Bug#986847: unblock: network-manager/1.30.0-2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#986847: unblock: network-manager/1.30.0-2
From: Michael Biebl <biebl@debian.org>
Date: Mon, 12 Apr 2021 21:45:25 +0200
Message-id: <[🔎] 161825672516.79985.2582692899195738458.reportbug@pluto.milchstrasse.xx>
Reply-to: Michael Biebl <biebl@debian.org>, 986847@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package network-manager

It cherry-picks an upstream commit to fix
#986809 / CVE-2021-20297

Full debdiff attached.

Regards,
Michael

unblock network-manager/1.30.0-2

diff --git a/debian/changelog b/debian/changelog
index 44ae3264f7..3431459d47 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+network-manager (1.30.0-2) unstable; urgency=medium
+
+  * core: fix crash in nm_wildcard_match_check()
+    (CVE-2021-20297, Closes: #986809)
+
+ -- Michael Biebl <biebl@debian.org>  Mon, 12 Apr 2021 21:15:36 +0200
+
 network-manager (1.30.0-1) unstable; urgency=medium
 
   * New upstream version 1.30.0
diff --git a/debian/control b/debian/control
index 06146cd204..d95f09bd03 100644
--- a/debian/control
+++ b/debian/control
@@ -65,7 +65,7 @@ Breaks: ${misc:Breaks}
 Description: network management framework (daemon and userspace tools)
  NetworkManager is a system network service that manages your network devices
  and connections, attempting to keep active network connectivity when
- available. It manages ethernet, WiFi, mobile broadband (WWAN), and PPPoE
+ available. It manages ethernet, Wi-Fi, mobile broadband (WWAN), and PPPoE
  devices, and provides VPN integration with a variety of different VPN
  services.
  .
@@ -100,7 +100,7 @@ Depends: ${shlibs:Depends},
 Description: GObject-based client library for NetworkManager
  NetworkManager is a system network service that manages your network devices
  and connections, attempting to keep active network connectivity when
- available. It manages ethernet, WiFi, mobile broadband (WWAN), and PPPoE
+ available. It manages ethernet, Wi-Fi, mobile broadband (WWAN), and PPPoE
  devices, and provides VPN integration with a variety of different VPN
  services.
  .
@@ -118,7 +118,7 @@ Depends: ${misc:Depends},
 Description: GObject-based client library for NetworkManager (development files)
  NetworkManager is a system network service that manages your network devices
  and connections, attempting to keep active network connectivity when
- available. It manages ethernet, WiFi, mobile broadband (WWAN), and PPPoE
+ available. It manages ethernet, Wi-Fi, mobile broadband (WWAN), and PPPoE
  devices, and provides VPN integration with a variety of different VPN
  services.
  .
@@ -136,7 +136,7 @@ Replaces: gir1.2-networkmanager-1.0 (<< 1.8.0-2)
 Description: GObject introspection data for the libnm library
  NetworkManager is a system network service that manages your network devices
  and connections, attempting to keep active network connectivity when
- available. It manages ethernet, WiFi, mobile broadband (WWAN), and PPPoE
+ available. It manages ethernet, Wi-Fi, mobile broadband (WWAN), and PPPoE
  devices, and provides VPN integration with a variety of different VPN
  services.
  .
diff --git a/debian/patches/core-fix-crash-in-nm_wildcard_match_check.patch b/debian/patches/core-fix-crash-in-nm_wildcard_match_check.patch
new file mode 100644
index 0000000000..02d4484dd0
--- /dev/null
+++ b/debian/patches/core-fix-crash-in-nm_wildcard_match_check.patch
@@ -0,0 +1,74 @@
+From: Thomas Haller <thaller@redhat.com>
+Date: Wed, 24 Mar 2021 21:05:19 +0100
+Subject: core: fix crash in nm_wildcard_match_check()
+
+It's not entirely clear how to treat %NULL.
+Clearly "match.interface-name=eth0" should not
+match with an interface %NULL. But what about
+"match.interface-name=!eth0"? It's now implemented
+that negative matches still succeed against %NULL.
+What about "match.interface-name=*"? That probably
+should also match with %NULL. So we treat %NULL really
+like "".
+
+Against commit 11cd443448bc ('iwd: Don't call IWD methods when device
+unmanaged'), we got this backtrace:
+
+    #0  0x00007f1c164069f1 in __strnlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:62
+    #1  0x00007f1c1637ac9e in __fnmatch (pattern=<optimized out>, string=<optimized out>, string@entry=0x0, flags=flags@entry=0) at fnmatch.c:379
+            p = 0x0
+            res = <optimized out>
+            orig_pattern = <optimized out>
+            n = <optimized out>
+            wpattern = 0x7fff8d860730 L"pci-0000:03:00.0"
+            ps = {__count = 0, __value = {__wch = 0, __wchb = "\000\000\000"}}
+            wpattern_malloc = 0x0
+            wstring_malloc = 0x0
+            wstring = <optimized out>
+            alloca_used = 80
+            __PRETTY_FUNCTION__ = "__fnmatch"
+    #2  0x0000564484a978bf in nm_wildcard_match_check (str=0x0, patterns=<optimized out>, num_patterns=<optimized out>) at src/core/nm-core-utils.c:1959
+            is_inverted = 0
+            is_mandatory = 0
+            match = <optimized out>
+            p = 0x564486c43fa0 "pci-0000:03:00.0"
+            has_optional = 0
+            has_any_optional = 0
+            i = <optimized out>
+    #3  0x0000564484bf4797 in check_connection_compatible (self=<optimized out>, connection=<optimized out>, error=0x0) at src/core/devices/nm-device.c:7499
+            patterns = <optimized out>
+            device_driver = 0x564486c76bd0 "veth"
+            num_patterns = 1
+            priv = 0x564486cbe0b0
+            __func__ = "check_connection_compatible"
+            device_iface = <optimized out>
+            local = 0x564486c99a60
+            conn_iface = 0x0
+            klass = <optimized out>
+            s_match = 0x564486c63df0 [NMSettingMatch]
+    #4  0x0000564484c38491 in check_connection_compatible (device=0x564486cbe590 [NMDeviceVeth], connection=0x564486c6b160, error=0x0) at src/core/devices/nm-device-ethernet.c:348
+            self = 0x564486cbe590 [NMDeviceVeth]
+            s_wired = <optimized out>
+
+Fixes: 3ced486f4162 ('libnm/match: extend syntax for match patterns with '|', '&', '!' and '\\'')
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1942741
+(cherry picked from commit 420784e342da4883f6debdfe10cde68507b10d27)
+---
+ src/core/nm-core-utils.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/nm-core-utils.c b/src/core/nm-core-utils.c
+index 9075c30..eed8cd7 100644
+--- a/src/core/nm-core-utils.c
++++ b/src/core/nm-core-utils.c
+@@ -1956,7 +1956,8 @@ nm_wildcard_match_check(const char *str, const char *const *patterns, guint num_
+ 
+         _pattern_parse(patterns[i], &p, &is_inverted, &is_mandatory);
+ 
+-        match = (fnmatch(p, str, 0) == 0);
++        match = (fnmatch(p, str ?: "", 0) == 0);
++
+         if (is_inverted)
+             match = !match;
+ 
diff --git a/debian/patches/series b/debian/patches/series
index a2d7e06dbd..b31950d2cb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 Force-online-state-with-unmanaged-devices.patch
+core-fix-crash-in-nm_wildcard_match_check.patch

Reply to:

Follow-Ups:
- Bug#986847: marked as done (unblock: network-manager/1.30.0-2)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#986846: unblock: rabbitmq-server/3.8.9-3
Next by Date: Bug#986831: marked as done (unblock: node-core-js/3.8.2-2)
Previous by thread: Bug#986846: marked as done (unblock: rabbitmq-server/3.8.9-3)
Next by thread: Bug#986847: marked as done (unblock: network-manager/1.30.0-2)
Index(es):
- Date
- Thread