[Bug 1033296] New: AUDIT-0: kwalletmanager5: new DBus service org.kde.kcontrol.kcmkwallet5
http://bugzilla.suse.com/show_bug.cgi?id=1033296

Bug ID: 1033296
Summary: AUDIT-0: kwalletmanager5: new DBus service org.kde.kcontrol.kcmkwallet5
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: matthias.gerstner@suse.com
QA Contact: qa-bugs@suse.de
CC: lbeltrame@kde.org
Found By: ---
Blocker: ---

It's come to the attention of the security team that the package KDE:Applications/kwalletmanager5 slipped into openSUSE:Factory and openSUSE:Leap 42.{1,2} without going through a proper DBus/polkit review.

It is against policy to override the rpmlint messages for DBus/polkit via rpmlintrc.

It seems this was already reviewed in bug 849739. The service obviously got renamed from kcmwallet to kcmwallet5. But maybe there's more to it.

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1033296#c1

--- Comment #1 from Luca Beltrame <lbeltrame@kde.org> ---
As far as I can remember, it was a pure rename to allow co-existence of kcmwallet (kdelibs version) and kcmwallet5 (KF5) services on the same machine. There should be no functional changes (upstream is even considering providing a single service for both).

http://bugzilla.suse.com/show_bug.cgi?id=1033296#c2

Luca Beltrame <lbeltrame@kde.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fabian@ritter-vogt.de,
                   |                            |tittiatcoke@gmail.com

--- Comment #2 from Luca Beltrame <lbeltrame@kde.org> ---
I added two more team members in case you need further information. Raymond, do you remember if it was just a rename?

http://bugzilla.suse.com/show_bug.cgi?id=1033296

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |matthias.gerstner@suse.com

http://bugzilla.suse.com/show_bug.cgi?id=1033296#c3

Fabian Vogt <fvogt@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fvogt@suse.com

--- Comment #3 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Matthias Gerstner from comment #0)
> It's come to the attention of the security team that the package KDE:Applications/kwalletmanager5 slipped into openSUSE:Factory and openSUSE:Leap 42.{1,2} without going through a proper DBus/polkit review.
>
> It is against policy to override the rpmlint messages for DBus/polkit via rpmlintrc.

I don't see an rpmlintrc in the package, so how did that happen?

> It seems this was already reviewed in bug 849739. The service obviously got renamed from kcmwallet to kcmwallet5. But maybe there's more to it.

Yes it did. The services do coexist for now, an implementation of kcmwallet in kwalletmanager5 is being worked on.

http://bugzilla.suse.com/show_bug.cgi?id=1033296#c4

--- Comment #4 from Matthias Gerstner <matthias.gerstner@suse.com> ---
(In reply to fvogt@suse.com from comment #3)
> > It is against policy to override the rpmlint messages for DBus/polkit via rpmlintrc.
>
> I don't see an rpmlintrc in the package, so how did that happen?

The rpmlintrc is created on-the-fly via %install section of the spec file.

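Added example, not part of the bug thread or of any SUSE tooling: a Python check a package reviewer could run over a spec file to spot an rpmlint override that is generated during the build, as described in comment #4, instead of being shipped as a visible source file. The sample spec, its package name and the function name are constructed for illustration; the thread does not show how the real spec wrote its file.

```python
import re

# Sections whose shell code runs during the build.
BUILD_SECTIONS = {"prep", "build", "install", "check"}
# Other directives that end a build section.
OTHER_SECTIONS = {"description", "package", "files", "changelog",
                  "pre", "post", "preun", "postun"}
SECTION_RE = re.compile(r"^%(\w+)")
# An rpmlintrc file name, or the rpmlint config calls that silence a check.
OVERRIDE_RE = re.compile(r"rpmlintrc|addFilter|setBadness")
SECURITY_RE = re.compile(r"dbus|polkit", re.IGNORECASE)


def find_rpmlint_overrides(spec_text):
    """Return build-section lines that create or edit rpmlint overrides."""
    findings, section = [], None
    for lineno, line in enumerate(spec_text.splitlines(), 1):
        m = SECTION_RE.match(line.strip())
        if m and m.group(1) in BUILD_SECTIONS | OTHER_SECTIONS:
            section = m.group(1)  # macros such as %setup are not sections
            continue
        if section in BUILD_SECTIONS and OVERRIDE_RE.search(line):
            findings.append({"section": section, "line": lineno,
                             "security": bool(SECURITY_RE.search(line)),
                             "text": line.strip()})
    return findings


# Constructed sample spec (hypothetical package "example-kcm").
SAMPLE_SPEC = """\
Name:           example-kcm
Version:        1.0
%description
Constructed sample package.
%prep
%setup -q
%install
%make_install
echo 'addFilter("suse-dbus-unauthorized-service")' >> example-kcm-rpmlintrc
%files
%{_bindir}/example-kcm
%changelog
- a mention of rpmlintrc outside a build section is not flagged
"""

if __name__ == "__main__":
    for f in find_rpmlint_overrides(SAMPLE_SPEC):
        tag = "DBus/polkit filter" if f["security"] else "rpmlint override"
        print(f"%{f['section']} line {f['line']}: {tag}: {f['text']}")
```
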
http://bugzilla.suse.com/show_bug.cgi?id=1033296#c5

--- Comment #5 from Luca Beltrame <lbeltrame@kde.org> ---
Proof that the files are identical:

https://git.reviewboard.kde.org/r/115218/

http://bugzilla.suse.com/show_bug.cgi?id=1033296#c6

--- Comment #6 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Matthias Gerstner from comment #4)
> (In reply to fvogt@suse.com from comment #3)
> > > It is against policy to override the rpmlint messages for DBus/polkit via rpmlintrc.
> >
> > I don't see an rpmlintrc in the package, so how did that happen?
>
> The rpmlintrc is created on-the-fly via %install section of the spec file.

Oh god, that's truly awful :-/

http://bugzilla.suse.com/show_bug.cgi?id=1033296#c7

--- Comment #7 from Matthias Gerstner <matthias.gerstner@suse.com> ---
Thank you all for the additional input. We will check up on this.

When we've whitelisted the renamed service please remove the rpmlintrc hack.

http://bugzilla.suse.com/show_bug.cgi?id=1033296#c8

--- Comment #8 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1033296) was mentioned in
https://build.opensuse.org/request/show/487407 Factory / rpmlint

http://bugzilla.suse.com/show_bug.cgi?id=1033296#c9

--- Comment #9 from Matthias Gerstner <matthias.gerstner@suse.com> ---
I've reviewed the old and new implementation. It indeed is identical.

Updates for the polkit / dbus whitelist for kwalletmanager5 have been submitted to factory.

http://bugzilla.suse.com/show_bug.cgi?id=1033296#c10

--- Comment #10 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1033296) was mentioned in
https://build.opensuse.org/request/show/487559 Factory / polkit-default-privs

http://bugzilla.suse.com/show_bug.cgi?id=1033296#c11

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |krahmer@suse.com

--- Comment #11 from Sebastian Krahmer <krahmer@suse.com> ---
Nice. Can be closed as resolved then?

http://bugzilla.suse.com/show_bug.cgi?id=1033296#c12

--- Comment #12 from Matthias Gerstner <matthias.gerstner@suse.com> ---
(In reply to krahmer@suse.com from comment #11)
> Nice. Can be closed as resolved then?

I will close it when the whitelisting has been accepted to factory.

http://bugzilla.suse.com/show_bug.cgi?id=1033296#c13

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #13 from Matthias Gerstner <matthias.gerstner@suse.com> ---
The whitelisting of the renamed service is now present in openSUSE:Factory.

You can now remove the rpmlint override from the spec file. Thank you.

Closing this bug.

http://bugzilla.suse.com/show_bug.cgi?id=1033296

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|                            |ibs:running:5537:low

http://bugzilla.suse.com/show_bug.cgi?id=1033296#c16

--- Comment #16 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2017:2341-1: An update that has 19 recommended fixes can now be installed.

Category: recommended (low)
Bug References: 1004346,1007053,1007723,1019748,1032649,1032717,1033296,1033554,1034309,1039290,1039709,1039848,1049694,846337,917781,984817,987141,996111,997880
CVE References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): rpmlint-1.5-41.3.1, rpmlint-mini-1.8-2.2.3

http://bugzilla.suse.com/show_bug.cgi?id=1033296

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|ibs:running:5537:low        |