[Bug 1209376] New: libproxy 0.5.0 - dbus security review
http://bugzilla.opensuse.org/show_bug.cgi?id=1209376

Bug ID:         1209376
Summary:        libproxy 0.5.0 - dbus security review
Classification: openSUSE
Product:        openSUSE Tumbleweed
Version:        Current
Hardware:       Other
OS:             Other
Status:         NEW
Severity:       Normal
Priority:       P5 - None
Component:      Security
Assignee:       security-team@suse.de
Reporter:       dimstar@opensuse.org
QA Contact:     qa-bugs@suse.de
Found By:       ---
Blocker:        ---

libproxy 0.5.0 is quite a massive rewrite over 0.4.x.

The main architecture is:
* Client library (libproxy.so.1) - fully API/ABI compatible with version 0.4
* Logic is extracted to a proxyd, running on dbus (caching and javascript processing outside of the calling application)

By default, it runs on the session bus (accessing gnome/kde settings).

If the session bus version cannot be started (i.e. sudo, su, non-X systems), it falls back to the system bus, which essentially limits the daemon to reading /etc/sysconfig/proxy (no gnome/kde info available).

The new daemon needs a sec review:

[ 75s] libproxy-daemon.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system.d/org.libproxy.proxy.conf (sha256 file digest default filter:79eacc14b56307b53f422d590a466f1fdbb8334bd6ce2bd7f3e9e1006c3572d0 shell filter:294367cafc0d1cd968447c30bcde4cb54294dcfbd73167762ce2a9252dacc72b xml filter:dbf31ac3aa2696580e6c1f44d1d4b20bc9cc6d2986f61a5f497560679910d04f)
[ 75s] libproxy-daemon.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system-services/org.libproxy.proxy.service (sha256 file digest default filter:70c03f2f079ec0396522b0e79a9b60db8f1cc84a6febf032fa0d49e4575a197b shell filter:9dce0096a3e2bd1c614c2c31f1c7e9cd3bc9d3ce0ea61e1fa661ca5fe28a04f3 xml filter:<failed-to-calculate>)
[ 75s] Packaging D-Bus services requires a review and whitelisting by the SUSE
[ 75s] security team. If the package is intended for inclusion in any SUSE product
[ 75s] please open a bug report to request review of the package by the security
[ 75s] team. Please refer to
[ 75s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 75s] more information.

Package is currently available in home:dimstar:Factory - upstream works on https://github.com/janbrummer/libproxy2 for the time being (until ready to merge in libproxy/libproxy).