd-0.9.5.9+git20110512/debian/patches/series
--- fso-frameworkd-0.9.5.9+git20110512/debian/patches/series 2012-03-28 05:04:21.000000000 +0200
+++ fso-frameworkd-0.9.5.9+git20110512/debian/patches/series 2015-01-28 00:58:07.000000000 +0100
@@ -1,3 +1,4 @@
fix-setup.py
fix-ogpsd.patch
fix-message-notfication.patch
+fix-dbus-permissions.patch
=== debdiff fso-gsmd_0.11.3-2.dsc fso-gsmd_0.11.3-2+deb7u1.dsc ===
diff -Nru fso-gsmd-0.11.3/debian/changelog fso-gsmd-0.11.3/debian/changelog
--- fso-gsmd-0.11.3/debian/changelog 2012-06-27 02:41:45.000000000 +0200
+++ fso-gsmd-0.11.3/debian/changelog 2015-01-28 01:11:10.000000000 +0100
@@ -1,3 +1,9 @@
+fso-gsmd (0.11.3-2+deb7u1) wheezy-security; urgency=high
+
+ * Fix DBus permissions (Closes: CVE-2014-8156)
+
+ -- Sebastian Reichel <sre@debian.org> Wed, 28 Jan 2015 01:04:52 +0100
+
fso-gsmd (0.11.3-2) unstable; urgency=low
* fso-gsmd 0.11.3 requires libgsm0710mux 0.11.2
diff -Nru fso-gsmd-0.11.3/debian/patches/fix-dbus-permissions.patch fso-gsmd-0.11.3/debian/patches/fix-dbus-permissions.patch
--- fso-gsmd-0.11.3/debian/patches/fix-dbus-permissions.patch 1970-01-01 01:00:00.000000000 +0100
+++ fso-gsmd-0.11.3/debian/patches/fix-dbus-permissions.patch 2015-01-28 01:06:55.000000000 +0100
@@ -0,0 +1,24 @@
+From: Sebastian Reichel <sre@debian.org>
+Reported-By: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Last-Update: 2015-01-20
+Description: Fix Security Problem in DBus Configuration
+ Old configuration allows every local user to send arbitrary D-Bus
+ messages to the path /org/freesmartphone/Framework on *any* D-Bus
+ system service (rough HTTP analogy: send a POST to
+ http://server/org/freesmartphone/Framework on any server).
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156
+
+Index: fso-gsmd/data/fsogsmd.conf
+===================================================================
+--- fso-gsmd.orig/data/fsogsmd.conf
++++ fso-gsmd/data/fsogsmd.conf
+@@ -3,8 +3,7 @@
+ <busconfig>
+ <policy context="default">
+ <allow own="org.freesmartphone.ogsmd"/>
+- <allow send_path="/org/freesmartphone/GSM"/>
+- <allow send_destination="org.freesmartphone.ogsmd"/>
++ <allow send_destination="org.freesmartphone.ogsmd" send_path="/org/freesmartphone/GSM"/>
+ </policy>
+ <policy context="default">
+ <allow send_interface="org.freedesktop.DBus.Introspectable"/>
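Review bot: send_path is compared against the message's object path exactly, so the merged rule for org.freesmartphone.ogsmd admits only the object /org/freesmartphone/GSM and nothing beneath it, while the rule it replaces admitted every path on the service. frameworkd.conf in this debdiff already shows a path below that prefix (/org/freesmartphone/GSM/Muxer), so please verify which object paths ogsmd exports; if there are several, keep <allow send_destination="org.freesmartphone.ogsmd"/> on its own and simply delete the send_path line.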
diff -Nru fso-gsmd-0.11.3/debian/patches/series fso-gsmd-0.11.3/debian/patches/series
--- fso-gsmd-0.11.3/debian/patches/series 2012-06-27 02:41:45.000000000 +0200
+++ fso-gsmd-0.11.3/debian/patches/series 2015-01-28 01:07:02.000000000 +0100
@@ -2,3 +2,4 @@
phonebook-storage-dir.patch
sms-storage-dir.patch
fix-pkglibdir.patch
+fix-dbus-permissions.patch
=== debdiff fso-usaged_0.11.0-1.dsc fso-usaged_0.11.0-1+deb7u1.dsc ===
diff -Nru fso-usaged-0.11.0/debian/changelog fso-usaged-0.11.0/debian/changelog
--- fso-usaged-0.11.0/debian/changelog 2012-05-26 11:44:02.000000000 +0200
+++ fso-usaged-0.11.0/debian/changelog 2015-01-28 01:09:39.000000000 +0100
@@ -1,3 +1,9 @@
+fso-usaged (0.11.0-1+deb7u1) wheezy-security; urgency=high
+
+ * Fix DBus permissions (Closes: CVE-2014-8156)
+
+ -- Sebastian Reichel <sre@debian.org> Wed, 28 Jan 2015 01:08:45 +0100
+
fso-usaged (0.11.0-1) unstable; urgency=low
* New upstream release
diff -Nru fso-usaged-0.11.0/debian/patches/fix-dbus-permissions.patch fso-usaged-0.11.0/debian/patches/fix-dbus-permissions.patch
--- fso-usaged-0.11.0/debian/patches/fix-dbus-permissions.patch 1970-01-01 01:00:00.000000000 +0100
+++ fso-usaged-0.11.0/debian/patches/fix-dbus-permissions.patch 2015-01-28 01:10:04.000000000 +0100
@@ -0,0 +1,24 @@
+From: Sebastian Reichel <sre@debian.org>
+Reported-By: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Last-Update: 2015-01-20
+Description: Fix Security Problem in DBus Configuration
+ Old configuration allows every local user to send arbitrary D-Bus
+ messages to the path /org/freesmartphone/Framework on *any* D-Bus
+ system service (rough HTTP analogy: send a POST to
+ http://server/org/freesmartphone/Framework on any server).
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156
+
+Index: fso-usaged/data/fsousaged.conf
+===================================================================
+--- fso-usaged.orig/data/fsousaged.conf
++++ fso-usaged/data/fsousaged.conf
+@@ -3,8 +3,7 @@
+ <busconfig>
+ <policy context="default">
+ <allow own="org.freesmartphone.ousaged"/>
+- <allow send_path="/org/freesmartphone/Usage"/>
+- <allow send_destination="org.freesmartphone.ousaged"/>
++ <allow send_destination="org.freesmartphone.ousaged" send_path="/org/freesmartphone/Usage"/>
+ </policy>
+ <policy context="default">
+ <allow send_interface="org.freedesktop.DBus.Introspectable"/>
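Review bot: The trailing context of this hunk shows <allow send_interface="org.freedesktop.DBus.Introspectable"/> in context="default" with no send_destination, which allows Introspectable messages to any service on the system bus; the patch leaves it in place here and in the fsodatad, fsodeviced and fsogsmd configs. Since it is the same pattern as the send_path rule being fixed, either bind it to send_destination="org.freesmartphone.ousaged" or remove it.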
diff -Nru fso-usaged-0.11.0/debian/patches/series fso-usaged-0.11.0/debian/patches/series
--- fso-usaged-0.11.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ fso-usaged-0.11.0/debian/patches/series 2015-01-28 01:10:11.000000000 +0100
@@ -0,0 +1 @@
+fix-dbus-permissions.patch
=== debdiff phonefsod_0.1+git20110827-3.dsc phonefsod_0.1+git20110827-3+deb7u1.dsc ===
diff -Nru phonefsod-0.1+git20110827/debian/changelog phonefsod-0.1+git20110827/debian/changelog
--- phonefsod-0.1+git20110827/debian/changelog 2012-03-30 01:53:42.000000000 +0200
+++ phonefsod-0.1+git20110827/debian/changelog 2015-01-28 01:12:26.000000000 +0100
@@ -1,3 +1,9 @@
+phonefsod (0.1+git20110827-3+deb7u1) wheezy-security; urgency=high
+
+ * Fix DBus permissions (Closes: CVE-2014-8156)
+
+ -- Sebastian Reichel <sre@debian.org> Wed, 28 Jan 2015 01:12:08 +0100
+
phonefsod (0.1+git20110827-3) unstable; urgency=low
* Fix #665595
diff -Nru phonefsod-0.1+git20110827/debian/patches/fix-dbus-permissions.patch phonefsod-0.1+git20110827/debian/patches/fix-dbus-permissions.patch
--- phonefsod-0.1+git20110827/debian/patches/fix-dbus-permissions.patch 1970-01-01 01:00:00.000000000 +0100
+++ phonefsod-0.1+git20110827/debian/patches/fix-dbus-permissions.patch 2015-01-28 01:12:43.000000000 +0100
@@ -0,0 +1,24 @@
+From: Sebastian Reichel <sre@debian.org>
+Reported-By: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Last-Update: 2015-01-20
+Description: Fix Security Problem in DBus Configuration
+ Old configuration allows every local user to send arbitrary D-Bus
+ messages to the path /org/freesmartphone/Framework on *any* D-Bus
+ system service (rough HTTP analogy: send a POST to
+ http://server/org/freesmartphone/Framework on any server).
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156
+
+Index: phonefsod/data/dbus-1/phonefsod.conf
+===================================================================
+--- phonefsod.orig/data/dbus-1/phonefsod.conf
++++ phonefsod/data/dbus-1/phonefsod.conf
+@@ -1,8 +1,7 @@
+ <busconfig>
+ <policy user="root">
+ <allow own="org.shr.phonefso"/>
+- <allow send_path="/org/shr/phonefso/Usage"/>
+- <allow send_destination="org.shr.phonefso"/>
++ <allow send_destination="org.shr.phonefso" send_path="/org/shr/phonefso/Usage"/>
+ <allow receive_sender="org.shr.phonefso"/>
+ </policy>
+ </busconfig>
diff -Nru phonefsod-0.1+git20110827/debian/patches/series phonefsod-0.1+git20110827/debian/patches/series
--- phonefsod-0.1+git20110827/debian/patches/series 2012-03-30 01:53:42.000000000 +0200
+++ phonefsod-0.1+git20110827/debian/patches/series 2015-01-28 01:12:52.000000000 +0100
@@ -1,3 +1,4 @@
no-output-before-daemonization.patch
fix-ld-as-needed.patch
remove-invidiual-glib-header-includes.patch
+fix-dbus-permissions.patch
diff -Nru phonefsod-0.1+git20110827/debian/phonefsod.conf phonefsod-0.1+git20110827/debian/phonefsod.conf
--- phonefsod-0.1+git20110827/debian/phonefsod.conf 2012-03-30 01:53:42.000000000 +0200
+++ phonefsod-0.1+git20110827/debian/phonefsod.conf 2015-01-28 01:13:16.000000000 +0100
@@ -4,8 +4,7 @@
</policy>
<policy context="default">
- <allow send_path="/org/shr/phonefso/Usage"/>
- <allow send_destination="org.shr.phonefso"/>
+ <allow send_destination="org.shr.phonefso" send_path="/org/shr/phonefso/Usage"/>
<allow receive_sender="org.shr.phonefso"/>
</policy>
</busconfig>
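Review bot: debian/phonefsod.conf is edited directly here while the same change to data/dbus-1/phonefsod.conf goes in through debian/patches, so the package carries two copies of the policy: in the upstream file the rule sits under <policy user="root">, in this copy under <policy context="default">. Please state which file is actually installed, and mention the direct edit in the changelog if both need to change. As in the other configs, the merged rule restricts org.shr.phonefso to the single path /org/shr/phonefso/Usage, so check that the daemon exports nothing else.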