[Pkg-utopia-maintainers] Bug#1135642: trixie-pu: package firewalld/2.3.1-1+deb13u1
Michael Biebl
biebl at debian.org
Mon May 4 00:29:19 BST 2026
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: firewalld at packages.debian.org
Control: affects -1 + src:firewalld
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
The security team contacted me about
https://security-tracker.debian.org/tracker/CVE-2026-4948
A flaw was found in firewalld. A local unprivileged user can exploit
this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus)
setters, setZoneSettings2 and setPolicySettings. This mis-authorization
allows the user to modify the runtime firewall state without proper
authentication, leading to unauthorized changes in network security
configurations.
This only happens, though, if the user uses the desktop policy shipped by
firewalld (the default is the more restrictive server policy).
We therefore concluded that a DSA is not necessary but fixing this via a
stable upload might be worthwhile.
[ Impact ]
Users who have chosen to use the desktop policy via
update-alternatives --config org.fedoraproject.FirewallD1.policy will be
vulnerable to this flaw unless fixed by the stable upload.
[ Tests ]
The package ships an extensive autopkgtest suite.
The patch is a backport from an upstream commit and has been available
in sid/forky for a while.
[ Risks ]
The patch is rather minimal, so I don't expect any regressions (aside
from the obvious change in behaviour, i.e. users will have
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
diff --git a/debian/changelog b/debian/changelog
index c834a4b9..152cb3a0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+firewalld (2.3.1-1+deb13u1) trixie; urgency=medium
+
+ * fix(policy): use PK_ACTION_CONFIG for set{ZoneSettings2,PolicySettings}
+ This prevents local users from being able to modify runtime firewall state
+ without prior authentication if the desktop policy is active.
+ (CVE-2026-4948)
+
+ -- Michael Biebl <biebl at debian.org> Mon, 04 May 2026 01:08:28 +0200
+
firewalld (2.3.1-1) unstable; urgency=medium
* New upstream version 2.3.1
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 05e704d0..3477505d 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,5 @@
[DEFAULT]
pristine-tar = True
patch-numbers = False
-debian-branch = debian/master
+debian-branch = debian/trixie
upstream-branch = upstream/latest
diff --git a/debian/patches/fix-policy-use-PK_ACTION_CONFIG-for-set-ZoneSettings2-Pol.patch b/debian/patches/fix-policy-use-PK_ACTION_CONFIG-for-set-ZoneSettings2-Pol.patch
new file mode 100644
index 00000000..62367d2d
--- /dev/null
+++ b/debian/patches/fix-policy-use-PK_ACTION_CONFIG-for-set-ZoneSettings2-Pol.patch
@@ -0,0 +1,34 @@
+From: Sizhe Zhao <prc.zhao at outlook.com>
+Date: Tue, 31 Mar 2026 20:46:50 +0800
+Subject: fix(policy): use PK_ACTION_CONFIG for
+ set{ZoneSettings2,PolicySettings}
+
+Reference: https://access.redhat.com/security/cve/cve-2026-4948
+(cherry picked from commit 5fb3914ad830feff6cb2b0670457c60a323c6c6c)
+(cherry picked from commit 8cb2dedc0ec7e177c36d331c449f189c11a1d23d)
+---
+ src/firewall/server/firewalld.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
+index 6280252..9f969d8 100644
+--- a/src/firewall/server/firewalld.py
++++ b/src/firewall/server/firewalld.py
+@@ -938,7 +938,7 @@ class FirewallD(DbusServiceObject):
+ log.debug1("getZoneSettings2(%s)", zone)
+ return self.fw.zone.get_config_with_settings_dict(zone)
+
+- @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
++ @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG)
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature="sa{sv}")
+ @dbus_handle_exceptions
+ def setZoneSettings2(self, zone, settings, sender=None):
+@@ -965,7 +965,7 @@ class FirewallD(DbusServiceObject):
+ log.debug1("policy.getPolicySettings(%s)", policy)
+ return self.fw.policy.get_config_with_settings_dict(policy)
+
+- @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
++ @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG)
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_POLICY, in_signature="sa{sv}")
+ @dbus_handle_exceptions
+ def setPolicySettings(self, policy, settings, sender=None):
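Review bot: the only functional change in this hunk is the decorator argument on the two `@dbus_polkit_require_auth` lines, which moves `setZoneSettings2` and `setPolicySettings` from `config.dbus.PK_ACTION_CONFIG_INFO` to `config.dbus.PK_ACTION_CONFIG`, i.e. the same polkit action class that state-modifying configuration methods are expected to require; that is the correct minimal fix for the described mis-authorization. Two things to confirm before the upload: the [Tests] section relies on the autopkgtest suite, but nothing in the hunk or the bug report shows that the suite exercises an unauthenticated call to either setter while the desktop policy is selected, so a quick manual check (or a note that the suite already covers it) would close that gap; and the patch header carries `Reference:` plus the two `(cherry picked from commit ...)` lines but no DEP-3 `Origin:` or `Bug-Debian:` field, which would make the provenance easier to trace from `debian/patches/` alone.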
diff --git a/debian/patches/series b/debian/patches/series
index 8c262ab8..72d11dae 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
Remove-etc-sysconfig-firewalld-support.patch
Switch-to-python3.patch
+fix-policy-use-PK_ACTION_CONFIG-for-set-ZoneSettings2-Pol.patch