Hi Michael,

On Sat 21 Jul 2018 01:22:50 CEST, Michael Biebl wrote:
> On 21.07.2018 at 00:13, Mike Gabriel wrote:
>> Dear maintainer(s),
>>
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Jessie version of network-manager-vpnc:
>> https://security-tracker.debian.org/tracker/CVE-2018-10900
>>
>> Would you like to take care of this yourself?
>
> Since I no longer have a jessie system to build and test the package, I
> would appreciate if you could take care of it.
>
> Regards,
> Michael
Attached is the .debdiff I just uploaded to jessie-security (aka LTS). If you spot anything that might need a regression fix upload or such, please let me know.
Mike
-- 
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net
diff -Nru network-manager-vpnc-0.9.10.0/debian/changelog network-manager-vpnc-0.9.10.0/debian/changelog --- network-manager-vpnc-0.9.10.0/debian/changelog 2014-07-10 07:51:29.000000000 +0200 +++ network-manager-vpnc-0.9.10.0/debian/changelog 2018-07-31 12:44:09.000000000 +0200 @@ -1,3 +1,16 @@ +network-manager-vpnc (0.9.10.0-1+deb8u1) jessie-security; urgency=medium + + * Debian LTS Team Upload + + * debian/patches: + + Add service-don-t-print-passwords-to-logging-output.patch. Ease + application of the following patch, hide passwords in log output. + + Add service-disallow-newlinies-in-configuration-values-C.patch. + Disallow newlinies in configuration values. (Resolves CVE-2018-10900). + (Closes: #904255). + + -- Mike Gabriel <sunweaver@debian.org> Tue, 31 Jul 2018 12:44:09 +0200 + network-manager-vpnc (0.9.10.0-1) unstable; urgency=medium * New upstream release. diff -Nru network-manager-vpnc-0.9.10.0/debian/patches/series network-manager-vpnc-0.9.10.0/debian/patches/series --- network-manager-vpnc-0.9.10.0/debian/patches/series 2014-07-10 07:51:29.000000000 +0200 +++ network-manager-vpnc-0.9.10.0/debian/patches/series 2018-07-31 12:32:27.000000000 +0200 @@ -1 +1,3 @@ # Debian patches for network-manager-vpnc +service-don-t-print-passwords-to-logging-output.patch +service-disallow-newlinies-in-configuration-values-C.patch diff -Nru network-manager-vpnc-0.9.10.0/debian/patches/service-disallow-newlinies-in-configuration-values-C.patch network-manager-vpnc-0.9.10.0/debian/patches/service-disallow-newlinies-in-configuration-values-C.patch --- network-manager-vpnc-0.9.10.0/debian/patches/service-disallow-newlinies-in-configuration-values-C.patch 1970-01-01 01:00:00.000000000 +0100 +++ network-manager-vpnc-0.9.10.0/debian/patches/service-disallow-newlinies-in-configuration-values-C.patch 2018-07-31 12:36:09.000000000 +0200 
@@ -0,0 +1,46 @@ +From: Lubomir Rintel <lkundrak@v3.sk> +Date: Fri, 13 Jul 2018 18:51:04 +0200 +Subject: service: disallow newlinies in configuration values (CVE-2018-10900) +Origin: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4e361a27ef48ac757d36cbb46e8e12 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10900 +Bug-Debian: https://bugs.debian.org/904255 +Bug-SUSE: https://bugzilla.novell.com/show_bug.cgi?id=1101147 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1605919 + +The vpnc configuration format doesn't allow those. vpnc(8): + + The values start exactly one space after the keywords, and run to the end + of line. This lets you put any kind of weird character (except CR, LF and + NUL) in your strings + +We have no choice but to reject them. If we didn't it would allow the +user to inject arbitrary configuration directives with potential +security implications. + +https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc + +Reported by: Denis Andzakovic +[carnil: Backport to 1.2.4: Revert the "Use Unicode in translatable strings" +change which is not yet in 1.2.4] +--- + src/nm-vpnc-service.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/src/nm-vpnc-service.c ++++ b/src/nm-vpnc-service.c +@@ -164,7 +164,14 @@ + break; /* technically valid, but unused */ + case ITEM_TYPE_STRING: + case ITEM_TYPE_SECRET: +- break; /* valid */ ++ if (strchr (value, '\n') || strchr (value, '\r')) { ++ g_set_error (info->error, ++ NM_VPN_PLUGIN_ERROR, ++ NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS, ++ _("property '%s' contains a newline character"), ++ key); ++ } ++ break; + case ITEM_TYPE_PATH: + if ( !value + || !strlen (value) diff -Nru network-manager-vpnc-0.9.10.0/debian/patches/service-don-t-print-passwords-to-logging-output.patch network-manager-vpnc-0.9.10.0/debian/patches/service-don-t-print-passwords-to-logging-output.patch --- 
network-manager-vpnc-0.9.10.0/debian/patches/service-don-t-print-passwords-to-logging-output.patch 1970-01-01 01:00:00.000000000 +0100 +++ network-manager-vpnc-0.9.10.0/debian/patches/service-don-t-print-passwords-to-logging-output.patch 2018-07-31 12:44:09.000000000 +0200 
@@ -0,0 +1,72 @@ +From 796628f56ab616371156464f4973c8368b388337 Mon Sep 17 00:00:00 2001 +From: Thomas Haller <thaller@redhat.com> +Date: Wed, 25 May 2016 08:41:25 +0200 +Subject: [PATCH] service: don't print passwords to logging output + +--- + src/nm-vpnc-service.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + + Rebased against 0.9.10.0 by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>. + +--- a/src/nm-vpnc-service.c ++++ b/src/nm-vpnc-service.c +@@ -70,6 +70,7 @@ + ITEM_TYPE_UNKNOWN = 0, + ITEM_TYPE_IGNORED, + ITEM_TYPE_STRING, ++ ITEM_TYPE_SECRET, + ITEM_TYPE_BOOLEAN, + ITEM_TYPE_INT, + ITEM_TYPE_PATH +@@ -113,8 +114,8 @@ + }; + + static ValidProperty valid_secrets[] = { +- { NM_VPNC_KEY_SECRET, ITEM_TYPE_STRING, 0, 0 }, +- { NM_VPNC_KEY_XAUTH_PASSWORD, ITEM_TYPE_STRING, 0, 0 }, ++ { NM_VPNC_KEY_SECRET, ITEM_TYPE_SECRET, 0, 0 }, ++ { NM_VPNC_KEY_XAUTH_PASSWORD, ITEM_TYPE_SECRET, 0, 0 }, + { NULL, ITEM_TYPE_UNKNOWN, 0, 0 } + }; + +@@ -162,6 +163,7 @@ + case ITEM_TYPE_IGNORED: + break; /* technically valid, but unused */ + case ITEM_TYPE_STRING: ++ case ITEM_TYPE_SECRET: + break; /* valid */ + case ITEM_TYPE_PATH: + if ( !value +@@ -371,6 +373,22 @@ + va_end (args); + } + ++static void ++write_config_option_secret (int fd, const char *key, const char *value) ++{ ++ char *string = NULL; ++ int x; ++ ++ string = g_strdup_printf ("%s %s\n", key, value); ++ ++ x = write (fd, string, strlen (string)); ++ if (x < 0) ++ g_warning ("Unexpected error in write(): %d", errno); ++ ++ if (debug) ++ g_print ("Config: %s <hidden>", key); ++} ++ + typedef struct { + int fd; + GError *error; +@@ -427,6 +445,8 @@ + + if (type == ITEM_TYPE_STRING || type == ITEM_TYPE_PATH) + write_config_option (info->fd, "%s %s\n", (char *) key, (char *) value); ++ else if (type == ITEM_TYPE_SECRET) ++ write_config_option_secret (info->fd, key, value); + else if (type == ITEM_TYPE_BOOLEAN) { + if (!strcmp (value, "yes")) + write_config_option (info->fd, "%s\n", 
(char *) key);
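Review bot: In the debian/changelog hunk, "newlinies" in the description line "Disallow newlinies in configuration values." is a typo for "newlines". The patch file name inherits that spelling from the upstream subject and can stay as it is, but the free-text line is worth correcting in any follow-up upload.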
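Review bot: In service-disallow-newlinies-in-configuration-values-C.patch, the new check in the ITEM_TYPE_STRING / ITEM_TYPE_SECRET case calls strchr (value, '\n') without the !value guard that the ITEM_TYPE_PATH case directly below it applies. If value can be NULL on this path, guard it the same way, for example if (value && (strchr (value, '\n') || strchr (value, '\r'))). The patch header also still carries the "[carnil: Backport to 1.2.4: ...]" note although this upload targets 0.9.10.0, so a line recording the rebase, like the one in the passwords patch, would make the provenance clearer.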
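Review bot: In write_config_option_secret () (the @@ -371,6 +373,22 @@ hunk inside service-don-t-print-passwords-to-logging-output.patch), the buffer returned by g_strdup_printf () is never released, so every call leaks a heap copy of the "key value" line that contains the secret. Add g_free (string) before returning, ideally after overwriting the buffer. Two smaller points in the same function: write () is only checked for x < 0, so a short write would go unnoticed, and the debug g_print ("Config: %s <hidden>", key) has no trailing newline.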