iio-sensor-proxy: Insecure configuration of dbus service
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
IIO Sensor Proxy | Fix Released | Unknown | |
iio-sensor-proxy (Debian) | Fix Released | Unknown | |
iio-sensor-proxy (Ubuntu) | Fix Released | High | Unassigned |
Xenial | Fix Released | High | Unassigned |
Yakkety | Fix Released | High | Unassigned |
Bug Description
The dbus configuration for iio-sensor-proxy allowed any process on the system bus to send an org.freedesktop
https:/
This was fixed in the upstream version 2.1
and in Debian's 2.0-4 (which was autosynced to zesty).
Test Case
=========
dbus-send --system --dest=
--print-reply / org.freedesktop
Bad response:
Error org.freedesktop
'org.freedeskt
Good response:
Error org.freedesktop
comm="dbus-send --system --dest=
interface=
name="(unset)" requested_reply="0"
destination=
comm="
Testing Done
============
I built the packages in my PPA and installed to Ubuntu GNOME 16.04.2 and 16.10. The test cases completed successfully after install; no log out required.
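For anyone reviewing other system-bus policy files for the same class of problem, the following is an added example, not part of the original report or of the iio-sensor-proxy project. It parses a D-Bus policy file and flags `<allow>` send rules that name no `send_destination`, which therefore match messages addressed to any service on the bus. The policy text and the `com.example.Sensor` name are constructed, and the rule shape it flags is an assumption, since the rule text in this report is cut off.

```python
"""Audit a D-Bus bus policy for allow rules that are not scoped to a destination."""
import xml.etree.ElementTree as ET

# Constructed sample policy; com.example.Sensor is a placeholder name, not the
# project's real bus name or shipped configuration.
WEAK_POLICY = """<busconfig>
  <policy user="root">
    <allow own="com.example.Sensor"/>
  </policy>
  <policy context="default">
    <allow send_interface="org.freedesktop.DBus.Properties"/>
    <allow send_destination="com.example.Sensor" send_interface="com.example.Sensor"/>
  </policy>
</busconfig>"""

# Assumed correction: the same rule, scoped to the service's own bus name.
FIXED_POLICY = WEAK_POLICY.replace(
    '<allow send_interface="org.freedesktop.DBus.Properties"/>',
    '<allow send_destination="com.example.Sensor" '
    'send_interface="org.freedesktop.DBus.Properties"/>')

SEND_ATTRS = ("send_interface", "send_member", "send_type", "send_path", "send_error")


def audit_policy(xml_text):
    """Return (policy scope, rule attributes) for each <allow> send rule that
    names no send_destination and so applies to messages for any service."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        scope = ", ".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for rule in policy.findall("allow"):
            is_send_rule = any(a in rule.attrib for a in SEND_ATTRS)
            if is_send_rule and "send_destination" not in rule.attrib:
                findings.append((scope, dict(rule.attrib)))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        hits = audit_policy(text)
        print(f"{label}: {len(hits)} unscoped allow rule(s)")
        for scope, attrs in hits:
            print(f"  policy[{scope}] allow {attrs}")
```
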
description: updated
Changed in iio-sensor-proxy:
status: Unknown → Fix Released
description: updated
Changed in iio-sensor-proxy (Ubuntu):
status: New → Confirmed
Changed in iio-sensor-proxy (Ubuntu Xenial):
status: New → Confirmed
Changed in iio-sensor-proxy (Ubuntu Yakkety):
status: New → Confirmed
Changed in iio-sensor-proxy (Debian):
status: Unknown → Fix Released
Changed in iio-sensor-proxy (Ubuntu):
importance: Undecided → High
Changed in iio-sensor-proxy (Ubuntu Xenial):
importance: Undecided → High
Changed in iio-sensor-proxy (Ubuntu Yakkety):
importance: Undecided → High
Changed in iio-sensor-proxy (Ubuntu):
status: Confirmed → Fix Released
ACK on the debdiffs in comments 1 and 2. Packages are building now and will be released as security updates. Thanks!