Comment 4 for bug 1897287

cschramm (cschramm) wrote :

Upstream and Debian maintainer here. It looks like neither my email to the Debian security team nor this bug ended up here, and nobody from Debian has responded yet, so here's the part after explaining what's already documented here:

> In theory, the effect should be rather limited as blueman 2.0.6+ requires Polkit-1 authorization that should be bound to groups like wheel, sudo, or netdev, so possible attackers would more or less have the privileges already (still, users in netdev but not in sudo would gain some privileges, depending on the DHCP client software on the system).
>
> However, (apart from the fact that stretch, xenial, and bionic have older versions) this uncovered a grave packaging bug. The blueman package recommends policykit-1, but blueman does not have such "runtime-optional" Polkit-1 support, and as libpolkit-agent-1-dev is not a build dependency, Polkit-1 support is always disabled 🤦‍♂️.
>
> We have a private fix for the interface available in https://github.com/blueman-project/blueman/security/advisories/GHSA-jpc9-mgw6-2xwx for 2-1-stable (attached as 2.1.patch; seems to apply fine to all 2.1 versions), master, and backported to 2.0.8 (attached as 2.0.patch; seems to apply nicely to all 2.0 versions).
>
> I propose:
>
> stretch 2.0.4, xenial 2.0.4, bionic 2.0.5, buster 2.0.8: Apply 2.0.patch
> focal 2.1.2: Apply 2.1.patch
>
> buster 2.0.8, focal 2.1.2: Add libpolkit-agent-1-dev as a build dependency and make policykit-1 a mandatory runtime dependency
>
> bullseye 2.1.3, groovy 2.1.3: I will prepare 2.1.4 with both fixes and would let my sponsor Nobuhiro (CC) upload it to unstable as usual, but that will probably reach users only after the security advisory has been disclosed. Or would you prefer a security release for bullseye as well instead?
>
> I think it makes sense to await coordinated security releases for Debian and Ubuntu before we apply the fixes upstream, release 2.1.4, and disclose the security advisory. Most other distributions should be good, as nobody fucked up Polkit-1 support like I did for the Debian package. 🙈