Re: CVE Request: NetworkManager arbitrary file access

[Kurt Seifried <kseifried () redhat com>]

On 02/29/2012 02:48 AM, Ludwig Nussel wrote:
> Hi,
>
> Connections in NetworkManager 0.9 store path names to certificates and
> key files. That means NM (or rather wpa_supplicant which gets
> configured by NM) accesses the user's files as root. A user who is
> allowed to add connections (default for locally logged in users) may
> specify arbitrary file names. NM happily accepts files of any other
> user, including root and even device files. Fortunately it's read
> access only.
>
> The safe approach would be to stream the actual content of the
> certificate and key files to NM and have NM store that directly.
> In fact NM 0.7 does just that for system connections (but forgets to
> store the key so those connections won't actually work).
>
> NM 0.6 is also affected.
>
> Reproducer for NM 0.9 attached, you need to edit the file names and
> then run e.g.
> $ nmw.py new wlan0 yourssid
>
> cu
> Ludwig

Please use CVE-2012-1096 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)