Hi, today we've discovered and fixed a temporary file race flaw that could enable an unprivileged authenticated local user to read out connection secrets (e.g. a VPN or Wi-Fi password) while the connection is being saved.
It's fairly unlikely for this to happen as there's no way to force another user to save their connection. The problem affects all supported NetworkManager releases (and unsupported ones, as it dates way back to before 0.7.x series). The fix will be included in the next NetworkManager release (not schedule yet and no hurry either given the fairly low severity). Just in case anyone would wish to backport the fixes, it's these commits: master: 60b7ed3bdc3941a3b7c56824fba4b7291e79041f [1] 1.0.x: 38ad5c9f3ace1e5578727c9de74b45346ea0a00e [2] [1] http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?i d=60b7ed3bdc3941a3b7c56824fba4b7291e79041f [2] http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h =nm-1-0&id=38ad5c9f3ace1e5578727c9de74b45346ea0a00e Take care! Lubo _______________________________________________ networkmanager-list mailing list [email protected] https://mail.gnome.org/mailman/listinfo/networkmanager-list
