diff -Nru network-manager-applet-0.9.4.1/debian/changelog network-manager-applet-0.9.4.1/debian/changelog
--- network-manager-applet-0.9.4.1/debian/changelog 2015-03-16 13:18:00.000000000 +0000
+++ network-manager-applet-0.9.4.1/debian/changelog 2017-03-06 16:26:10.000000000 +0000
@@ -1,3 +1,12 @@
+network-manager-applet (0.9.4.1-0ubuntu2.6) precise-security; urgency=medium
+
+ * SECURITY UPDATE: file access from login screen (LP: #1668321)
+ - debian/patches/applet-Check-the-user-has-permission-to-modify-befor.patch:
+ check permissions before showing dialog in src/applet-device-wifi.c.
+ - No CVE number
+
+ -- Marc Deslauriers Mon, 06 Mar 2017 11:26:10 -0500
+
 network-manager-applet (0.9.4.1-0ubuntu2.5) precise; urgency=medium
 
 * Backport foo_client_setup from 0.9.8.8 src/applet.c (LP: #1424119)
diff -Nru network-manager-applet-0.9.4.1/debian/patches/applet-Check-the-user-has-permission-to-modify-befor.patch network-manager-applet-0.9.4.1/debian/patches/applet-Check-the-user-has-permission-to-modify-befor.patch
--- network-manager-applet-0.9.4.1/debian/patches/applet-Check-the-user-has-permission-to-modify-befor.patch 1970-01-01 00:00:00.000000000 +0000
+++ network-manager-applet-0.9.4.1/debian/patches/applet-Check-the-user-has-permission-to-modify-befor.patch 2017-03-06 17:31:14.000000000 +0000
@@ -0,0 +1,57 @@
+Backport of:
+
+From: Iain Lane
+Date: Fri, 3 Mar 2017 12:27:23 +0000
+Subject: applet: Check the user has permission to modify before showing dialog
+
+In most places, we (or NM) check permissions before performing actions.
+One place we don't is when we need more information when connecting to
+and 802.1x network. In that case we pop up a dialog to ask for more
+information before initiaing the connection.
+
+The dialog contains a GTK+ filechooser. We don't want unprivileged users
+to have access to this as it allows opening files.
+
+Check for MODIFY_SYSTEM or MODIFY_OWN before showing the dialog for
+802.1x connections. If the user doesn't have or can't get it, don't show
+the dialog. They wouldn't have been able to create the connection
+anyway.
+---
+ src/applet-device-wifi.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+Index: network-manager-applet-0.9.4.1/src/applet-device-wifi.c
+===================================================================
+--- network-manager-applet-0.9.4.1.orig/src/applet-device-wifi.c 2017-03-06 12:29:13.593100630 -0500
++++ network-manager-applet-0.9.4.1/src/applet-device-wifi.c 2017-03-06 12:31:02.606474521 -0500
+@@ -565,6 +565,15 @@
+ gtk_widget_destroy (GTK_WIDGET (dialog));
+ }
+
++static gboolean
++can_get_permission (NMApplet *applet, NMClientPermission perm)
++{
++ if ( applet->permissions[perm] == NM_CLIENT_PERMISSION_RESULT_YES
++ || applet->permissions[perm] == NM_CLIENT_PERMISSION_RESULT_AUTH)
++ return TRUE;
++ return FALSE;
++}
++
+ static void
+ _do_new_auto_connection (NMApplet *applet,
+ NMDevice *device,
+@@ -639,6 +648,14 @@
+ * Dialog Of Doom.
+ */
+ if (s_8021x) {
++ if (!can_get_permission (applet, NM_CLIENT_PERMISSION_SETTINGS_MODIFY_SYSTEM) &&
++ !can_get_permission (applet, NM_CLIENT_PERMISSION_SETTINGS_MODIFY_OWN)) {
++ const char *text = _("Failed to add new connection");
++ const char *err_text = _("Insufficient privileges.");
++ g_warning ("%s: %s", text, err_text);
++ g_clear_object (&connection);
++ return;
++ }
+ more_info = g_malloc0 (sizeof (*more_info));
+ more_info->applet = applet;
+ more_info->callback = callback;
diff -Nru network-manager-applet-0.9.4.1/debian/patches/series network-manager-applet-0.9.4.1/debian/patches/series
--- network-manager-applet-0.9.4.1/debian/patches/series 2015-03-16 13:17:03.000000000 +0000
+++ network-manager-applet-0.9.4.1/debian/patches/series 2017-03-06 16:26:02.000000000 +0000
@@ -25,3 +25,4 @@
 position_dialogs_to_center_of_the_screen.patch
 hide_policy_items_env_var.patch
 lp1424119_fix_foo_client_setup.patch
+applet-Check-the-user-has-permission-to-modify-befor.patch
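Review bot: In the new debian/patches file, the denial path added under `if (s_8021x)` in src/applet-device-wifi.c leaves `_do_new_auto_connection` through a bare `return;` without ever invoking `callback`, so the refusal shows up only as a `g_warning` in the log. The callers and the callback's typedef are outside this hunk, but if a caller relies on the callback to release the state it handed over or to learn that nothing was created, this path would leave that state dangling and give the user no feedback. I would report the failure through `callback` (arguments per its typedef) just before `g_clear_object (&connection);`. The check itself fails closed, because `can_get_permission` accepts only `NM_CLIENT_PERMISSION_RESULT_YES` and `NM_CLIENT_PERMISSION_RESULT_AUTH`; that deserves a comment above the helper, e.g. `/* TRUE only when the cached result is YES or AUTH; any other value denies. */`. The body of `_do_new_auto_connection` starts and ends outside the hunk.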