Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package network-manager.

It cherry-picks an upstream commit to fix #986809 / CVE-2021-20297.

Full debdiff attached.

Regards,
Michael

unblock network-manager/1.30.0-2
diff --git a/debian/changelog b/debian/changelog index 44ae3264f7..3431459d47 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +network-manager (1.30.0-2) unstable; urgency=medium + + * core: fix crash in nm_wildcard_match_check() + (CVE-2021-20297, Closes: #986809) + + -- Michael Biebl <bi...@debian.org> Mon, 12 Apr 2021 21:15:36 +0200 + network-manager (1.30.0-1) unstable; urgency=medium * New upstream version 1.30.0 diff --git a/debian/control b/debian/control index 06146cd204..d95f09bd03 100644 --- a/debian/control +++ b/debian/control @@ -65,7 +65,7 @@ Breaks: ${misc:Breaks} Description: network management framework (daemon and userspace tools) NetworkManager is a system network service that manages your network devices and connections, attempting to keep active network connectivity when - available. It manages ethernet, WiFi, mobile broadband (WWAN), and PPPoE + available. It manages ethernet, Wi-Fi, mobile broadband (WWAN), and PPPoE devices, and provides VPN integration with a variety of different VPN services. . @@ -100,7 +100,7 @@ Depends: ${shlibs:Depends}, Description: GObject-based client library for NetworkManager NetworkManager is a system network service that manages your network devices and connections, attempting to keep active network connectivity when - available. It manages ethernet, WiFi, mobile broadband (WWAN), and PPPoE + available. It manages ethernet, Wi-Fi, mobile broadband (WWAN), and PPPoE devices, and provides VPN integration with a variety of different VPN services. . 
@@ -118,7 +118,7 @@ Depends: ${misc:Depends}, Description: GObject-based client library for NetworkManager (development files) NetworkManager is a system network service that manages your network devices and connections, attempting to keep active network connectivity when - available. It manages ethernet, WiFi, mobile broadband (WWAN), and PPPoE + available. It manages ethernet, Wi-Fi, mobile broadband (WWAN), and PPPoE devices, and provides VPN integration with a variety of different VPN services. . @@ -136,7 +136,7 @@ Replaces: gir1.2-networkmanager-1.0 (<< 1.8.0-2) Description: GObject introspection data for the libnm library NetworkManager is a system network service that manages your network devices and connections, attempting to keep active network connectivity when - available. It manages ethernet, WiFi, mobile broadband (WWAN), and PPPoE + available. It manages ethernet, Wi-Fi, mobile broadband (WWAN), and PPPoE devices, and provides VPN integration with a variety of different VPN services. . diff --git a/debian/patches/core-fix-crash-in-nm_wildcard_match_check.patch b/debian/patches/core-fix-crash-in-nm_wildcard_match_check.patch new file mode 100644 index 0000000000..02d4484dd0 --- /dev/null +++ b/debian/patches/core-fix-crash-in-nm_wildcard_match_check.patch 
@@ -0,0 +1,74 @@ +From: Thomas Haller <thal...@redhat.com> +Date: Wed, 24 Mar 2021 21:05:19 +0100 +Subject: core: fix crash in nm_wildcard_match_check() + +It's not entirely clear how to treat %NULL. +Clearly "match.interface-name=eth0" should not +match with an interface %NULL. But what about +"match.interface-name=!eth0"? It's now implemented +that negative matches still succeed against %NULL. +What about "match.interface-name=*"? That probably +should also match with %NULL. So we treat %NULL really +like "". + +Against commit 11cd443448bc ('iwd: Don't call IWD methods when device +unmanaged'), we got this backtrace: + + #0 0x00007f1c164069f1 in __strnlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:62 + #1 0x00007f1c1637ac9e in __fnmatch (pattern=<optimized out>, string=<optimized out>, string@entry=0x0, flags=flags@entry=0) at fnmatch.c:379 + p = 0x0 + res = <optimized out> + orig_pattern = <optimized out> + n = <optimized out> + wpattern = 0x7fff8d860730 L"pci-0000:03:00.0" + ps = {__count = 0, __value = {__wch = 0, __wchb = "\000\000\000"}} + wpattern_malloc = 0x0 + wstring_malloc = 0x0 + wstring = <optimized out> + alloca_used = 80 + __PRETTY_FUNCTION__ = "__fnmatch" + #2 0x0000564484a978bf in nm_wildcard_match_check (str=0x0, patterns=<optimized out>, num_patterns=<optimized out>) at src/core/nm-core-utils.c:1959 + is_inverted = 0 + is_mandatory = 0 + match = <optimized out> + p = 0x564486c43fa0 "pci-0000:03:00.0" + has_optional = 0 + has_any_optional = 0 + i = <optimized out> + #3 0x0000564484bf4797 in check_connection_compatible (self=<optimized out>, connection=<optimized out>, error=0x0) at src/core/devices/nm-device.c:7499 + patterns = <optimized out> + device_driver = 0x564486c76bd0 "veth" + num_patterns = 1 + priv = 0x564486cbe0b0 + __func__ = "check_connection_compatible" + device_iface = <optimized out> + local = 0x564486c99a60 + conn_iface = 0x0 + klass = <optimized out> + s_match = 0x564486c63df0 [NMSettingMatch] + #4 0x0000564484c38491 
in check_connection_compatible (device=0x564486cbe590 [NMDeviceVeth], connection=0x564486c6b160, error=0x0) at src/core/devices/nm-device-ethernet.c:348 + self = 0x564486cbe590 [NMDeviceVeth] + s_wired = <optimized out> + +Fixes: 3ced486f4162 ('libnm/match: extend syntax for match patterns with '|', '&', '!' and '\\'') + +https://bugzilla.redhat.com/show_bug.cgi?id=1942741 +(cherry picked from commit 420784e342da4883f6debdfe10cde68507b10d27) +--- + src/core/nm-core-utils.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/core/nm-core-utils.c b/src/core/nm-core-utils.c +index 9075c30..eed8cd7 100644 +--- a/src/core/nm-core-utils.c ++++ b/src/core/nm-core-utils.c +@@ -1956,7 +1956,8 @@ nm_wildcard_match_check(const char *str, const char *const *patterns, guint num_ + + _pattern_parse(patterns[i], &p, &is_inverted, &is_mandatory); + +- match = (fnmatch(p, str, 0) == 0); ++ match = (fnmatch(p, str ?: "", 0) == 0); ++ + if (is_inverted) + match = !match; + diff --git a/debian/patches/series b/debian/patches/series index a2d7e06dbd..b31950d2cb 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ Force-online-state-with-unmanaged-devices.patch +core-fix-crash-in-nm_wildcard_match_check.patch
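Review bot: the four debian/control hunks (the "WiFi" to "Wi-Fi" wording change in the package descriptions) are unrelated to the CVE fix and are not recorded in the 1.30.0-2 changelog entry, which lists only "core: fix crash in nm_wildcard_match_check()". For a freeze-time unblock the debdiff should be limited to the targeted fix; if the description change is to stay, add a changelog line for it so the release team can see the full scope of the upload.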
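Review bot: the new debian/patches/core-fix-crash-in-nm_wildcard_match_check.patch header carries the Red Hat bugzilla URL and the "cherry picked from commit 420784e342da4883f6debdfe10cde68507b10d27" trailer but no DEP-3 "Origin:" or "Bug-Debian:" field, so the link to #986809 / CVE-2021-20297 exists only in the changelog. Adding `Origin: upstream, https://...` style fields (for example `Bug-Debian: https://bugs.debian.org/986809`) to the header would make the patch self-describing when it is later reviewed outside this upload. The code change itself, replacing `fnmatch(p, str, 0)` with `fnmatch(p, str ?: "", 0)`, is consistent with the commit message's decision to treat %NULL like ""; note the hunk also adds a stray blank line after the assignment, which is harmless but not needed for the fix.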
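The commit message above settles how a %NULL interface name should behave against "eth0", "!eth0" and "*" by treating %NULL as "". The following C program is an added example, not NetworkManager code and not part of the unblock request: it puts a minimal "before" loop (NULL handed straight to fnmatch(), which is the crash path in the backtrace) beside the "after" loop with the fix applied, and checks the three cases from the commit message. The helper `parse_pattern()` is a hypothetical stand-in that only handles the leading `!` inversion; NM's real `_pattern_parse()` with its `|`, `&` and `\\` syntax and the mandatory/optional pattern logic is not reproduced, and the simplified semantics here are "true when any pattern matches".

```c
#include <fnmatch.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified parser (not NM's _pattern_parse()):
 * a leading '!' inverts the match, nothing else is special. */
static const char *
parse_pattern(const char *pattern, bool *is_inverted)
{
    *is_inverted = (pattern[0] == '!');
    return *is_inverted ? pattern + 1 : pattern;
}

/* "Before": str goes to fnmatch() unchanged. fnmatch() does not check for
 * NULL, so a NULL str dereferences a null pointer inside glibc, which is the
 * __strnlen_avx2 frame in the backtrace. Kept only for comparison; it must
 * never be called with str == NULL. */
bool
wildcard_match_unsafe(const char *str, const char *const *patterns, size_t num_patterns)
{
    for (size_t i = 0; i < num_patterns; i++) {
        bool is_inverted;
        const char *p = parse_pattern(patterns[i], &is_inverted);
        bool match = (fnmatch(p, str, 0) == 0);
        if (is_inverted)
            match = !match;
        if (match)
            return true;
    }
    return false;
}

/* "After": NULL is treated like "", the behaviour the upstream commit chose.
 * Normalising once before the loop is equivalent to the per-iteration
 * `str ?: ""` in the patch without relying on the GNU ?: extension. */
bool
wildcard_match_safe(const char *str, const char *const *patterns, size_t num_patterns)
{
    if (str == NULL)
        str = "";
    for (size_t i = 0; i < num_patterns; i++) {
        bool is_inverted;
        const char *p = parse_pattern(patterns[i], &is_inverted);
        bool match = (fnmatch(p, str, 0) == 0);
        if (is_inverted)
            match = !match;
        if (match)
            return true;
    }
    return false;
}

/* Single-pattern convenience wrapper around the fixed variant. */
bool
match_one(const char *str, const char *pattern)
{
    const char *const patterns[] = { pattern };
    return wildcard_match_safe(str, patterns, 1);
}

int
main(void)
{
    /* The three cases discussed in the commit message, with a NULL name. */
    printf("NULL  vs 'eth0'  -> %d (expected 0)\n", match_one(NULL, "eth0"));
    printf("NULL  vs '!eth0' -> %d (expected 1)\n", match_one(NULL, "!eth0"));
    printf("NULL  vs '*'     -> %d (expected 1)\n", match_one(NULL, "*"));
    /* Ordinary non-NULL input behaves the same in both variants. */
    printf("veth0 vs 'veth*' -> %d (expected 1)\n", match_one("veth0", "veth*"));
    return 0;
}
```

Running it with a real driver string such as "veth" or a device id like "pci-0000:03:00.0" gives the same answer from both functions; only the NULL case separates them, and in the unsafe variant that case is a segfault rather than a wrong answer, which is why the crash was reachable from `check_connection_compatible()` when `conn_iface` was NULL.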