Bug ID | 1209376 |
---|---|
Summary | libproxy 0.5.0 - dbus security review |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | dimstar@opensuse.org |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |

libproxy 0.5.0 is quite a massive rewrite over 0.4.x.

The main architecture is:

* Client library (libproxy.so.1) - full API/ABI compatible to version 0.4
* Logic is extracted to a proxyd, running on dbus (caching and javascript processing outside of the calling application)

By default, it runs on the session bus (accessing gnome/kde settings).

If the session bus version cannot be started (i.e. sudo, su, non-x systems), it falls back to system bus, which essentially limits the daemon to read /etc/sysconfig/proxy (no gnome/kde info available).

The new daemon needs a sec review:

[ 75s] libproxy-daemon.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system.d/org.libproxy.proxy.conf (sha256 file digest default filter:79eacc14b56307b53f422d590a466f1fdbb8334bd6ce2bd7f3e9e1006c3572d0 shell filter:294367cafc0d1cd968447c30bcde4cb54294dcfbd73167762ce2a9252dacc72b xml filter:dbf31ac3aa2696580e6c1f44d1d4b20bc9cc6d2986f61a5f497560679910d04f)
[ 75s] libproxy-daemon.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system-services/org.libproxy.proxy.service (sha256 file digest default filter:70c03f2f079ec0396522b0e79a9b60db8f1cc84a6febf032fa0d49e4575a197b shell filter:9dce0096a3e2bd1c614c2c31f1c7e9cd3bc9d3ce0ea61e1fa661ca5fe28a04f3 xml filter:<failed-to-calculate>)
[ 75s] Packaging D-Bus services requires a review and whitelisting by the SUSE
[ 75s] security team. If the package is intended for inclusion in any SUSE product
[ 75s] please open a bug report to request review of the package by the security
[ 75s] team. Please refer to
[ 75s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 75s] more information.

Package is currently available in home:dimstar:Factory - upstream works on https://github.com/janbrummer/libproxy2 for the time being (until ready to merge in libproxy/libproxy).