Bug 15862

Summary: networkmanager new security issue CVE-2015-2924
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Olav Vitters <olav>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: jyri2000, shlomif
Version: Cauldron
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/644877/
Whiteboard:
Source RPM: networkmanager-1.0.0-4.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-05-06 17:07:59 CEST
An update was submitted to Fedora QA on May 5:
https://admin.fedoraproject.org/updates/NetworkManager-1.0.2-1.fc22,network-manager-applet-1.0.2-1.fc22,NetworkManager-openconnect-1.0.2-1.fc22,NetworkManager-openvpn-1.0.2-1.fc22,NetworkManager-vpnc-1.0.2-1.fc22,NetworkManager-openswan-1.0.2-1.fc22?_csrf_token=e0a6c6bce78f6f99684f5382f1607a16ee0fa104

The RedHat bug has links to upstream commits to fix the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1209902

The issue also appears to be fixed in 1.0.2.

Mageia 4 and Mageia 5 are affected.

David Walser 2015-05-06 17:08:04 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 Shlomi Fish 2015-05-06 19:56:21 CEST
The SVN of Cauldron was upgraded to 1.0.2 and I installed the packages and everything seems fine (but I'm not sure I'm actively using networkmanager). Should I file a freeze push request?

CC: (none) => shlomif

Comment 2 David Walser 2015-05-06 20:08:17 CEST
If you have the packages installed and you don't have NM_CONTROLLED=no in your /etc/sysconfig/network-scripts/ifcfg-{interface-name} files, then I believe it should be actively using NetworkManager.  I believe NM has a service associated with it which should also be active and running.

I believe a freeze push request would be good.  It would make sense to include the release announcement 1.0.2 in the request:
https://mail.gnome.org/archives/networkmanager-list/2015-May/msg00005.html

It looks like all of the NetworkManager packages should be updated together though, as Fedora is doing for their update.  Besides the main networkmanager package itself, there's also networkmanager-applet, networkmanager-openconnect, networkmanager-openvpn, networkmanager-pptp, networkmanager-vpnc, and networkmanager-openswan in their own SRPMS.
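As an added illustration of the check described in comment 2 (not code from the bug report or from the NetworkManager project): a small script that scans ifcfg-* files for NM_CONTROLLED=no and reports which interfaces NetworkManager would be managing. The directory path and the sample ifcfg files are constructed for the demonstration.

```shell
# Added example, not from this bug report or from NetworkManager itself.
# Report, per ifcfg-<iface> file, whether NetworkManager's ifcfg-rh plugin
# would manage the interface: it leaves interfaces alone only when the file
# contains NM_CONTROLLED=no (quotes and case are tolerated, comments ignored).

nm_managed() {
    # $1 = path to an ifcfg-<iface> file; prints "managed" or "unmanaged"
    if grep -Eiq "^[[:space:]]*NM_CONTROLLED=[\"']?no[\"']?[[:space:]]*\$" "$1"; then
        echo unmanaged
    else
        echo managed
    fi
}

scan_ifcfg_dir() {
    # $1 = directory holding ifcfg-* files
    #      (on a real system: /etc/sysconfig/network-scripts)
    for f in "$1"/ifcfg-*; do
        [ -f "$f" ] || continue
        iface=${f##*/ifcfg-}
        printf '%s %s\n' "$iface" "$(nm_managed "$f")"
    done
}

# Constructed sample files in a temporary directory, so the script runs offline.
demo_dir=$(mktemp -d)
printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nNM_CONTROLLED=no\n' > "$demo_dir/ifcfg-eth0"
printf 'DEVICE=wlan0\nBOOTPROTO=dhcp\n' > "$demo_dir/ifcfg-wlan0"
printf 'DEVICE=eth1\n# NM_CONTROLLED=no\nNM_CONTROLLED="yes"\n' > "$demo_dir/ifcfg-eth1"

# Expected: eth0 unmanaged, wlan0 managed, eth1 managed (the commented line does not count)
scan_ifcfg_dir "$demo_dir"
```

An interface reported as "managed" here is one NetworkManager would handle when its service is active, which is the situation comment 2 describes.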

Comment 3 Jüri Ivask 2015-05-08 08:33:33 CEST
(In reply to David Walser from comment #2)
> It looks like all of the NetworkManager packages should be updated together
> though, as Fedora is doing for their update.  Besides the main
> networkmanager package itself, there's also networkmanager-applet,
> networkmanager-openconnect, networkmanager-openvpn, networkmanager-pptp,
> networkmanager-vpnc, and networkmanager-openswan in their own SRPMS.

But what about plasma-nm and plasma5-nm?

CC: (none) => jyri2000

Comment 4 David Walser 2015-05-08 13:29:57 CEST
(In reply to Jüri Ivask from comment #3)
> But what about plasma-nm and plasma5-nm?

What about them?  They're not part of upstream NM.

Comment 5 David Walser 2015-05-11 14:17:59 CEST
Fixed in networkmanager-1.0.2-2.mga5 and associated updated packages for Cauldron.

Non-upstream packages like networkmanager-l2tp, plasma-nm, and plasma5-nm have been rebuilt against the updated networkmanager packages.

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 6 David Walser 2015-05-14 18:05:33 CEST
Affected code not present until 0.9.10, Mageia 4 has 0.9.8.x.

Status: NEW => RESOLVED
Version: 4 => Cauldron
Resolution: (none) => FIXED

David Walser 2015-05-18 19:13:08 CEST

URL: (none) => http://lwn.net/Vulnerabilities/644877/