=== modified file 'debian/changelog'
--- debian/changelog 2016-08-27 19:49:23 +0000
+++ debian/changelog 2016-08-27 20:20:16 +0000
@@ -1,3 +1,13 @@
+firewalld (0.4.0-1ubuntu1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Any logged in user could modify passthrough rules
+ and set ipset entries (LP: #1617617)
+ - debian/patches/CVE-2016-5410.patch: Enforce appropriate PolicyKit
+ authentication requirements, based on upstream 0.4.3.3 commit
+ - CVE-2016-5410
+
+ -- Jeremy Bicha Sat, 27 Aug 2016 16:09:27 -0400
+
 firewalld (0.4.0-1) unstable; urgency=medium
 
 * Team upload.
=== modified file 'debian/control'
--- debian/control 2016-08-27 19:49:23 +0000
+++ debian/control 2016-08-27 20:24:41 +0000
@@ -1,7 +1,8 @@
 Source: firewalld
 Section: net
 Priority: optional
-Maintainer: Utopia Maintenance Team
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Utopia Maintenance Team
 Uploaders: Michael Biebl
 Build-Depends: debhelper (>= 9),
 dh-python,
=== added file 'debian/patches/CVE-2016-5410.patch'
--- debian/patches/CVE-2016-5410.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/CVE-2016-5410.patch 2016-08-27 20:08:34 +0000
@@ -0,0 +1,54 @@
+From 0371995a58ec4c777960007b7dbee93933f760cb Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Tue, 16 Aug 2016 16:18:10 +0200
+Subject: [PATCH] Fix CVE-2016-5410: Firewall configuration can be modified by
+ any logged in user
+
+Any locally logged in user, could add and remove tracked passthrough rules
+and could set ipset entries.
+
+Bug-Ubuntu: https://launchpad.net/bugs/1617617
+Refreshed for Ubuntu 16.04 by Jeremy Bicha
+---
+ src/firewall/server/firewalld.py | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+Index: firewalld-0.4.0/src/firewall/server/firewalld.py
+===================================================================
+--- firewalld-0.4.0.orig/src/firewall/server/firewalld.py
++++ firewalld-0.4.0/src/firewall/server/firewalld.py
+@@ -55,8 +55,8 @@ class FirewallD(slip.dbus.service.Object
+ 
+ persistent = True
+ """ Make FirewallD persistent. """
+- default_polkit_auth_required = PK_ACTION_INFO
+- """ Use PK_ACTION_INFO as a default """
++ default_polkit_auth_required = PK_ACTION_CONFIG
++ """ Use PK_ACTION_CONFIG as a default """
+ 
+ @handle_exceptions
+ def __init__(self, *args, **kwargs):
+@@ -1908,6 +1908,7 @@ class FirewallD(slip.dbus.service.Object
+ 
+ # DIRECT PASSTHROUGH (tracked)
+ 
++ @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT)
+ @dbus_service_method(DBUS_INTERFACE_DIRECT, in_signature='sas',
+ out_signature='')
+ @dbus_handle_exceptions
+@@ -2035,6 +2036,7 @@ class FirewallD(slip.dbus.service.Object
+ 
+ # set entries # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+ 
++ @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
+ @dbus_service_method(DBUS_INTERFACE_IPSET, in_signature='ss',
+ out_signature='')
+ @dbus_handle_exceptions
+@@ -2047,6 +2049,7 @@ class FirewallD(slip.dbus.service.Object
+ self.fw.ipset.add_entry(ipset, entry)
+ self.EntryAdded(ipset, entry)
+ 
++ @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
+ @dbus_service_method(DBUS_INTERFACE_IPSET, in_signature='ss',
+ out_signature='')
+ @dbus_handle_exceptions
=== modified file 'debian/patches/series'
--- debian/patches/series 2016-08-27 19:49:23 +0000
+++ debian/patches/series 2016-08-27 20:08:34 +0000
@@ -1,2 +1,3 @@
 01-no-sysconfig.patch
 04-python3.patch
+CVE-2016-5410.patch
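Review bot: The diffstat kept in the patch header (`src/firewall/server/firewalld.py | 10 +++++++---` and `7 insertions(+), 3 deletions(-)`) no longer matches the refreshed hunks, whose `@@` counts add 5 lines and remove 2, so the backport appears to carry less than the upstream 0.4.3.3 commit it cites; confirm against upstream that no further D-Bus method lost its `require_auth` annotation in the refresh, and update or drop the stale diffstat lines so the next refresher is not misled. Changing `default_polkit_auth_required` to `PK_ACTION_CONFIG` is the fail-closed choice, but it also means every `dbus_service_method` without an explicit `require_auth` now demands config-level PolicyKit authorization, including any read-only query methods that previously relied on the `PK_ACTION_INFO` default; those methods lie outside the shown context and should be checked for regressions against unprivileged clients. The three added `require_auth` decorators sit correctly above `@dbus_service_method`, yet the `def` lines of the passthrough and ipset-entry methods they guard fall outside the hunk, so the patch alone does not show which methods are bound. A one-line comment beside the class attribute, e.g. `# Applies to every D-Bus method without an explicit require_auth (CVE-2016-5410)`, would make the intent of the new default explicit to future maintainers.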