fix(network-manager): CVE-2025-9615 - certificate permission validation (#25)
Open
hudeng-go wants to merge 1 commit into
CVE-2025-9615: prevent non-admin users from using other users' certificates.

A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.

This patch series addresses the issue:

1. Remove modify_system build option (prevents non-admin from creating system-wide connections that bypass permission checks)
2. Add permission helpers in libnm-std-aux
3. Add connection permission helpers in core and libnm-core
4. Add property flag for certificate and key files
5. Add daemon-helper read-file-as-user and libnm-helper
6. Read private certificate files in device stage2 and pass as blobs to supplicant
7. Add VPN safe private file access and certificate copy utility

Upstream-Reference: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
TAG Bot TAG: 1.44.2-7deepin10
/retest
CVE Fix: CVE-2025-9615
Summary
Backport upstream fix for CVE-2025-9615: prevent non-admin users from using other users' certificates for network authentication.
Problem
NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection. This allows a non-admin user to create a connection that references another user's certificate files for 802.1X or VPN authentication.
Fix (7 patches)
Strategy
Targeted backport (patch series) - much cleaner than the previous 2247-line monolithic patch.
Verification
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
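The "read-file-as-user" helper the series adds (patch 5) and the blob hand-off to the supplicant (patch 6) rest on one idea: the root daemon must not open the certificate file itself, but read it with the connection owner's credentials. The example below is an added illustration written for this page, not code from the NetworkManager merge request; the function names, the fork-and-pipe transport, the O_NOFOLLOW choice and the constructed sample file are assumptions of the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Read `path` as `uid`/`gid` instead of as the daemon: a forked child drops
 * privileges for good (groups, gid, then uid) before open(), so the kernel checks
 * the file against the connection owner. Returns byte count, or -1 on failure. */
static ssize_t read_file_as_user(const char *path, uid_t uid, gid_t gid,
                                 char *buf, size_t buflen)
{
    int p[2], status;
    if (pipe(p) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {                              /* child: drop, then open */
        close(p[0]);
        if (geteuid() == 0 && setgroups(0, NULL) < 0) _exit(1);
        if (setresgid(gid, gid, gid) < 0) _exit(1);
        if (setresuid(uid, uid, uid) < 0) _exit(1);   /* uid last, or the gid change is lost */
        if (getuid() != uid || geteuid() != uid) _exit(1);
        int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC); /* O_NOFOLLOW: this example's choice */
        if (fd < 0) _exit(1);
        char tmp[4096]; ssize_t n;
        while ((n = read(fd, tmp, sizeof tmp)) > 0)
            if (write(p[1], tmp, (size_t)n) != n) _exit(1);
        _exit(n < 0);
    }
    close(p[1]);                                 /* parent: collect the blob */
    size_t total = 0; ssize_t n;
    while (total < buflen && (n = read(p[0], buf + total, buflen - total)) > 0)
        total += (size_t)n;
    close(p[0]);      /* oversized file: child dies on EPIPE and we return -1 */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status))
        return -1;
    return (ssize_t)total;
}
/* Demo on a constructed 0600 file owned by the caller: 1 = read back intact, -1 = denied, -2 = setup error */
int demo_read_as_user(uid_t uid, gid_t gid)
{
    static const char sample[] = "-----BEGIN CERTIFICATE-----\nconstructed\n";
    char path[] = "/tmp/nm-cert-example-XXXXXX", buf[128];
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, sample, sizeof sample - 1) != (ssize_t)(sizeof sample - 1)) return -2;
    close(fd); ssize_t n = read_file_as_user(path, uid, gid, buf, sizeof buf);
    unlink(path);
    return n < 0 ? (int)n : (n == (ssize_t)(sizeof sample - 1) && !memcmp(buf, sample, (size_t)n));
}
```

Reading the file as its owner returns the blob intact; reading it as any other uid fails, either because an unprivileged caller cannot switch identity or because, for root, the switched child is refused by the 0600 mode.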