[Bug 767770] New: Wicd dbus authorization
https://bugzilla.novell.com/show_bug.cgi?id=767770
https://bugzilla.novell.com/show_bug.cgi?id=767770#c0

Summary: Wicd dbus authorization
Classification: Internal Novell Products
Product: openSUSE Build Service
Version: 2.0
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: General
AssignedTo: adrian@suse.com
ReportedBy: p.drouand@gmail.com
QAContact: adrian@suse.com
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0

Please review dbus policy for allowing the use of wicd

Reproducible: Always

Steps to Reproduce:
1. run build process
2. rpm lint: suse-dbus-unauthorized-service /etc/dbus-1/system.d/wicd.conf
3.

Actual Results:
suse-dbus-unauthorized-service /etc/dbus-1/system.d/wicd.conf

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=767770#c1
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=767770#c2
--- Comment #2 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=767770#c3
--- Comment #3 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=767770#c4
--- Comment #4 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=767770#c5
--- Comment #5 from phil osophe
https://bugzilla.novell.com/show_bug.cgi?id=767770#c6
--- Comment #6 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=767770#c7
Andreas Stieger
But we have proven in the past that wicd contains root holes. Do we want that again?
Certainly not. I suggest the following steps going forward to get to an informed decision either way:

Sebastian, can you please provide information/bug/ML references to the last review you are referring to?

Phil, can you then please outline how development of wicd has since addressed these issues? Failing to do that would mean that wicd will not become part of openSUSE.

Is that a reasonable way forward?

Some recent highlights:

1.7.2.4 priv escalation exploit for wicd possible
1.7.2.2 Fix for CVE-2012-2095 invalidates most encryption templates
https://launchpad.net/wicd/+announcement/9888
1.7.2: Major Changes:
- Fix local privilege escalation when setting configuration properties through the daemon's DBus interface (CVE-2012-2095).
- Support passing no driver to wpa_supplicant.
https://bugzilla.novell.com/show_bug.cgi?id=767770#c8
Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=767770#c9
Andreas Stieger
Phil, can you then please outline how development of wicd has since addressed these issues? Failing to do that would mean that wicd will not become part of openSUSE.
Phil, please make a statement/case as to the security situation of wicd considering the above and other currently reported issues.

+cc a packager who asked for a review.
https://bugzilla.novell.com/show_bug.cgi?id=767770#c10
--- Comment #10 from phil osophe
https://bugzilla.novell.com/show_bug.cgi?id=767770#c11
--- Comment #11 from Andreas Stieger
As latest bugs report and in regards of security bugs report, I can say that security vulnerabilities seem to be fixed. They seem to be all closed and fixed.
When you are done supplying information, please tick the box below to remove the NEEDINFO and assign it back to the security team.
https://bugzilla.novell.com/show_bug.cgi?id=767770#c12
phil osophe
https://bugzilla.novell.com/show_bug.cgi?id=767770#c13
--- Comment #13 from phil osophe
https://bugzilla.novell.com/show_bug.cgi?id=767770#c14
Hrvoje Senjan
https://bugzilla.novell.com/show_bug.cgi?id=767770#c15
--- Comment #15 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=767770#c16
Rahim Barbamas
https://bugzilla.novell.com/show_bug.cgi?id=767770#c17
--- Comment #17 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=767770#c18
Sebastian Krahmer