Version in base suite: 2.3.1-1 Base version: firewalld_2.3.1-1 Target version: firewalld_2.3.1-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/firewalld/firewalld_2.3.1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/f/firewalld/firewalld_2.3.1-1+deb13u1.dsc changelog | 9 ++ gbp.conf | 2 patches/fix-policy-use-PK_ACTION_CONFIG-for-set-ZoneSettings2-Pol.patch | 34 ++++++++++ patches/series | 1 4 files changed, 45 insertions(+), 1 deletion(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp9yu7niot/firewalld_2.3.1-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp9yu7niot/firewalld_2.3.1-1+deb13u1.dsc: no acceptable signature found
diff -Nru firewalld-2.3.1/debian/changelog firewalld-2.3.1/debian/changelog
--- firewalld-2.3.1/debian/changelog 2025-07-26 16:52:44.000000000 +0000
+++ firewalld-2.3.1/debian/changelog 2026-05-03 23:08:28.000000000 +0000
@@ -1,3 +1,12 @@
+firewalld (2.3.1-1+deb13u1) trixie; urgency=medium
+
+ * fix(policy): use PK_ACTION_CONFIG for set{ZoneSettings2,PolicySettings}
+ This prevents local users from being able to modify runtime firewall state
+ without prior authentication if the desktop policy is active.
+ (CVE-2026-4948)
+
+ -- Michael Biebl Mon, 04 May 2026 01:08:28 +0200
+
 firewalld (2.3.1-1) unstable; urgency=medium
 * New upstream version 2.3.1
diff -Nru firewalld-2.3.1/debian/gbp.conf firewalld-2.3.1/debian/gbp.conf
--- firewalld-2.3.1/debian/gbp.conf 2025-07-26 16:52:44.000000000 +0000
+++ firewalld-2.3.1/debian/gbp.conf 2026-05-03 23:08:28.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
 pristine-tar = True
 patch-numbers = False
-debian-branch = debian/master
+debian-branch = debian/trixie
 upstream-branch = upstream/latest
diff -Nru firewalld-2.3.1/debian/patches/fix-policy-use-PK_ACTION_CONFIG-for-set-ZoneSettings2-Pol.patch firewalld-2.3.1/debian/patches/fix-policy-use-PK_ACTION_CONFIG-for-set-ZoneSettings2-Pol.patch
--- firewalld-2.3.1/debian/patches/fix-policy-use-PK_ACTION_CONFIG-for-set-ZoneSettings2-Pol.patch 1970-01-01 00:00:00.000000000 +0000
+++ firewalld-2.3.1/debian/patches/fix-policy-use-PK_ACTION_CONFIG-for-set-ZoneSettings2-Pol.patch 2026-05-03 23:08:28.000000000 +0000
@@ -0,0 +1,34 @@
+From: Sizhe Zhao
+Date: Tue, 31 Mar 2026 20:46:50 +0800
+Subject: fix(policy): use PK_ACTION_CONFIG for
+ set{ZoneSettings2,PolicySettings}
+
+Reference: https://access.redhat.com/security/cve/cve-2026-4948
+(cherry picked from commit 5fb3914ad830feff6cb2b0670457c60a323c6c6c)
+(cherry picked from commit 8cb2dedc0ec7e177c36d331c449f189c11a1d23d)
+---
+ src/firewall/server/firewalld.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
+index 6280252..9f969d8 100644
+--- a/src/firewall/server/firewalld.py
++++ b/src/firewall/server/firewalld.py
+@@ -938,7 +938,7 @@ class FirewallD(DbusServiceObject):
+ log.debug1("getZoneSettings2(%s)", zone)
+ return self.fw.zone.get_config_with_settings_dict(zone)
+
+- @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
++ @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG)
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature="sa{sv}")
+ @dbus_handle_exceptions
+ def setZoneSettings2(self, zone, settings, sender=None):
+@@ -965,7 +965,7 @@ class FirewallD(DbusServiceObject):
+ log.debug1("policy.getPolicySettings(%s)", policy)
+ return self.fw.policy.get_config_with_settings_dict(policy)
+
+- @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
++ @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG)
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_POLICY, in_signature="sa{sv}")
+ @dbus_handle_exceptions
+ def setPolicySettings(self, policy, settings, sender=None):
diff -Nru firewalld-2.3.1/debian/patches/series firewalld-2.3.1/debian/patches/series
--- firewalld-2.3.1/debian/patches/series 2025-07-26 16:52:44.000000000 +0000
+++ firewalld-2.3.1/debian/patches/series 2026-05-03 23:08:28.000000000 +0000
@@ -1,2 +1,3 @@
 Remove-etc-sysconfig-firewalld-support.patch
 Switch-to-python3.patch
+fix-policy-use-PK_ACTION_CONFIG-for-set-ZoneSettings2-Pol.patch
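Review bot: Nothing in the embedded patch keeps the weaker polkit action from being pasted onto a setter again: in both inner hunks (at 938 for `setZoneSettings2`, at 965 for `setPolicySettings`) the setter sits directly under a getter, which may be how `PK_ACTION_CONFIG_INFO` ended up on a mutating method. I would add a comment above each corrected decorator, `# Mutates firewall state: require PK_ACTION_CONFIG, never an *_INFO action.` The patch touches only `firewalld.py` (1 file changed) and adds no test, and the rest of the `FirewallD` class is outside these hunks, so the other mutating D-Bus methods should be audited for `*_INFO` decorators before CVE-2026-4948 is treated as fully closed. Both method bodies continue past the end of their hunks.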