Control: tags 904255 + patch

Dear maintainer,

I've prepared an NMU for network-manager-vpnc (versioned as
1.2.4-7.1). It is not yet uploaded (to any delayed queue, if you want
to do the upload yourself).

Regards,
Salvatore
diff -Nru network-manager-vpnc-1.2.4/debian/changelog network-manager-vpnc-1.2.4/debian/changelog
--- network-manager-vpnc-1.2.4/debian/changelog	2018-04-08 16:51:44.000000000 +0200
+++ network-manager-vpnc-1.2.4/debian/changelog	2018-07-22 13:17:19.000000000 +0200
@@ -1,3 +1,11 @@
+network-manager-vpnc (1.2.4-7.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * service: disallow newlinies in configuration values (CVE-2018-10900)
+    (Closes: #904255)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 22 Jul 2018 13:17:19 +0200
+
 network-manager-vpnc (1.2.4-7) unstable; urgency=medium
 
   * Set Rules-Requires-Root to no
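
Review bot: the new changelog entry spells "newlinies" in the "* service:" line. That mirrors the upstream commit subject quoted in the patch header, but the changelog is the package's own text, so "newlines" would read better there; the patch file name can keep the upstream spelling.
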
diff -Nru network-manager-vpnc-1.2.4/debian/patches/series network-manager-vpnc-1.2.4/debian/patches/series
--- network-manager-vpnc-1.2.4/debian/patches/series	2018-04-08 16:51:44.000000000 +0200
+++ network-manager-vpnc-1.2.4/debian/patches/series	2018-07-22 13:17:19.000000000 +0200
@@ -1 +1,2 @@
 # Debian patches for network-manager-vpnc
+service-disallow-newlinies-in-configuration-values-C.patch
diff -Nru network-manager-vpnc-1.2.4/debian/patches/service-disallow-newlinies-in-configuration-values-C.patch network-manager-vpnc-1.2.4/debian/patches/service-disallow-newlinies-in-configuration-values-C.patch
--- network-manager-vpnc-1.2.4/debian/patches/service-disallow-newlinies-in-configuration-values-C.patch	1970-01-01 01:00:00.000000000 +0100
+++ network-manager-vpnc-1.2.4/debian/patches/service-disallow-newlinies-in-configuration-values-C.patch	2018-07-22 13:17:19.000000000 +0200
@@ -0,0 +1,49 @@
+From: Lubomir Rintel <lkund...@v3.sk>
+Date: Fri, 13 Jul 2018 18:51:04 +0200
+Subject: service: disallow newlinies in configuration values (CVE-2018-10900)
+Origin: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4e361a27ef48ac757d36cbb46e8e12
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10900
+Bug-Debian: https://bugs.debian.org/904255
+Bug-SUSE: https://bugzilla.novell.com/show_bug.cgi?id=1101147
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1605919
+
+The vpnc configuration format doesn't allow those. vpnc(8):
+
+  The values start exactly one space after the keywords, and run to the end
+  of line. This lets you put any kind of weird character (except CR, LF and
+  NUL) in your strings
+
+We have no choice but to reject them. If we didn't it would allow the
+user to inject arbitrary configuration directives with potential
+security implications.
+
+https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
+
+Reported by: Denis Andzakovic
+---
+ src/nm-vpnc-service.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/nm-vpnc-service.c b/src/nm-vpnc-service.c
+index 364ff7c..802f5ac 100644
+--- a/src/nm-vpnc-service.c
++++ b/src/nm-vpnc-service.c
+@@ -209,7 +209,14 @@ validate_one_property (const char *key, const char *value, gpointer user_data)
+ 		break; /* technically valid, but unused */
+ 	case ITEM_TYPE_STRING:
+ 	case ITEM_TYPE_SECRET:
+-		break; /* valid */
++		if (strchr (value, '\n') || strchr (value, '\r')) {
++			g_set_error (info->error,
++			             NM_VPN_PLUGIN_ERROR,
++			             NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
++			             _("property ???%s??? contains a newline character"),
++			             key);
++		}
++		break;
+ 	case ITEM_TYPE_PATH:
+ 		if (   !value
+ 		    || !strlen (value)
+-- 
+2.18.0
+
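
Review bot: in the ITEM_TYPE_STRING / ITEM_TYPE_SECRET case of validate_one_property, strchr() is called on value with no NULL check, while the ITEM_TYPE_PATH case directly below guards with "!value". If value can be NULL for string or secret items, the new check dereferences it; "if (value && (strchr (value, '\n') || strchr (value, '\r')))" would match the guard used for paths. The CR and LF tests cover the characters the quoted vpnc(8) text excludes (NUL cannot appear inside a C string), so the check itself is complete. Separately, the error string reads "property ???%s??? contains a newline character" in this copy, which looks like non-ASCII quote characters lost in transit; please confirm the file under debian/patches carries the original bytes from the upstream commit.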
