Bugzilla – Bug 928972
VUL-0: CVE-2015-1322: NetworkManager,ofono: privilege escalation via path traversal
Last modified: 2015-04-28 16:56:53 UTC
Via Ubuntu Security Notice USN-2581-1
http://www.ubuntu.com/usn/usn-2581-1/

> network-manager vulnerability
> ==========================================================================
>
> A security issue affects these releases of Ubuntu and its derivatives:
>
> - Ubuntu 15.04
> - Ubuntu 14.10
> - Ubuntu 14.04 LTS
>
> Summary:
>
> NetworkManager would allow unintended access to files and modem device
> configuration.
>
> Software Description:
> - network-manager: Network connection manager
>
> Details:
>
> Tavis Ormandy discovered that NetworkManager incorrectly filtered paths
> when requested to read modem device contexts. A local attacker could
> possibly use this issue to bypass privileges and manipulate modem device
> configuration or read arbitrary files.

On LP:

> * SECURITY UPDATE: directory traversal issue resulting in connection
>   modification and possible arbitrary file disclosure (LP: #1449245)
>   - debian/patches/CVE-2015-1322.patch: strip slashes from filename
>     in src/settings/plugins/ofono/plugin.c.
>   - CVE-2015-1322

The bug:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1449245

What is odd:

> Apparently you're not happy with me for discussing local privilege
> escalation on oss-security, so as you requested, here's what appears
> to be a problem in Ubuntu-specific code.

We do not ship src/settings/plugins/ofono/plugin.c.

References:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1449245
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1322
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1322.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1322
Code not found in NetworkManager or ofono code, SLE or openSUSE. Fixing as Ubuntu specific.