Debian has issued an advisory on October 27: https://www.debian.org/security/2020/dsa-4781 The issue is fixed upstream in 2.1.4. Attention needs to be paid to the mitigation instructions in the CVE description as well. I believe the correct changes were made in r1363060 by Jani, but these will need to be backported to Mageia 7.
CC: (none) => geiger.david68210, jani.valimaa
Whiteboard: (none) => MGA7TOO
Ubuntu has issued an advisory for this on October 27: https://ubuntu.com/security/notices/USN-4605-1
blueman-2.1.4-1.mga8 uploaded for Cauldron by David Geiger.
Source RPM: blueman-2.1.3-2.mga8.src.rpm => blueman-2.1-0.beta1.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Updated package uploaded for Mageia 7 by David Geiger.

Advisory:
========================

Updated blueman package fixes security vulnerability:

Vaisha Bernard discovered that blueman did not properly sanitize input on the D-Bus interface to blueman-mechanism. A local attacker could possibly use this issue to escalate privileges and run arbitrary code or cause a denial of service (CVE-2020-15238).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15238
https://ubuntu.com/security/notices/USN-4605-1
========================

Updated packages in core/updates_testing:
========================
blueman-2.1.4-1.mga7

from blueman-2.1.4-1.mga7.src.rpm
Assignee: bugsquad => qa-bugs
mga7, x64

Could not follow the description of the exploit after following the CVE link so skipped the PoC. Updated blueman and connected to a bluetooth audio device immediately and it showed up in pulseaudio volume control. Played a WAV file via sox. Looks fine.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
Good enough for me. Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory pushed to SVN.
CC: (none) => ouaurelien
Keywords: (none) => advisory
(In reply to David Walser from comment #0)
> Attention needs to be paid to the mitigation instructions in the CVE
> description as well. I believe the correct changes were made in r1363060 by
> Jani, but these will need to be backported to Mageia 7.

This wasn't done. I think Ubuntu made this change in a subsequent update:
https://ubuntu.com/security/notices/USN-4605-2
Whiteboard: MGA7-64-OK => (none)
CC: (none) => qa-bugs
Assignee: qa-bugs => geiger.david68210
Keywords: advisory, validated_update => (none)
(In reply to David Walser from comment #7)
> (In reply to David Walser from comment #0)
> > Attention needs to be paid to the mitigation instructions in the CVE
> > description as well. I believe the correct changes were made in r1363060 by
> > Jani, but these will need to be backported to Mageia 7.
>
> This wasn't done.

I really don't understand what is missing here?
See the commit I referenced.
The change for blueman-applet.service renamed to org.blueman.Applet.service is already done in release 2.1.4.
Ahh yes the commit is in Mageia 7 after all.
Assignee: geiger.david68210 => qa-bugs
CC: qa-bugs => (none)
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0402.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED