Blueman is vulnerable to remote code execution (RCE). On systems with the ISC DHCP client (dhclient), attackers can pass arguments to ip link via the interface name, which can, for example, be used to bring down an interface or add an arbitrary XDP/BPF program. On systems with dhcpcd and without the ISC DHCP client, attackers can even run arbitrary scripts by passing -c/path/to/script as an interface name.
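An added example, not Blueman's code or its fix: one way a privileged helper can refuse option-like or multi-word interface names before it builds a DHCP client command line. The function names, the allowlist pattern and the sample inputs are assumptions made for illustration.

```python
import re
import socket

# Assumed allowlist, stricter than the kernel's own naming rule: 1-15 characters,
# the first one alphanumeric, so a leading '-', whitespace and '/' never pass.
_IFNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.\-]{0,14}")


def is_safe_ifname(name):
    """True only for strings that cannot be read as an option or as several words."""
    return isinstance(name, str) and _IFNAME.fullmatch(name) is not None


def checked_ifname(name, known=None):
    """Return name if it is well-formed and present on this host, else raise ValueError."""
    if not is_safe_ifname(name):
        raise ValueError("rejected interface name: %r" % (name,))
    if known is None:
        # Ask the OS which interfaces exist instead of trusting the caller.
        known = [ifname for _, ifname in socket.if_nameindex()]
    if name not in known:
        raise ValueError("no such interface: %r" % (name,))
    return name


def dhcp_argv(client, name, known=None):
    """Build argv as a list (no shell involved) from a validated interface name."""
    return [client, checked_ifname(name, known)]


def audit(names, known):
    """Map each candidate name to 'ok' or to the reason it was refused."""
    result = {}
    for candidate in names:
        try:
            checked_ifname(candidate, known)
            result[candidate] = "ok"
        except ValueError as exc:
            result[candidate] = str(exc)
    return result


if __name__ == "__main__":
    # Constructed inputs: one real-looking PAN interface, the option-shaped value
    # quoted in the description, and a multi-word value.
    known = ["lo", "bnep0"]
    for name, verdict in audit(["bnep0", "-c/path/to/script", "bnep0 down"], known).items():
        print("%-22r %s" % (name, verdict))
```

Passing a fixed `known` list keeps the check reproducible; in a real helper the default lookup through `socket.if_nameindex()` ties the name to an interface that actually exists.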
packetstormsecurity.com/files/159740/Blueman-Local-Root-Privilege-Escalation.html
bugs.launchpad.net/ubuntu/+source/blueman/+bug/1897287
github.com/blueman-project/blueman/releases/tag/2.1.4
github.com/blueman-project/blueman/security/advisories/GHSA-jpc9-mgw6-2xwx
lists.debian.org/debian-lts-announce/2020/11/msg00005.html
lists.fedoraproject.org/archives/list/[email protected]/message/3F4EQU6CAPBKAPJ42HTB473NJLXFKB32/
lists.fedoraproject.org/archives/list/[email protected]/message/6CFLMNHAHX5HPIKC5IG6F25HO5Z6RH2N/
lists.fedoraproject.org/archives/list/[email protected]/message/W52NP7HRFTNAVNZLGKY4GR3JIZG5KKGS/
security.gentoo.org/glsa/202011-11
www.debian.org/security/2020/dsa-4781