On Sun, Jul 22, 2018 at 01:54:47PM +0200, Salvatore Bonaccorso wrote:
> Control: tags 904255 + patch
> 
> 
> Dear maintainer,
> 
> I've prepared an NMU for network-manager-vpnc (versioned as
> 1.2.4-7.1). It is not yet uploaded (to any delayed queue, if you want
> to do the upload yourself).

And actually, if cherry-picking the patch it might be advisable to
revert in the patch the "Use Unicode in translatable strings" change.

Regards,
Salvatore

From: Lubomir Rintel <lkund...@v3.sk>
Date: Fri, 13 Jul 2018 18:51:04 +0200
Subject: service: disallow newlines in configuration values (CVE-2018-10900)
Origin: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4e361a27ef48ac757d36cbb46e8e12
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10900
Bug-Debian: https://bugs.debian.org/904255
Bug-SUSE: https://bugzilla.novell.com/show_bug.cgi?id=1101147
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1605919

The vpnc configuration format doesn't allow those. vpnc(8):

  The values start exactly one space after the keywords, and run to the end
  of line. This lets you put any kind of weird character (except CR, LF and
  NUL) in your strings

We have no choice but to reject them. If we didn't it would allow the
user to inject arbitrary configuration directives with potential
security implications.

https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc

Reported by: Denis Andzakovic
[carnil: Backport to 1.2.4: Revert the "Use Unicode in translatable strings"
change which is not yet in 1.2.4]
---
 src/nm-vpnc-service.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/nm-vpnc-service.c b/src/nm-vpnc-service.c
index 364ff7c..802f5ac 100644
--- a/src/nm-vpnc-service.c
+++ b/src/nm-vpnc-service.c
@@ -209,7 +209,14 @@ validate_one_property (const char *key, const char *value, gpointer user_data)
 		break; /* technically valid, but unused */
 	case ITEM_TYPE_STRING:
 	case ITEM_TYPE_SECRET:
-		break; /* valid */
+		if (strchr (value, '\n') || strchr (value, '\r')) {
+			g_set_error (info->error,
+			             NM_VPN_PLUGIN_ERROR,
+			             NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+			             _("property '%s' contains a newline character"),
+			             key);
+		}
+		break;
 	case ITEM_TYPE_PATH:
 		if (   !value
 		    || !strlen (value)
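Review bot: the new check in the ITEM_TYPE_STRING / ITEM_TYPE_SECRET case hands value straight to strchr(), while the ITEM_TYPE_PATH case directly below tests !value first, so a NULL value would be dereferenced here if one can reach this function. Guard it the same way, for example if (value && strpbrk (value, "\r\n")), which also folds the two scans into one. The vpnc(8) excerpt in the commit message excludes NUL as well; a C string cannot carry one, so a one-line comment saying that CR and LF are the only cases left to check would help the next reader.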
-- 
2.18.0
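
The line-oriented format quoted from vpnc(8) in the commit message, and the effect of the check, as an added example (not code from NetworkManager-vpnc or from this patch). The key names, the values and every function name below are constructed for illustration, and the line counter treats CR or LF as a line end as a simplification.

```c
#include <stdio.h>
#include <string.h>

/* Render one item as "keyword value\n": the value starts one space after
 * the keyword and runs to the end of the line. Returns -1 if it won't fit. */
static int render_item(char *out, size_t cap, const char *key, const char *value)
{
    int n = snprintf(out, cap, "%s %s\n", key, value);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Count the non-empty lines, i.e. the directives a line-oriented reader
 * would see in the rendered text. */
static int count_directives(const char *text)
{
    int lines = 0;
    while (*text) {
        size_t len = strcspn(text, "\r\n");
        if (len > 0)
            lines++;
        text += len;
        text += strspn(text, "\r\n");
    }
    return lines;
}

/* Same rule as the patch, plus a NULL guard: no CR or LF inside a value. */
static int value_is_single_line(const char *value)
{
    return value != NULL && strpbrk(value, "\r\n") == NULL;
}

/* Validate, then render. Returns the directive count, or -1 on rejection. */
static int write_checked(char *out, size_t cap, const char *key, const char *value)
{
    if (!value_is_single_line(value) || render_item(out, cap, key, value) < 0)
        return -1;
    return count_directives(out);
}

int main(void)
{
    char buf[128];
    const char *bad = "alice\nExample-Directive injected"; /* constructed input */

    render_item(buf, sizeof buf, "Example-User", bad);
    printf("unchecked: %d directives\n", count_directives(buf));
    printf("checked:   %d\n", write_checked(buf, sizeof buf, "Example-User", bad));
    printf("benign:    %d\n", write_checked(buf, sizeof buf, "Example-User", "alice"));
    return 0;
}
```

Without the check, one stored value becomes two directives in the rendered file; with it, the value is refused before anything is written.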
