Bug#1094257: mpris-proxy running as root

    From Guido Günther@21:1/5 to Salvatore Bonaccorso on Sat May 17 18:20:01 2025
    Hi,

    On Sat, May 17, 2025 at 03:17:20PM +0200, Salvatore Bonaccorso wrote:
    > Hi,
    >
    > On Fri, May 09, 2025 at 12:25:11PM -0400, Jeremy Bícha wrote:
    > > On Fri, May 9, 2025 at 11:27 AM Antonio Russo <aerusso@aerusso.net> wrote:
    > > > I'm tagging this bug as a security bug because it needlessly
    > > > starts a process that should not be running as root.
    > >
    > > Have you sent your patch to the security contact at https://www.bluez.org/development/security-bugs/ yet?
    >
    > I noticed that there is an upstream report here: https://lore.kernel.org/linux-bluetooth/a15e6919-9000-4628-baec-a2d2cc327903@aerusso.net/

    I've followed up there. Thanks for pulling me into the loop.

    FWIW, while there are security concerns, I think it needs to be
    handled upstream first, and Debian not diverge. So once this is
    applied upstream it might or might not flow in time into trixie before release.

    In what situations would the user service for root be spawned? It's not
    used for su, sudo or ssh as far as I can tell. This leaves tty and
    graphical logins (which we can ignore as they're unsafe anyway). Are
    there other cases? If not I'd say lowering severity and waiting a bit
    longer to see what upstream says should be o.k.

    That said, the patch isn't huge so cherry-picking it into the next
    upload wouldn't hurt either.

    Cheers,
    -- Guido
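The question above is whether a systemd user unit gets started in root's user session at all. As an added example, not code from this thread or from bluez, the script below emulates systemd's ConditionUser= directive so an administrator can check, offline, whether a given user unit would be held back for root; the sample unit files and the 1000 system-UID boundary are assumptions.

```sh
#!/bin/sh
# Added example, not from the bug thread or bluez: check whether a systemd user
# unit would start inside root's user session, by emulating the ConditionUser=
# directive (forms: user name, numeric UID, @system, optionally negated with a
# leading '!'). Sample unit texts are constructed inline.

# condition_user_matches COND UID NAME -> 0 if ConditionUser value COND holds
condition_user_matches() {
    cond=$1; uid=$2; name=$3
    negate=0
    case $cond in
        '!'*) negate=1; cond=${cond#!} ;;
    esac
    result=1
    case $cond in
        @system) [ "$uid" -lt 1000 ] && result=0 ;;  # assumed system-UID boundary
        "$uid"|"$name") result=0 ;;
    esac
    if [ "$negate" -eq 1 ]; then
        if [ "$result" -eq 0 ]; then return 1; else return 0; fi
    fi
    return "$result"
}

# unit_would_start UNIT_TEXT UID NAME -> 0 if every ConditionUser= line holds
# (systemd requires all of them; a unit with none is never held back).
# Section headers are not parsed: only ConditionUser= lines are considered.
unit_would_start() {
    conds=$(printf '%s\n' "$1" | sed -n 's/^ConditionUser=[[:space:]]*//p')
    for c in $conds; do
        condition_user_matches "$c" "$2" "$3" || return 1
    done
    return 0
}

# Constructed sample: no guard, so root's user manager starts it like any other
UNGUARDED_UNIT='[Unit]
Description=constructed sample proxy, unguarded

[Service]
ExecStart=/bin/true'

# Constructed sample: same unit, held back in root's user session
GUARDED_UNIT='[Unit]
Description=constructed sample proxy, guarded
ConditionUser=!root

[Service]
ExecStart=/bin/true'

unit_would_start "$UNGUARDED_UNIT" 0 root && echo "unguarded unit: starts for root"
unit_would_start "$GUARDED_UNIT" 0 root || echo "guarded unit: skipped for root"
unit_would_start "$GUARDED_UNIT" 1000 alice && echo "guarded unit: starts for alice"
```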
