group.of.nepali.translators team mailing list archive

[Bug 1666358] [NEW] iio-sensor-proxy: Insecure configuration of dbus service

 

*** This bug is a security vulnerability ***

Public security bug reported:

The dbus configuration for iio-sensor-proxy allowed any process on the
system bus to send an org.freedesktop.DBus.Properties.Set() call to any
other process on the system bus, even if the destination process
expected to be only accessible by root.

https://github.com/hadess/iio-sensor-proxy/commit/e2d81f2

This was fixed in the upstream version 2.1
and in Debian's 2.0-4 (which was autosynced to zesty).

I'll prepare debdiffs containing the Debian fix for xenial and yakkety.

Test Case
=========
dbus-send --system --dest=org.freedesktop.nm_dispatcher --type=method_call \
    --print-reply / org.freedesktop.DBus.Properties.Set string:Foo variant:string:bar

Bad response:
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface
 'org.freedesktop.DBus.Properties' on object at path /

Good response:

Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched
 rules; type="method_call", sender=":1.5523" (uid=1000 pid=13527
 comm="dbus-send --system --dest=org.freedesktop.nm_dispa")
 interface="org.freedesktop.DBus.Properties" member="Set" error
 name="(unset)" requested_reply="0"
 destination="org.freedesktop.nm_dispatcher" (uid=0 pid=13528
 comm="/usr/lib/NetworkManager/nm-dispatcher ")

** Affects: iio-sensor-proxy (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: iio-sensor-proxy (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: iio-sensor-proxy (Ubuntu Yakkety)
     Importance: Undecided
         Status: New


** Tags: xenial yakkety

** Description changed:

- The dbus configuration for iio-sensor-proxy allowed any process on the system bus to send an
- org.freedesktop.DBus.Properties.Set() call to any other process on the
- system bus, even if the destination process expected to be only
- accessible by root.
+ The dbus configuration for iio-sensor-proxy allowed any process on the
+ system bus to send an org.freedesktop.DBus.Properties.Set() call to any
+ other process on the system bus, even if the destination process
+ expected to be only accessible by root.
  
  https://github.com/hadess/iio-sensor-proxy/commit/e2d81f2
  
  This was fixed in the upstream version 2.1
  and in Debian's 2.0-4 (which was autosynced to zesty).
  
  I'll prepare debdiff's containing the Debian fix for xenial and yakkety.
  
  Test Case
  =========
  dbus-send --system --dest=org.freedesktop.nm_dispatcher --type=method_call \
-     --print-reply / org.freedesktop.DBus.Properties.Set string:Foo variant:string:bar
+     --print-reply / org.freedesktop.DBus.Properties.Set string:Foo variant:string:bar
  
  Bad response:
  Error org.freedesktop.DBus.Error.UnknownMethod: No such interface
-  'org.freedesktop.DBus.Properties' on object at path /
+  'org.freedesktop.DBus.Properties' on object at path /
  
  Good response:
  
- Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched
-  rules; type="method_call", sender=":1.5523" (uid=1000 pid=13527
-  comm="dbus-send --system --dest=org.freedesktop.nm_dispa")
-  interface="org.freedesktop.DBus.Properties" member="Set" error
-  name="(unset)" requested_reply="0"
-  destination="org.freedesktop.nm_dispatcher" (uid=0 pid=13528
-  comm="/usr/lib/NetworkManager/nm-dispatcher ")
+ Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched  rules; type="method_call", sender=":1.5523" (uid=1000 pid=13527
+  comm="dbus-send --system --dest=org.freedesktop.nm_dispa")
+  interface="org.freedesktop.DBus.Properties" member="Set" error
+  name="(unset)" requested_reply="0"
+  destination="org.freedesktop.nm_dispatcher" (uid=0 pid=13528
+  comm="/usr/lib/NetworkManager/nm-dispatcher ")

** Also affects: iio-sensor-proxy (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: iio-sensor-proxy (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1666358

Title:
  iio-sensor-proxy: Insecure configuration of dbus service

Status in iio-sensor-proxy package in Ubuntu:
  New
Status in iio-sensor-proxy source package in Xenial:
  New
Status in iio-sensor-proxy source package in Yakkety:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iio-sensor-proxy/+bug/1666358/+subscriptions
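
Added example (not part of the bug report and not code from the iio-sensor-proxy package): a small check for the class of policy error described above, where an <allow> rule matches a sent interface but names no send_destination and therefore applies to messages addressed to any service on the bus. Both policy fragments, the placeholder bus name com.example.Sensor and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; com.example.Sensor is a placeholder bus name.
WEAK_POLICY = """<busconfig>
  <policy user="root">
    <allow own="com.example.Sensor"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.example.Sensor"
           send_interface="com.example.Sensor"/>
    <allow send_interface="org.freedesktop.DBus.Properties"/>
  </policy>
</busconfig>"""

# Same policy with the Properties rule pinned to the service's own name.
FIXED_POLICY = WEAK_POLICY.replace(
    '<allow send_interface="org.freedesktop.DBus.Properties"/>',
    '<allow send_destination="com.example.Sensor"\n'
    '           send_interface="org.freedesktop.DBus.Properties"/>')

# Attributes that select sent messages by interface, member or object path.
SEND_ATTRS = ("send_interface", "send_member", "send_path")


def unscoped_allow_rules(policy_xml):
    """Return (policy scope, rule attributes) for each <allow> rule that
    matches sent messages without any send_destination* attribute, i.e. a
    rule that is not limited to one destination service."""
    findings = []
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        scope = " ".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for rule in policy.findall("allow"):
            matches_send = any(a in rule.attrib for a in SEND_ATTRS)
            pinned = any(a.startswith("send_destination") for a in rule.attrib)
            if matches_send and not pinned:
                findings.append((scope, dict(rule.attrib)))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        hits = unscoped_allow_rules(text)
        print(name, "->", hits or "no unscoped send rules")
```

The same function can be run over the text of each file under the system bus policy directories to list rules that need a send_destination.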

