Bug 793329 - CVE-2012-1096: local user may specify arbitrary files as certificates, private keys in connections
Status: RESOLVED OBSOLETE
Product: NetworkManager
Classification: Platform
Component: API
Version: unspecified
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: NetworkManager maintainer(s)
Reported: 2018-02-09 10:39 UTC by Matthias Gerstner
Modified: 2020-11-12 14:29 UTC
Description Matthias Gerstner 2018-02-09 10:39:22 UTC
We have come across an old security issue regarding NetworkManager that doesn't seem to be handled yet. I don't know whether you ever became aware of this issue. There seems to be no prior bug about it in your Bugzilla.

Details can be found in our openSUSE bug:

https://bugzilla.suse.com/show_bug.cgi?id=738073

Basically it seems to be possible to add new connections as a local user (e.g. 802.1x authenticated ones) and specify arbitrary certificate and private key locations. This could e.g. be used to specify other users' certificates or private keys.

I had a look at the current NetworkManager code and it looks like the issue is still present. The situation seems difficult to fix cleanly, but maybe at least some mitigation could be built in?

Comment 1 Thomas Haller 2018-02-09 20:48:39 UTC
Files also have other downsides: NetworkManager (as root) or the supplicant/VPN plugin (usually root too) might not be able to access the user's files, for example due to SELinux, or because the files are on a FUSE filesystem which isn't readable even to root.

The long term fix is not to use files at all, but pkcs11 URLs. That requires improvements and support from various components, and some work is already completed in this regard and it should already work today.

However, the day when files will be entirely rejected still seems far away.

As a mitigation, don't allow such untrusted users to create connections for NetworkManager. That can be controlled via PolicyKit.
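
The PolicyKit mitigation suggested in Comment 1, sketched as a polkit rules file; this is an added example, not part of the original comments and not NetworkManager's own code. The file path and the `netadmin` group are assumptions, while the two action IDs are NetworkManager's polkit actions for modifying connection profiles.

```javascript
// Example path (assumption): /etc/polkit-1/rules.d/49-nm-untrusted-no-edit.rules

// NetworkManager polkit actions that cover adding or editing connection profiles.
var NM_EDIT_ACTIONS = [
    "org.freedesktop.NetworkManager.settings.modify.own",
    "org.freedesktop.NetworkManager.settings.modify.system"
];

// Hypothetical local group whose members may still edit connections.
var NM_TRUSTED_GROUP = "netadmin";

function nmRestrictConnectionEdits(action, subject) {
    // Leave every other action to the remaining rules and the default policy.
    if (NM_EDIT_ACTIONS.indexOf(action.id) === -1) {
        return polkit.Result.NOT_HANDLED;
    }
    // root and trusted members fall through to the stock NetworkManager policy.
    if (subject.user === "root" || subject.isInGroup(NM_TRUSTED_GROUP)) {
        return polkit.Result.NOT_HANDLED;
    }
    // Everyone else cannot create or modify profiles, so they cannot point
    // a profile at another user's certificate or private key file.
    return polkit.Result.NO;
}

// polkitd provides the global `polkit`; the guard only allows the file to be
// loaded in a plain JavaScript engine for testing.
if (typeof polkit !== "undefined") {
    polkit.addRule(nmRestrictConnectionEdits);
}
```

polkit evaluates rules files in lexical order and stops at the first rule that returns a decision, so the file needs a name that sorts before any rule granting these actions.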
Comment 2 André Klapper 2020-11-12 14:29:55 UTC
bugzilla.gnome.org is being shut down in favor of a GitLab instance. 
We are closing all old bug reports and feature requests in GNOME Bugzilla which have not seen updates for a long time.

If you still use NetworkManager and if you still see this bug / want this feature in a recent and supported version of NetworkManager, then please feel free to report it at https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/

Thank you for creating this report and we are sorry it could not be implemented (workforce and time are unfortunately limited).