[Bug 1222159] New: gnome-remote-desktop 46.0 needs audit for dbus service and polkit privileges
https://bugzilla.suse.com/show_bug.cgi?id=1222159

Bug ID: 1222159
Summary: gnome-remote-desktop 46.0 needs audit for dbus service and polkit privileges
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: dimstar@opensuse.org
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

As part of GNOME 46.0, gnome-remote-desktop was also updated - but not submitted, as we lack freerdp3 in Factory so far.

freerdp is currently in the queue, which allowed me to do a local build against the adi project and get the relevant errors from the build:

[ 14s] gnome-remote-desktop.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.gnome.remotedesktop.configure-system-daemon (auth_admin:auth_admin:auth_admin_keep)
[ 14s] The polkit action is not listed in the polkit-default-privs profiles which
[ 14s] makes it harder for admins to find. Furthermore improper polkit authorization
[ 14s] checks can easily introduce security issues. If the package is intended for
[ 14s] inclusion in any SUSE product please open a bug report to request review of
[ 14s] the package by the security team. Please refer to
[ 14s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 14s] more information.
[ 14s] gnome-remote-desktop.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system.d/org.gnome.RemoteDesktop.conf (sha256 file digest default filter:1f030b4ab73fe66d7fb57bd4085535b51dd63bdcd557338bc00b0b758f17e8b8 shell filter:6dcb7d0c4e6650477212e08f5c223aa19695204af8adf5a13e772a0199bf7667 xml filter:313b3194f2acb97640267d67722a2a62327acf3c9723f5163e0d028745311fdb)
[ 14s] gnome-remote-desktop.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system-services/org.gnome.RemoteDesktop.service (sha256 file digest default filter:478f680764e64a714223fa83d326add2720e8ff02a3fc159687c0132992d4f6f shell filter:1053fce12e03e219ff4518c8498b3ce1983597961afcefa93be25005414a50d8 xml filter:<failed-to-calculate>)
[ 14s] Packaging D-Bus services requires a review and whitelisting by the SUSE
[ 14s] security team. If the package is intended for inclusion in any SUSE product
[ 14s] please open a bug report to request review of the package by the security
[ 14s] team. Please refer to
[ 14s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 14s] more information.

The source package can be found in GNOME:Factory/gnome-remote-desktop

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1222159

Joan Torres <joan.torres@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joan.torres@suse.com

--
You are receiving this mail because:
You are on the CC list for the bug.