network-manager-vpnc (1.2.4-4+deb9u1) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* service: disallow newlinies in configuration values (CVE-2018-10900)
(Closes: #904255)
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 22 Jul 2018 14:23:44 +0200
network-manager-vpnc (1.2.4-4) unstable; urgency=medium
* Update Vcs-* according to the latest recommendation
......
[DEFAULT]
pristine-tar = True
patch-numbers = False
debian-branch = master
debian-branch = stretch
# Debian patches for network-manager-vpnc
service-disallow-newlinies-in-configuration-values-C.patch
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Fri, 13 Jul 2018 18:51:04 +0200
Subject: service: disallow newlinies in configuration values (CVE-2018-10900)
Origin: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4e361a27ef48ac757d36cbb46e8e12
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10900
Bug-Debian: https://bugs.debian.org/904255
Bug-SUSE: https://bugzilla.novell.com/show_bug.cgi?id=1101147
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1605919
The vpnc configuration format doesn't allow those. vpnc(8):
The values start exactly one space after the keywords, and run to the end
of line. This lets you put any kind of weird character (except CR, LF and
NUL) in your strings
We have no choice but to reject them. If we didn't it would allow the
user to inject arbitrary configuration directives with potential
security implications.
https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
Reported by: Denis Andzakovic
[carnil: Backport to 1.2.4: Revert the "Use Unicode in translatable strings"
change which is not yet in 1.2.4]
---
src/nm-vpnc-service.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/nm-vpnc-service.c b/src/nm-vpnc-service.c
index 364ff7c..802f5ac 100644
--- a/src/nm-vpnc-service.c
+++ b/src/nm-vpnc-service.c
@@ -209,7 +209,14 @@ validate_one_property (const char *key, const char *value, gpointer user_data)
break; /* technically valid, but unused */
case ITEM_TYPE_STRING:
case ITEM_TYPE_SECRET:
- break; /* valid */
+ if (strchr (value, '\n') || strchr (value, '\r')) {
+ g_set_error (info->error,
+ NM_VPN_PLUGIN_ERROR,
+ NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+ _("property '%s' contains a newline character"),
+ key);
+ }
+ break;
case ITEM_TYPE_PATH:
if ( !value
|| !strlen (value)
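Review bot: In the ITEM_TYPE_STRING / ITEM_TYPE_SECRET case, strchr (value, '\n') is called on value without a NULL check, while the ITEM_TYPE_PATH case directly below begins with !value. If value can reach this switch as NULL, the new test dereferences it, so either guard it with value && or confirm that an earlier check in validate_one_property rules that out. The two strchr calls could also be folded into one strpbrk (value, "\r\n"), and a short comment citing the vpnc(8) end-of-line rule would explain why CR and LF are the characters tested.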
--
2.18.0
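The format constraint quoted from vpnc(8) in the commit message, as an added example that is not NetworkManager-vpnc code: one property written as a `keyword value` line becomes two directives for a line-oriented reader when the value carries a newline, and a CR/LF check rejects it first. All function names and sample values are constructed for illustration.

```c
/* Added example, not NetworkManager-vpnc code; names and values are constructed. */
#include <stdio.h>
#include <string.h>

/* Same rule as the patch: a vpnc value runs to end of line, so CR/LF cannot appear in it. */
static int value_is_safe(const char *value)
{
    return value != NULL && strpbrk(value, "\r\n") == NULL;
}

/* Append "keyword value\n" to out; -1 if rejected or out is too small. */
static int emit_directive(char *out, size_t outsz, const char *key,
                          const char *value, int validate)
{
    size_t used = strlen(out);
    if (validate && !value_is_safe(value))
        return -1;
    int n = snprintf(out + used, outsz - used, "%s %s\n", key, value);
    return (n < 0 || (size_t)n >= outsz - used) ? -1 : 0;
}

/* Count non-empty lines, i.e. directives as a line-oriented reader sees them. */
static int count_directives(const char *cfg)
{
    int lines = 0;
    for (const char *p = cfg; *p; ) {
        size_t len = strcspn(p, "\r\n");
        if (len > 0)
            lines++;
        p += len + strspn(p + len, "\r\n");
    }
    return lines;
}

/* Directives produced from ONE property, or -1 if it was rejected. */
static int directives_from_one_property(const char *value, int validate)
{
    char cfg[256] = "";
    if (emit_directive(cfg, sizeof cfg, "Xauth username", value, validate) != 0)
        return -1;
    return count_directives(cfg);
}

int main(void)
{
    const char *bad = "alice\nExample-Keyword constructed"; /* constructed value */
    printf("unvalidated: %d\n", directives_from_one_property(bad, 0));
    printf("validated:   %d\n", directives_from_one_property(bad, 1));
    printf("benign:      %d\n", directives_from_one_property("alice", 1));
    return 0;
}
```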