Debian Bug report logs - #519801
CVE-2009-0365, CVE-2009-0578

Package: network-manager-applet; Maintainer for network-manager-applet is Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>;

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Sun, 15 Mar 2009 10:42:01 UTC

Severity: serious

Tags: security

Found in version 0.6.6-4

Fixed in versions 0.7.0.99-1, network-manager-applet/0.6.6-4+lenny1, network-manager/0.6.4-6+etch1

Done: Michael Biebl <biebl@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#519801; Package network-manager-applet. (Sun, 15 Mar 2009 10:42:05 GMT)

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sun, 15 Mar 2009 10:42:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-0365, CVE-2009-0578
Date: Sun, 15 Mar 2009 11:40:21 +0100
Package: network-manager-applet
Version: 0.6.6-4
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for network-manager-applet:

CVE-2009-0365[1]:
The dbus request handler in (1) network-manager-applet and (2)
NetworkManager in Ubuntu 6.06 LTS, 7.10, 8.04 LTS, and 8.10 does not
properly verify privileges, which allows local users to discover (a)
network connection passwords and (b) pre-shared keys via unspecified
queries.


CVE-2009-0578[2]:
network-manager-applet in Ubuntu 8.10 does not properly verify
privileges for dbus (1) modify and (2) delete requests, which allows
local users to change or remove the network connections of arbitrary
users via unspecified vectors. 


These are already fixed in unstable, but I guess this should be fixed in
stable as well.


[1]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0365
[2]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0578

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkm82w4ACgkQNxpp46476ap+ywCfdgKlbQPrEDto0zx/YuEWQRfl
AnEAoIEp5CEhzHYO8Xmft4d8AjX/7hs6
=9LWP
-----END PGP SIGNATURE-----




Bug no longer marked as found in version 0.7.0.99-1. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Sun, 15 Mar 2009 11:27:06 GMT)

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Sun, 15 Mar 2009 11:30:15 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sun, 15 Mar 2009 11:30:15 GMT)

Message #12 received at 519801-done@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 519801-done@bugs.debian.org
Subject: Re: Bug#519801: CVE-2009-0365, CVE-2009-0578
Date: Sun, 15 Mar 2009 12:26:11 +0100
Version: 0.7.0.99-1

* Giuseppe Iuculano <giuseppe@iuculano.it> [2009-03-15 12:17]:
[...] 
> These are already fixed in unstable, but I guess this should be fixed in
> stable as well.
> 
> [1]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0365
> [2]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0578

Please use appropriate tags & versions if you file bugs just 
for stable.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Sun, 18 Apr 2010 14:10:46 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sun, 18 Apr 2010 14:10:46 GMT)

Message #17 received at 519801-close@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 519801-close@bugs.debian.org
Subject: Bug#519801: fixed in network-manager-applet 0.6.6-4+lenny1
Date: Sun, 18 Apr 2010 14:01:06 +0000
Source: network-manager-applet
Source-Version: 0.6.6-4+lenny1

We believe that the bug you reported is fixed in the latest version of
network-manager-applet, which is due to be installed in the Debian FTP archive:

network-manager-applet_0.6.6-4+lenny1.diff.gz
  to main/n/network-manager-applet/network-manager-applet_0.6.6-4+lenny1.diff.gz
network-manager-applet_0.6.6-4+lenny1.dsc
  to main/n/network-manager-applet/network-manager-applet_0.6.6-4+lenny1.dsc
network-manager-gnome_0.6.6-4+lenny1_i386.deb
  to main/n/network-manager-applet/network-manager-gnome_0.6.6-4+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 519801@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated network-manager-applet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 15 Dec 2009 23:40:01 +0100
Source: network-manager-applet
Binary: network-manager-gnome
Architecture: source i386
Version: 0.6.6-4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description: 
 network-manager-gnome - network management framework (GNOME frontend)
Closes: 519801
Changes: 
 network-manager-applet (0.6.6-4+lenny1) stable-security; urgency=high
 .
   * debian/patches/10-CVE-2009-0365.patch
     - SECURITY: It was discovered that NetworkManager did not properly enforce
       permissions when responding to dbus requests. A local user could perform
       dbus queries to view system and user network connection passwords and
       pre-shared keys. (Closes: #519801)
       FIXES: CVE-2009-0365

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkso9cMACgkQh7PER70FhVQONQCfZ1Ua3rGzlLlOp9bojdEnyG9s
UskAniwtpHky7OMTYKRmtICRLMFHZRVa
=f8WP
-----END PGP SIGNATURE-----





Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Sun, 02 May 2010 14:12:06 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sun, 02 May 2010 14:12:06 GMT)

Message #22 received at 519801-close@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 519801-close@bugs.debian.org
Subject: Bug#519801: fixed in network-manager 0.6.4-6+etch1
Date: Sun, 02 May 2010 14:10:00 +0000
Source: network-manager
Source-Version: 0.6.4-6+etch1

We believe that the bug you reported is fixed in the latest version of
network-manager, which is due to be installed in the Debian FTP archive:

libnm-glib-dev_0.6.4-6+etch1_i386.deb
  to main/n/network-manager/libnm-glib-dev_0.6.4-6+etch1_i386.deb
libnm-glib0_0.6.4-6+etch1_i386.deb
  to main/n/network-manager/libnm-glib0_0.6.4-6+etch1_i386.deb
libnm-util-dev_0.6.4-6+etch1_i386.deb
  to main/n/network-manager/libnm-util-dev_0.6.4-6+etch1_i386.deb
libnm-util0_0.6.4-6+etch1_i386.deb
  to main/n/network-manager/libnm-util0_0.6.4-6+etch1_i386.deb
network-manager-dev_0.6.4-6+etch1_i386.deb
  to main/n/network-manager/network-manager-dev_0.6.4-6+etch1_i386.deb
network-manager-gnome_0.6.4-6+etch1_i386.deb
  to main/n/network-manager/network-manager-gnome_0.6.4-6+etch1_i386.deb
network-manager_0.6.4-6+etch1.diff.gz
  to main/n/network-manager/network-manager_0.6.4-6+etch1.diff.gz
network-manager_0.6.4-6+etch1.dsc
  to main/n/network-manager/network-manager_0.6.4-6+etch1.dsc
network-manager_0.6.4-6+etch1_i386.deb
  to main/n/network-manager/network-manager_0.6.4-6+etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 519801@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated network-manager package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 15 Dec 2009 23:31:58 +0100
Source: network-manager
Binary: libnm-util-dev network-manager-gnome network-manager-dev libnm-util0 libnm-glib0 network-manager libnm-glib-dev
Architecture: source i386
Version: 0.6.4-6+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Riccardo Setti <giskard@debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description: 
 libnm-glib-dev - network management framework (GLib interface)
 libnm-glib0 - network management framework (GLib shared library)
 libnm-util-dev - network management framework (development files)
 libnm-util0 - network management framework (shared library)
 network-manager - network management framework daemon
 network-manager-dev - network management framework (development files)
 network-manager-gnome - network management framework (GNOME frontend)
Closes: 519801
Changes: 
 network-manager (0.6.4-6+etch1) oldstable-security; urgency=high
 .
   * debian/patches/13-CVE-2009-0365.patch
     - SECURITY: It was discovered that NetworkManager did not properly enforce
       permissions when responding to dbus requests. A local user could perform
       dbus queries to view system and user network connection passwords and
       pre-shared keys. (Closes: #519801)
       FIXES: CVE-2009-0365

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkso8h0ACgkQh7PER70FhVSUJwCfU2XqAyR9L6smbmzW7unHrEoj
cBsAn2Nxg5TgBo3cjoGT4VfPetjGaLCA
=b96c
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:30:17 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:12:27 2014; Machine Name: buxtehude.debian.org