On Sun, Jul 22, 2018 at 01:54:47PM +0200, Salvatore Bonaccorso wrote:
> Control: tags 904255 + patch
>
>
> Dear maintainer,
>
> I've prepared an NMU for network-manager-vpnc (versioned as
> 1.2.4-7.1). It is not yet uploaded (to any delayed queue, if you want
> to do the upload yourself).

And actually, if cherry-picking the patch it might be advisable to revert in the patch the "Use Unicode in translatable strings" change.

Regards,
Salvatore
From: Lubomir Rintel <lkund...@v3.sk> Date: Fri, 13 Jul 2018 18:51:04 +0200 Subject: service: disallow newlinies in configuration values (CVE-2018-10900) Origin: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4e361a27ef48ac757d36cbb46e8e12 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10900 Bug-Debian: https://bugs.debian.org/904255 Bug-SUSE: https://bugzilla.novell.com/show_bug.cgi?id=1101147 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1605919 The vpnc configuration format doesn't allow those. vpnc(8): The values start exactly one space after the keywords, and run to the end of line. This lets you put any kind of weird character (except CR, LF and NUL) in your strings We have no choice but to reject them. If we didn't it would allow the user to inject arbitrary configuration directives with potential security implications. https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc Reported by: Denis Andzakovic [carnil: Backport to 1.2.4: Revert the " Use Unicode in translatable strings" change which is not yet in 1.2.4] --- src/nm-vpnc-service.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/nm-vpnc-service.c b/src/nm-vpnc-service.c index 364ff7c..802f5ac 100644 --- a/src/nm-vpnc-service.c +++ b/src/nm-vpnc-service.c @@ -209,7 +209,14 @@ validate_one_property (const char *key, const char *value, gpointer user_data) break; /* technically valid, but unused */ case ITEM_TYPE_STRING: case ITEM_TYPE_SECRET: - break; /* valid */ + if (strchr (value, '\n') || strchr (value, '\r')) { + g_set_error (info->error, + NM_VPN_PLUGIN_ERROR, + NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS, + _("property '%s' contains a newline character"), + key); + } + break; case ITEM_TYPE_PATH: if ( !value || !strlen (value) -- 2.18.0
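Review bot: In the ITEM_TYPE_STRING / ITEM_TYPE_SECRET case, `strchr (value, '\n')` and `strchr (value, '\r')` dereference `value` with no NULL check, while the ITEM_TYPE_PATH case directly below tests `!value` before touching it. If `value` can be NULL on this path, the new check should read `value && (strchr (value, '\n') || strchr (value, '\r'))`; if it cannot, a short comment saying so would explain why the two cases differ. A smaller point on the same lines: the condition rejects both LF and CR, but the error text says only "contains a newline character", so a value refused for a bare `\r` gets a message that does not match what was found. The vpnc(8) excerpt in the commit message also lists NUL, which cannot occur inside a C string passed to `strchr`, so leaving it unchecked here is fine, though a comment noting that would make the check read as complete against the quoted rule.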