GNOME applet for NetworkManager: Arbitrary file read/write — GLSA 201707-09

A vulnerability has been found in GNOME applet for NetworkManager allowing local attackers to access the local filesystem.

Affected packages

gnome-extra/nm-applet on all architectures
Affected versions < 1.4.6-r1
Unaffected versions >= 1.4.6-r1

Background

GNOME applet for NetworkManager is a GTK+ 3 front-end which works under Xorg environments with a systray.

Description

Frederic Bardy and Quentin Biguenet discovered that GNOME applet for NetworkManager incorrectly checked permissions when connecting to certain wireless networks.

Impact

A local attacker could bypass security restrictions at the login screen to access local files.

Workaround

There is no known workaround at this time.

Resolution

All GNOME applet for NetworkManager users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=gnome-extra/nm-applet-1.4.6-r1"
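
To confirm afterwards that a host is on a fixed version, the following added example (not part of the GLSA or of Portage) reads the installed nm-applet versions from Portage's installed-package database and compares them with 1.4.6-r1. The function names and the `VDB` override variable are assumptions of this example, and the comparison handles only dotted numeric versions with an optional -rN revision.

```shell
#!/bin/sh
# Added example, not from the advisory: flag installed nm-applet versions
# older than the fixed version named in GLSA 201707-09.
FIXED="1.4.6-r1"

# ver_ge A B: succeed when version A >= B. Assumption: dotted integers with
# an optional -rN revision only (no _alpha/_p or letter suffixes).
ver_ge() {
    a=${1%-r[0-9]*}; b=${2%-r[0-9]*}
    ar=0; br=0
    [ "$a" != "$1" ] && ar=${1##*-r}
    [ "$b" != "$2" ] && br=${2##*-r}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap=${a%%.*}; bp=${b%%.*}
        [ -n "$ap" ] || ap=-1          # a missing component sorts lowest
        [ -n "$bp" ] || bp=-1
        [ "$ap" -gt "$bp" ] && return 0
        [ "$ap" -lt "$bp" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    [ "$ar" -ge "$br" ]                # same base version: compare revisions
}

# Print each installed nm-applet version, taken from the directory names in
# Portage's installed-package database. VDB is a hypothetical override.
installed_versions() {
    for d in "${VDB:-/var/db/pkg}"/gnome-extra/nm-applet-[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d##*/nm-applet-}"
    done
    return 0
}

# Return 0 when no installed copy is below FIXED, 1 otherwise.
check_nm_applet() {
    rc=0
    for v in $(installed_versions); do
        if ver_ge "$v" "$FIXED"; then
            echo "nm-applet-$v: not affected"
        else
            echo "nm-applet-$v: AFFECTED, upgrade to >= $FIXED"
            rc=1
        fi
    done
    return $rc
}

check_nm_applet
```

The script's exit status is non-zero when an affected version is installed, so it can be used as a compliance check across hosts.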
 

References

Release date
July 08, 2017

Latest revision
August 06, 2017: 2

Severity
normal

Exploitable
local

Bugzilla entries