author | Iain Lane <iain@orangesquash.org.uk> | 2017-03-03 12:27:23 +0000 |
---|---|---|
committer | Beniamino Galvani <bgalvani@redhat.com> | 2017-03-16 16:19:20 +0100 |
commit | 523d0439c9d5633daccc77474f793c82cbd731ee (patch) | |
tree | be0c03d4e24441832eb5a78b23260f9a5f7135aa | |
parent | 9df10e2e758a7b78aa5a69a15900030f45e48fff (diff) | |
download | network-manager-applet-523d0439c9d5633daccc77474f793c82cbd731ee.tar.gz |
applet: check permissions before showing 802.1x wifi dialog (CVE-2017-6590)
In most places, we (or NM) check permissions before performing actions.
One place we don't is when we need more information when connecting to
an 802.1x network. In that case we pop up a dialog to ask for more
information before initiating the connection.
The dialog contains a GTK+ filechooser. We don't want unprivileged users
to have access to this as it allows opening files.
Check for MODIFY_SYSTEM or MODIFY_OWN before showing the dialog for
802.1x connections. If the user doesn't have or can't get it, don't show
the dialog. They wouldn't have been able to create the connection
anyway.
This fixes CVE-2017-6590.
https://mail.gnome.org/archives/networkmanager-list/2017-March/msg00032.html
https://bugs.launchpad.net/bugs/1668321
[bgalvani@redhat.com: changed commit subject line, added links]
-rw-r--r-- | src/applet-device-wifi.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/src/applet-device-wifi.c b/src/applet-device-wifi.c
index 7b8fa6e1..4bc819d7 100644
--- a/src/applet-device-wifi.c
+++ b/src/applet-device-wifi.c
@@ -514,6 +514,15 @@ done:
 gtk_widget_destroy (GTK_WIDGET (dialog));
 }
 
+static gboolean
+can_get_permission (NMApplet *applet, NMClientPermission perm)
+{
+ if ( applet->permissions[perm] == NM_CLIENT_PERMISSION_RESULT_YES
+ || applet->permissions[perm] == NM_CLIENT_PERMISSION_RESULT_AUTH)
+ return TRUE;
+ return FALSE;
+}
+
 static void
 _do_new_auto_connection (NMApplet *applet,
 NMDevice *device,
@@ -590,6 +599,15 @@ _do_new_auto_connection (NMApplet *applet,
 * Dialog Of Doom.
 */
 if (s_8021x) {
+ if (!can_get_permission (applet, NM_CLIENT_PERMISSION_SETTINGS_MODIFY_SYSTEM) &&
+ !can_get_permission (applet, NM_CLIENT_PERMISSION_SETTINGS_MODIFY_OWN)) {
+ const char *text = _("Failed to add new connection");
+ const char *err_text = _("Insufficient privileges.");
+ g_warning ("%s: %s", text, err_text);
+ utils_show_error_dialog (_("Connection failure"), text, err_text, FALSE, NULL);
+ g_clear_object (&connection);
+ return;
+ }
 more_info = g_malloc0 (sizeof (*more_info));
 more_info->applet = applet;
 more_info->callback = callback; |
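Review bot: can_get_permission() is now the gate in front of the 802.1x dialog, but nothing documents why NM_CLIENT_PERMISSION_RESULT_AUTH counts the same as YES or that every other result is treated as a refusal. I would add above it `/* TRUE if the user holds the permission or may obtain it by authenticating; any other result is treated as denied. */`. As a style point, the body can be a single `return` of the two comparisons rather than `if (...) return TRUE; return FALSE;`. `perm` indexes `applet->permissions` unchecked, which is fine for the two constant arguments used in this patch but should be revisited if the helper ever gets a computed value.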
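Review bot: The new guard under `if (s_8021x)` lets the dialog through when either permission is only NM_CLIENT_PERMISSION_RESULT_AUTH, so the file chooser is shown to a user who could authenticate, not one who already has. Whether that meets the commit message's goal of keeping unprivileged users away from the file chooser depends on the polkit policy never reporting AUTH for such sessions. That assumption deserves a comment at the check, for example `/* AUTH is accepted here: authorization itself is presumably requested later, when the connection is added. */`. Separately, the early return clears `connection` but does not invoke `callback`. The function body continues outside the hunk, so I cannot tell whether callers wait on that callback; it is worth confirming against the function's other error paths.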