
Re: Jessie update of network-manager-vpnc?



Hi Michael,

On Sat 21 Jul 2018 01:22:50 CEST, Michael Biebl wrote:

On 21.07.2018 at 00:13, Mike Gabriel wrote:
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are
currently open in the Jessie version of network-manager-vpnc:
https://security-tracker.debian.org/tracker/CVE-2018-10900

Would you like to take care of this yourself?

Since I no longer have a jessie system to build and test the package, I
would appreciate if you could take care of it.

Regards,
Michael

Attached is the .debdiff I just uploaded to jessie-security (aka LTS). If you spot anything that might need a regression fix upload or such, please let me know.

Mike


--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

diff -Nru network-manager-vpnc-0.9.10.0/debian/changelog network-manager-vpnc-0.9.10.0/debian/changelog
--- network-manager-vpnc-0.9.10.0/debian/changelog	2014-07-10 07:51:29.000000000 +0200
+++ network-manager-vpnc-0.9.10.0/debian/changelog	2018-07-31 12:44:09.000000000 +0200
@@ -1,3 +1,16 @@
+network-manager-vpnc (0.9.10.0-1+deb8u1) jessie-security; urgency=medium
+
+  * Debian LTS Team Upload
+
+  * debian/patches:
+    + Add service-don-t-print-passwords-to-logging-output.patch. Ease
+      application of the following patch, hide passwords in log output.
+    + Add service-disallow-newlinies-in-configuration-values-C.patch.
+      Disallow newlinies in configuration values. (Resolves CVE-2018-10900).
+      (Closes: #904255).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Tue, 31 Jul 2018 12:44:09 +0200
+
 network-manager-vpnc (0.9.10.0-1) unstable; urgency=medium
 
   * New upstream release.
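
Review bot: The descriptive sentence "Disallow newlinies in configuration values." in the new changelog entry carries over the misspelling from the upstream subject line. The patch file name has to stay as it is so that it matches debian/patches/series, but the sentence itself could read "newlines". The first bullet's "Ease application of the following patch" would also be clearer if it named what the CVE fix needs from it, namely ITEM_TYPE_SECRET, which appears in that patch's context lines.
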
diff -Nru network-manager-vpnc-0.9.10.0/debian/patches/series network-manager-vpnc-0.9.10.0/debian/patches/series
--- network-manager-vpnc-0.9.10.0/debian/patches/series	2014-07-10 07:51:29.000000000 +0200
+++ network-manager-vpnc-0.9.10.0/debian/patches/series	2018-07-31 12:32:27.000000000 +0200
@@ -1 +1,3 @@
 # Debian patches for network-manager-vpnc
+service-don-t-print-passwords-to-logging-output.patch
+service-disallow-newlinies-in-configuration-values-C.patch
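
Review bot: The order of the two added entries is load-bearing and nothing in the file says so. service-disallow-newlinies-in-configuration-values-C.patch has "case ITEM_TYPE_SECRET:" as a context line, and that label only exists once service-don-t-print-passwords-to-logging-output.patch has been applied. A one-line comment above the two entries stating the dependency would keep a later reorder or drop from breaking the series.
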
diff -Nru network-manager-vpnc-0.9.10.0/debian/patches/service-disallow-newlinies-in-configuration-values-C.patch network-manager-vpnc-0.9.10.0/debian/patches/service-disallow-newlinies-in-configuration-values-C.patch
--- network-manager-vpnc-0.9.10.0/debian/patches/service-disallow-newlinies-in-configuration-values-C.patch	1970-01-01 01:00:00.000000000 +0100
+++ network-manager-vpnc-0.9.10.0/debian/patches/service-disallow-newlinies-in-configuration-values-C.patch	2018-07-31 12:36:09.000000000 +0200
@@ -0,0 +1,46 @@
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Fri, 13 Jul 2018 18:51:04 +0200
+Subject: service: disallow newlinies in configuration values (CVE-2018-10900)
+Origin: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4e361a27ef48ac757d36cbb46e8e12
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10900
+Bug-Debian: https://bugs.debian.org/904255
+Bug-SUSE: https://bugzilla.novell.com/show_bug.cgi?id=1101147
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1605919
+
+The vpnc configuration format doesn't allow those. vpnc(8):
+
+  The values start exactly one space after the keywords, and run to the end
+  of line. This lets you put any kind of weird character (except CR, LF and
+  NUL) in your strings
+
+We have no choice but to reject them. If we didn't it would allow the
+user to inject arbitrary configuration directives with potential
+security implications.
+
+https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
+
+Reported by: Denis Andzakovic
+[carnil: Backport to 1.2.4: Revert the "Use Unicode in translatable strings"
+change which is not yet in 1.2.4]
+---
+ src/nm-vpnc-service.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/src/nm-vpnc-service.c
++++ b/src/nm-vpnc-service.c
+@@ -164,7 +164,14 @@
+ 		break; /* technically valid, but unused */
+ 	case ITEM_TYPE_STRING:
+ 	case ITEM_TYPE_SECRET:
+-		break; /* valid */
++		if (strchr (value, '\n') || strchr (value, '\r')) {
++			g_set_error (info->error,
++			             NM_VPN_PLUGIN_ERROR,
++			             NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
++			             _("property '%s' contains a newline character"),
++			             key);
++		}
++		break;
+ 	case ITEM_TYPE_PATH:
+ 		if (   !value
+ 		    || !strlen (value)
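
Review bot: The new check in the ITEM_TYPE_STRING / ITEM_TYPE_SECRET case calls strchr (value, '\n') without first testing value, while the ITEM_TYPE_PATH case directly below guards with "!value" before touching the string. If value can be NULL for a path it can presumably be NULL here too, so the condition should start with "value &&" or the case should reject NULL explicitly. Separately, the patch header still carries the "[carnil: Backport to 1.2.4 ...]" remark although it is being applied to 0.9.10.0; the other patch in this upload notes that it was rebased against 0.9.10.0, and this header should say the same so the provenance is accurate.
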
diff -Nru network-manager-vpnc-0.9.10.0/debian/patches/service-don-t-print-passwords-to-logging-output.patch network-manager-vpnc-0.9.10.0/debian/patches/service-don-t-print-passwords-to-logging-output.patch
--- network-manager-vpnc-0.9.10.0/debian/patches/service-don-t-print-passwords-to-logging-output.patch	1970-01-01 01:00:00.000000000 +0100
+++ network-manager-vpnc-0.9.10.0/debian/patches/service-don-t-print-passwords-to-logging-output.patch	2018-07-31 12:44:09.000000000 +0200
@@ -0,0 +1,72 @@
+From 796628f56ab616371156464f4973c8368b388337 Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Wed, 25 May 2016 08:41:25 +0200
+Subject: [PATCH] service: don't print passwords to logging output
+
+---
+ src/nm-vpnc-service.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+ Rebased against 0.9.10.0 by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>.
+
+--- a/src/nm-vpnc-service.c
++++ b/src/nm-vpnc-service.c
+@@ -70,6 +70,7 @@
+ 	ITEM_TYPE_UNKNOWN = 0,
+ 	ITEM_TYPE_IGNORED,
+ 	ITEM_TYPE_STRING,
++	ITEM_TYPE_SECRET,
+ 	ITEM_TYPE_BOOLEAN,
+ 	ITEM_TYPE_INT,
+ 	ITEM_TYPE_PATH
+@@ -113,8 +114,8 @@
+ };
+ 
+ static ValidProperty valid_secrets[] = {
+-	{ NM_VPNC_KEY_SECRET,                ITEM_TYPE_STRING, 0, 0 },
+-	{ NM_VPNC_KEY_XAUTH_PASSWORD,        ITEM_TYPE_STRING, 0, 0 },
++	{ NM_VPNC_KEY_SECRET,                ITEM_TYPE_SECRET, 0, 0 },
++	{ NM_VPNC_KEY_XAUTH_PASSWORD,        ITEM_TYPE_SECRET, 0, 0 },
+ 	{ NULL,                              ITEM_TYPE_UNKNOWN, 0, 0 }
+ };
+ 
+@@ -162,6 +163,7 @@
+ 	case ITEM_TYPE_IGNORED:
+ 		break; /* technically valid, but unused */
+ 	case ITEM_TYPE_STRING:
++	case ITEM_TYPE_SECRET:
+ 		break; /* valid */
+ 	case ITEM_TYPE_PATH:
+ 		if (   !value
+@@ -371,6 +373,22 @@
+ 	va_end (args);
+ }
+ 
++static void
++write_config_option_secret (int fd, const char *key, const char *value)
++{
++	char *string = NULL;
++	int x;
++
++	string = g_strdup_printf ("%s %s\n", key, value);
++
++	x = write (fd, string, strlen (string));
++	if (x < 0)
++		g_warning ("Unexpected error in write(): %d", errno);
++
++	if (debug)
++		g_print ("Config: %s <hidden>", key);
++}
++
+ typedef struct {
+ 	int fd;
+ 	GError *error;
+@@ -427,6 +445,8 @@
+ 
+ 	if (type == ITEM_TYPE_STRING || type == ITEM_TYPE_PATH)
+ 		write_config_option (info->fd, "%s %s\n", (char *) key, (char *) value);
++	else if (type == ITEM_TYPE_SECRET)
++		write_config_option_secret (info->fd, key, value);
+ 	else if (type == ITEM_TYPE_BOOLEAN) {
+ 		if (!strcmp (value, "yes"))
+ 			write_config_option (info->fd, "%s\n", (char *) key);
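
Review bot: In write_config_option_secret the buffer returned by g_strdup_printf is never released; the function ends after the debug g_print with no g_free (string). Since that buffer holds the secret in clear text, it should be wiped and freed once write() returns rather than left on the heap. Two smaller points in the same function: the return of write() is only checked for x < 0, so a short write of the secret line would go unnoticed, and the debug message "Config: %s <hidden>" has no trailing newline, so consecutive debug lines will run together.
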

Attachment: pgpeF1PfsHP3a.pgp
Description: Digital PGP signature

